
Trust Center

Security, privacy & compliance

Leapo handles personal data for solopreneurs across the EU. This page is the full picture of how we host, encrypt, share, and govern that data, written for partners, procurement teams, and security-curious customers.

Last updated: May 20, 2026

At a glance

Data hosting
Supabase (Postgres) and Vercel (compute), both in EU regions
Encryption
AES-256 at rest · TLS 1.3 in transit
Primary jurisdiction
Belgium (EU/EEA). Subject to GDPR.
Certifications
SOC 2 Type I: planned Q1 2027
ISAE 3402 readiness: planned 2027
Cyber insurance
€1M policy, in procurement

Where we are honestly

Leapo is a small, founder-led team. We've built compliance and security-by-design from day one (EU hosting, minimal data collection, documented subprocessors, GDPR rights workflows), but we are not yet SOC 2 or ISO 27001 certified. We've published our roadmap below and we're happy to commit to specific milestones in vendor contracts. If you're evaluating us for a partnership and need to see anything not on this page, email security@leapo.app.

1. Hosting & infrastructure

Customer data is hosted in the European Union. We use two primary infrastructure providers:

  • Supabase (Postgres database, authentication, storage): EU region eu-central-1 (Frankfurt, Germany), running on AWS infrastructure.
  • Vercel (application hosting, edge compute): serverless functions are routed to the nearest EU region by default; static assets are served from Vercel's global CDN.

All physical data centers are SOC 2 Type II, ISO 27001, and ISO 27018 certified at the infrastructure provider level (AWS).

2. Encryption

At rest: all Postgres data is encrypted with AES-256 by Supabase's storage layer. This is disk-level encryption of the database volumes (upstream PostgreSQL has no built-in transparent data encryption), so it protects the storage media rather than individual columns; who can read which rows is governed by the access controls in Section 3. Database backups are encrypted using the same standard.

In transit: TLS is enforced for all connections, with TLS 1.3 preferred and TLS 1.2 as the minimum accepted version. HSTS is enabled on leapo.app with a 12-month max-age. Internal service-to-service traffic (Vercel ↔ Supabase ↔ Stripe ↔ OpenAI) is HTTPS-only.

Secrets management: environment variables (API keys, signing secrets, service-role credentials) are stored encrypted in Vercel's and GitHub's secret stores. No secrets are committed to the repository.

3. Access control

Customer-facing: Leapo uses Supabase Auth with row-level security (RLS) on every table holding user data. A user can only read or modify their own records β€” enforced at the database layer, not just the application layer.
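The guarantee above, as an added example and not Leapo's own schema or migrations: a Supabase-style table protected with row-level security, one policy per operation keyed on the JWT subject, and a check that impersonates a user to confirm another user's row is invisible. The table name, its columns and the two user ids are assumptions; auth.uid() is Supabase's helper that returns the subject claim of the request JWT as a uuid.

```sql
-- Added example, not Leapo's own schema or migrations. The table, its
-- columns and the two user ids are assumptions chosen to illustrate Section 3.
-- Assumes both user ids already exist in auth.users (created via Supabase Auth).

create table public.business_plans (
  id           uuid primary key default gen_random_uuid(),
  user_id      uuid not null references auth.users (id) on delete cascade,
  niche        text,
  city         text,
  plan_summary text,
  created_at   timestamptz not null default now()
);

-- Weak setting: a table without RLS is readable in full by every API role
-- that can reach it, whoever is logged in. Enabling RLS flips the default
-- to "no rows" for the anon/authenticated roles until a policy grants access.
alter table public.business_plans enable row level security;

-- Corrected: one policy per operation, all keyed on the caller's JWT subject.
create policy "owner selects own plans"
  on public.business_plans for select
  using (auth.uid() = user_id);

create policy "owner inserts own plans"
  on public.business_plans for insert
  with check (auth.uid() = user_id);

create policy "owner updates own plans"
  on public.business_plans for update
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);   -- also blocks re-assigning a row to another user

create policy "owner deletes own plans"
  on public.business_plans for delete
  using (auth.uid() = user_id);

-- Verification. Seed one row per user while still the admin role
-- (the table owner is not subject to these policies)...
insert into public.business_plans (user_id, niche, city) values
  ('11111111-1111-1111-1111-111111111111', 'bookkeeping', 'Ghent'),
  ('22222222-2222-2222-2222-222222222222', 'copywriting', 'Antwerp');

-- ...then impersonate user 1 the way the API layer does: switch to the
-- authenticated role and set the JWT claims that auth.uid() reads.
begin;
  set local role authenticated;
  set local request.jwt.claims to
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}';

  -- Returns 1: only user 1's own row is visible, user 2's row does not exist
  -- from this session's point of view.
  select count(*) from public.business_plans;

  -- Rejected by the insert policy with "new row violates row-level security
  -- policy": user 1 cannot write a row owned by user 2.
  insert into public.business_plans (user_id, niche) values
    ('22222222-2222-2222-2222-222222222222', 'hijacked');
rollback;
```

Two caveats worth knowing when reviewing a setup like this: enabling RLS with no policies is a secure default (the API roles see nothing), and the Supabase service-role key bypasses RLS entirely, which is why it belongs only in server-side secret stores (Section 2) and never in browser code.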

Administrative: production database access is restricted to the founder (single-person team today). All admin access requires multi-factor authentication. Admin sessions are short-lived. We do not maintain a separate "ops team" with standing access.

Third-party access: none of our subprocessors has direct read access to your application data beyond what its service requires (e.g. Stripe sees billing-related data only; OpenAI receives only the prompt content we send for a given request and keeps it no longer than the retention period described in Section 5).

4. Data handling & retention

What we collect: email and name (for authentication), niche / location / business-plan answers (provided by the user, used to personalize the product), payment metadata via Stripe (we never see card numbers), activity logs for product analytics.

What we don't collect: we do not collect sensitive special-category data (health, biometric, religious, political). If a user types something special-category into a free-text field, we advise against it, and we minimize its onward transmission to subprocessors (see Section 5).

Retention: account data is retained for the lifetime of the account. On deletion (Section 6), it is purged from the primary database within 30 days. Encrypted backups containing the data are retained for an additional 30 days, then permanently destroyed.

5. AI processing (OpenAI)

Leapo uses OpenAI's API to power the AI Coach, AI Lead Engine, and Launch Kit generators. This is the only place customer data leaves the EU, and we manage it tightly:

  • Data sent: niche, city, business-plan summary, and the user's current question. We minimize personal identifiers in prompts (see roadmap below for in-progress redaction work).
  • Training opt-out: we use OpenAI's API, where prompts and completions are not used for model training by default (OpenAI's public policy, in force since 1 March 2023).
  • Retention at OpenAI: API request data is retained by OpenAI for up to 30 days for abuse monitoring, then permanently deleted. We do not enable any extended retention features.
  • Transfer mechanism: OpenAI is a US-based processor. Transfers are covered by Standard Contractual Clauses (SCCs) under the OpenAI Data Processing Addendum.
  • EU-hosted alternative: we're evaluating Azure OpenAI Service (EU regions) to eliminate US transfer entirely. Tracked on the roadmap below.

6. GDPR rights

Users can exercise the following rights at any time via privacy@leapo.app or in-app where indicated:

  • Right of access (Art. 15): request a copy of all data we hold about you
  • Right to rectification (Art. 16): most fields are user-editable directly in account settings
  • Right to erasure (Art. 17): request full account deletion; we propagate the request to subprocessors
  • Right to data portability (Art. 20): receive your data in machine-readable JSON
  • Right to object (Art. 21): opt out of processing based on legitimate interest
  • Right to lodge a complaint with your supervisory authority (Belgium: Autorité de Protection des Données / Gegevensbeschermingsautoriteit)

Standard response SLA: 30 days from receipt, in line with GDPR Art. 12(3). We confirm receipt within 72 hours.

7. Subprocessors

Every third-party service that processes user data on our behalf is listed publicly, with its purpose, country, and applicable data-protection mechanism:

View full subprocessor list →

We notify partners of new subprocessors before they go live, via this page and (for contracted B2B customers) email.

8. Incident response

We maintain a written incident response plan covering detection, containment, eradication, recovery, and post-mortem. Key commitments:

  • Detection: Sentry monitors runtime errors; Supabase logs surface anomalous database queries; Stripe webhooks alert on failed payment patterns.
  • Notification SLA: if a personal-data breach occurs, we notify the supervisory authority within 72 hours (GDPR Art. 33) and affected users without undue delay (Art. 34).
  • Partner notification: B2B partners are notified within 24 hours of confirmed incidents affecting their users, with an initial scope assessment.

9. Backups & disaster recovery

Backups: Supabase takes daily backup snapshots of the production database, retained for 7 days on the Pro plan and 30 days on the Team plan. Backups are encrypted and stored in the same EU region as the primary database.

RTO / RPO: our target Recovery Time Objective is 4 hours and Recovery Point Objective is 24 hours. These are best-effort targets, not contractually guaranteed today. We offer formal SLAs to B2B partners as part of contract negotiation.

Provider-level redundancy: AWS (underlying Supabase) and Vercel both operate multi-AZ infrastructure within EU regions, providing resilience against single-data-center failures.

10. Certifications & roadmap

We're not certified today. We've committed to the following milestones:

Milestone                          | Target  | Status
PII minimization in LLM calls      | Q2 2026 | In progress
EU-hosted LLM (Azure OpenAI EU)    | Q3 2026 | Planned
Cyber insurance €1M policy         | Q3 2026 | In procurement
Penetration test (Belgian firm)    | Q4 2026 | Planned
SOC 2 Type I                       | Q1 2027 | Planned
SOC 2 Type II                      | Q4 2027 | Planned
ISAE 3402 Type I (Belgian market)  | 2027    | Planned

Roadmap items are good-faith targets, not contractual commitments unless written into a specific customer agreement.

11. Downloadable documents

12. Contact

Security questions

security@leapo.app

Vulnerability reports, vendor reviews, partnership-related security questions.

Privacy / GDPR requests

privacy@leapo.app

Data subject access, deletion, portability, and rectification requests.

For responsible disclosure of security vulnerabilities: please email security@leapo.app with a description of the issue and steps to reproduce. We commit to acknowledging within 72 hours and will not take legal action against good-faith researchers who follow standard disclosure practice.