Infrastructure security
Pointerly runs on managed cloud infrastructure provided by industry-leading platforms. We do not operate our own data centers. Our primary providers are:
- Supabase (AWS): Primary database, authentication, and storage. Hosts all application data in the US. Provides Row Level Security, encrypted connections, and AES-256 encryption at rest.
- Vercel: Application hosting, edge network, and serverless functions. Serves the web application with global CDN distribution. Does not store user data beyond deployment artifacts.
- Stripe: Payment processing. Handles all payment card data directly — Pointerly never sees or stores card numbers. PCI DSS Level 1 certified.
- Resend: Transactional email delivery. Receives only the email address and message content necessary to send notifications.
Infrastructure access is restricted to authorized personnel on a least-privilege basis. We use multi-factor authentication for all administrative access to cloud services.
Data encryption
- In transit: All connections to Pointerly are encrypted via TLS 1.2 or higher. This includes browser traffic, API requests, and database connections.
- At rest: All data stored in our database is encrypted at rest using AES-256 encryption, managed by the underlying infrastructure provider (AWS).
- Secrets: API keys, tokens, and sensitive credentials are stored as encrypted environment variables. They are never committed to source code or exposed in client-side bundles.
Access control
- Row-Level Security (RLS): Every database table is protected by RLS policies that enforce per-team data isolation at the database layer. Users can only query data belonging to teams they are members of.
- Role-based permissions: Team members are assigned roles (owner, admin, member) with granular permissions. Sensitive operations like deleting links or managing billing are restricted to appropriate roles.
- Authentication: We use Supabase Auth with secure session management. Passwords are hashed using bcrypt. We support social login providers with OAuth 2.0.
Data handling
We collect and process only the data necessary to provide the service. Key principles:
- No data selling: We do not sell, rent, or trade your personal data or analytics data to third parties.
- Minimal collection: Click tracking captures only the data needed for analytics (device type, country, referrer). We do not fingerprint visitors or build cross-site profiles.
- Payment isolation: All payment processing is handled by Stripe. We never see, receive, or store payment card numbers.
- Third-party data: Amazon product data and affiliate information are used only to provide the service and are subject to our obligations under the Amazon Advertising API terms.
Application security
- All user input is validated server-side before processing.
- Server Actions and API routes enforce authentication and authorization checks.
- We use parameterized queries to prevent SQL injection.
- Content Security Policy headers and output encoding protect against cross-site scripting (XSS).
- Dependencies are regularly reviewed and updated to address known vulnerabilities.
Incident response
We maintain a security incident response plan that covers monitoring, detection, and response for potential threats. Our process includes the following steps:
- Assign an owner, contain impact, and preserve evidence.
- Notify affected users if required by law or contract.
- Document the incident and conduct a post-mortem.
- Update controls to reduce likelihood of recurrence.
If a security incident involves Amazon information (e.g. Amazon Ads API data or credentials), we report the incident to security@amazon.com per our obligations under the Amazon Advertising Partner Network terms.
Account deletion
You can delete your account and all associated data at any time from your account settings. Upon deletion, we remove all your data from our active systems. Backups that may contain your data are automatically purged within 30 days. For details, see our Privacy Policy.
Vulnerability disclosure
If you believe you have found a security vulnerability in Pointerly, please report it to us at security@pointerly.io.
We commit to acknowledging vulnerability reports within 5 business days and addressing them as promptly as possible. We appreciate responsible disclosure and ask that you give us reasonable time to investigate and address the issue before making it public.
For any security-related questions, contact us at security@pointerly.io.