Privacy Policy

Last updated: April 26, 2026

Overview

Preuve AI ("we", "our", "us") respects your privacy. This policy explains what data we collect, why, and how we protect it.

We collect the minimum data needed to provide our service. We don't sell your data. Ever.

What We Collect

Data you provide

  • Your startup idea description (required to generate analysis)
  • Email address (if you create an account)
  • Payment information (processed by our payment processor, we don't store card details)

Data collected automatically

  • Usage analytics (page views, feature usage)
  • Device type, browser, approximate location (country level)

How We Use Your Data

  • Idea analysis: Your idea is processed by AI services and market research tools to generate validation reports. This includes searching publicly available sources for market data, trends, and competitor information.
  • Real-time research: We query public data sources (social media, forums, news, review sites, trend data) to provide current market insights.
  • Account management: Authentication via Supabase Auth using passwordless magic links and one-time codes. We never store, transmit, or hash passwords because we never collect them.
  • Data storage: Reports and user data stored in Supabase Postgres (SOC 2 Type II) with row-level security ensuring you only access your own data.
  • Payments: Processed by Stripe (PCI DSS Level 1) for new purchases. Legacy DodoPayments and Paddle subscriptions remain with their original processor. We never see or store card details.
  • Analytics: We track product usage to improve the service. This data is used internally and not shared.
  • Product improvement: Aggregated, anonymized usage data helps us improve the product.
  • Public benchmarks: We may publish aggregate statistics like score distributions ("27% of fintech ideas score 70+"), pass-rate trends, and average competitor counts on our blog and marketing pages. We never publish your idea text, name, email, or any field that could identify an individual user. Datasets must reach at least 50 anonymous ideas before publication.

Third-Party Services

We use trusted third-party services to operate:

  • AI analysis services: Google (Gemini), Anthropic (Claude), and OpenAI (GPT) process your idea to generate insights under enterprise API terms that prohibit model training. Requests may be routed through ZenMux and OpenRouter, LLM gateways with their own data handling policies.
  • Market research services: Data providers for trends, traffic estimates, and competitive intelligence.
  • Database (Supabase): SOC 2 Type II Postgres with row-level security. Hosted in the EU (eu-west-1, Ireland).
  • Authentication (Supabase Auth): Passwordless magic-link / OTP sign-in. No passwords are ever set, stored, or transmitted.
  • Payments (Stripe, Dodo, Paddle): Stripe (PCI DSS Level 1) handles new purchases. Legacy DodoPayments and Paddle subscriptions continue on their original processor. Card details never touch our servers.
  • Analytics (PostHog): Product usage tracking and session replay. PostHog runs on its US cloud and applies content masking to sensitive form fields.
  • Hosting (Vercel): SOC 2 Type II edge network with automatic HTTPS and DDoS protection.

These services process data as needed to provide our service. We do not sell your data to any third party.

Data Retention

  • Ideas and reports: Stored until you delete them or your account.
  • Account data: Retained while your account is active.
  • Analytics: Aggregated data retained indefinitely, individual session data for 30 days.

Your Rights

You can:

  • Access your data (view your reports in the app)
  • Delete your data (delete individual reports or your entire account)
  • Opt out of analytics (use browser Do Not Track)

For data requests (access, deletion, portability, rectification), email [email protected]. We respond within 30 days as required by GDPR Article 12.

Authentication

Preuve uses passwordless authentication only. You sign in by clicking a link or entering a one-time code we email you. There are no passwords to set, store, leak, or reuse.

This eliminates entire categories of attack:

  • No credential stuffing risk (no password to stuff)
  • No password-reuse exposure from other breaches
  • No brute-force surface against your account
  • No password-leak risk if our database were ever breached

Session tokens are issued by Supabase Auth as JWTs and validated server-side on every authenticated API request. The frontend never sends a user ID to the API; the server reads identity from the JWT.

Security

We protect your data with:

  • TLS 1.3 (256-bit) for all data in transit
  • AES-256 encryption at rest in Supabase Postgres
  • SOC 2 Type II certified infrastructure (Supabase, Vercel)
  • Postgres row-level security policies isolating user data at the database level
  • Server-side rate limiting on every public API endpoint, with stricter limits on authentication endpoints
  • IP-based abuse defenses (manual blocklist, automatic blocking after repeated abuse alerts, IPv6-aware to prevent rotation evasion)
  • Disposable / throwaway email detection on signup
  • Prompt-injection detection and input sanitization on every report submission
  • Server-side paywall enforcement: locked report sections never leave the server in any API response
  • CORS allowlist hardcoded to our production domains (no wildcard origins)
  • Audit log on every API handler (authentication events, writes, security-relevant errors)

Cookies & Local Storage

We use the minimum browser storage required for the service to work. No advertising cookies. No cross-site tracking. The full list, by name:

Strictly necessary

  • sb-base-auth-token - Supabase Auth session in localStorage. Holds the JWT used to identify you on authenticated API calls. Cleared on sign-out.
  • pending_upgrade_idea- localStorage. Preserves an in-progress idea draft across the checkout redirect so you don't lose work mid-purchase. Cleared after the checkout returns.
  • CSRF and rate-limit cookies set by Supabase / Vercel as strictly necessary infrastructure cookies.

Functional

  • user-plan-cache- localStorage. Caches your plan tier so the UI doesn't flicker on each navigation.
  • theme_mode - localStorage. Your light/dark theme preference.
  • vocabulary_mode / has_viewed_report - localStorage. Founder vocabulary preference and report-viewed flag.
  • onboarding_tour_completed_v2- localStorage. Whether you've completed the in-app product tour.
  • tyi_auth_event - localStorage. Cross-tab broadcast of authentication state changes (sign-in / sign-out).
  • Agency dashboard local cache keys (only set if you use the agency dashboard).

Attribution

  • referral_via + referral_via_ts - localStorage. When someone visits via a referral link (?via=CODE), we store the 6-character code for up to 60 days so we can credit the referrer if you sign up. No cross-site tracking.
  • Landing-attribution storage - first-touch source for marketing attribution, kept for the duration of the visit window.

Analytics

  • PostHog cookies and localStorage flags - product analytics, feature flags, and session identifiers. EU-hosted. Disabled if you opt out.

We do not use advertising cookies and do not share storage with ad networks.

Privacy questions? [email protected] · Security? [email protected] · Anything else? [email protected]