Security
How we protect your data
Written plainly, not in legal boilerplate.
We never store your emails.
When you forward a receipt or we fetch one via Gmail, we extract the vendor name, amount, currency, billing cycle, date, and subject line, then discard the email. The full email body is never written to any database, so if our database were breached tomorrow there would be no email bodies for an attacker to find.
Encryption
- In transit: All traffic is encrypted via TLS 1.2+. We enforce HTTPS everywhere and set HSTS headers.
- At rest: Our database (Postgres on Neon) encrypts data at rest using AES-256.
- OAuth tokens: If you connect Gmail, your refresh and access tokens are encrypted with AES-256-GCM before being stored. The encryption key is stored separately from the database and is never logged.
Authentication
- Authentication is managed by Clerk, a dedicated auth provider. We never handle or store passwords.
- Sessions are signed and verified by Clerk on every request.
- Every database query that touches your data is scoped by your internal user ID, so one user's data cannot be returned in another user's session.
Webhook security
- All inbound webhooks (email receipts from Mailgun, payments from Dodo Payments, auth events from Clerk, background jobs from Upstash) are verified using HMAC-SHA256 signatures before any processing occurs.
- Webhook secrets are stored as environment variables — never in code or version control.
Rate limiting
All public and authenticated API endpoints are rate-limited using Upstash Redis, which limits brute-force attempts, scraping, and other abuse.
AI and your data
- We use Anthropic's Claude API to parse receipt emails. Only the plain-text content of the email is sent — no subject line, no headers, no attachments.
- Email content is wrapped in explicit "treat as data, not instructions" framing to reduce the risk of prompt injection. Framing lowers the risk but does not eliminate it, so the parser's output is reduced to the receipt fields listed under Data minimisation.
- Anthropic does not use API inputs to train models by default.
Data minimisation
- We store the minimum data needed: vendor name, amount, currency, billing cycle, event date, and email subject line. Nothing more.
- When you delete your account, everything is permanently erased: charges, subscriptions, alerts, Gmail connection, preferences. Deletion is immediate and irreversible, carried out by database cascade.
- Our error monitoring (Sentry) is configured to strip email addresses, names, and all identifying fields before errors are reported.
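An added example of the kind of scrubbing hook the Sentry bullet describes (not the page's own configuration). It is written as a pure function in the shape Sentry's `beforeSend` option expects (an event in, a modified event or `null` out) so it runs without the Sentry SDK; the list of fields treated as identifying is an assumption. It drops known PII keys wherever they appear and masks anything email-shaped in free-text fields such as messages and breadcrumbs, which is where addresses usually leak from even when the structured `user` block is clean.

```javascript
// Added example: a Sentry-style beforeSend hook that strips identifying fields.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
// Assumption: keys whose values are never useful in an error report.
const PII_KEYS = new Set(['email', 'name', 'username', 'ip_address', 'cookie', 'authorization']);

function redactString(s) {
  return s.replace(EMAIL_RE, '[email]');
}

// Recursively copies the event, dropping PII keys and masking email-shaped
// strings in every string value (message, breadcrumbs, extra context, headers).
function scrub(value) {
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map(scrub);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (PII_KEYS.has(k.toLowerCase())) continue;
      out[k] = scrub(v);
    }
    return out;
  }
  return value;
}

// Shape matches Sentry's beforeSend(event, hint): return the event to send it,
// or null to drop it entirely.
function beforeSend(event) {
  const clean = scrub(event);
  // Keep only an opaque account ID so errors can still be grouped per user
  // without saying who the user is.
  if (event.user && event.user.id !== undefined) clean.user = { id: String(event.user.id) };
  return clean;
}
```

Pair a hook like this with the SDK's own setting for default PII turned off; the hook is the backstop for data that ends up in places the SDK does not classify as personal.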
Infrastructure
| Layer | Provider | Why we trust them |
|---|---|---|
| Hosting | Vercel | SOC 2 Type 2, ISO 27001 |
| Database | Neon | SOC 2 Type 2, AES-256 at rest |
| Auth | Clerk | SOC 2 Type 2, dedicated auth provider |
| Email inbound | Mailgun | SOC 2, established provider |
| Email outbound | Resend | Purpose-built transactional email |
| Payments | Dodo Payments | PCI DSS, Merchant of Record |
| AI | Anthropic | API inputs not used for training by default |
| Rate limiting | Upstash | SOC 2, Redis at the edge |
Breach notification
In the unlikely event of a data breach affecting your personal data, we will notify you by email within 24 hours of becoming aware of it. We will describe what data was affected, what we have done in response, and what you should do.
Responsible disclosure
Found a security vulnerability? Please report it to hello@watchmysubs.com before disclosing publicly. We will acknowledge your report within 48 hours and aim to resolve confirmed issues within 7 days. We appreciate responsible disclosure and will credit researchers who report valid issues.
Got a question we didn't answer?
Email hello@watchmysubs.com →