Trust · Security

Updated · 23 May 2026

Security.

We collect as little as we can get away with, store it in one place we control, encrypt it in transit and at rest, and tell you exactly what is happening. This page is the plain-English version. The legal version is the Privacy Policy.

1. Summary

  • TLS 1.2+ end-to-end. HSTS enforced.
  • Encrypted at rest at the storage layer.
  • Passwords hashed by Supabase (bcrypt-based).
  • One dedicated server in India (OVH). No multi-tenant SaaS infrastructure handling raw data.
  • No third-party trackers — no Google Analytics, no Posthog, no Hotjar, no Meta Pixel, no Mixpanel. Only the providers we strictly need.
  • Your trade data, when you eventually upload it for the AI Coach, is never used to train AI models — ours or anyone else's.
  • DPDP Act 2023 compliant — see the Privacy Policy for the formal version.

If you spot something we should be doing better, write to us at admin@auctionedge.in with subject Security.

2. Data in transit

All traffic between your browser and our servers uses TLS 1.2 or higher, terminated at the edge. HTTPS is enforced sitewide via HSTS — there is no HTTP fallback.

API calls from our application to third-party services (Supabase, Anthropic, Brevo, Cloudflare, OVH) are also TLS-encrypted.

3. Data at rest

  • Application database (Postgres) — encrypted at the storage layer.
  • ClickHouse tick store — encrypted at the storage layer; isolated from the application database.
  • Backups — encrypted; stored on the same provider's secondary storage; retention 30 days rolling.
  • Trade data (forthcoming Coach feature) — encrypted in transit, encrypted at rest. Access scoped to the owning user account; no cross-user reads.

4. Authentication

  • Email + password — handled by Supabase Auth. Passwords are hashed with a bcrypt-based algorithm; we never see or store them in plaintext.
  • Google OAuth — standard OAuth 2.0 flow via Supabase; we receive only your email and basic profile.
  • Sessions — JWT-based, served as httpOnly first-party cookies. Sessions expire and rotate.
  • Password reset — single-use, time-limited link sent to your registered email.
  • MFA / 2FA — on the roadmap; will route through Supabase Auth when added.

There are no third-party tracking pixels or social logins beyond Google.

5. Infrastructure

  • Single OVH dedicated server, located in India, running the marketing site, dashboard, blog, Postgres, ClickHouse, and the prediction engine. No multi-tenant infrastructure handles your raw data.
  • Edge / DNS — Cloudflare (for caching and DDoS protection on public routes).
  • OS — regularly patched; security updates applied within standard windows.
  • Dependencies — kept current; npm and pip audits run as part of release.
  • Backups — automatic, daily, retained 30 days, encrypted.

6. Where data lives

| Data | Where | Why | | --- | --- | --- | | Application database, ClickHouse, AI prediction engine | OVH dedicated server (India) | Primary infrastructure | | Authentication metadata, password hashes | Supabase | Auth provider | | Email delivery (waitlist, briefs) | Brevo (formerly Sendinblue) | Email service | | AI model inference | Anthropic, Google | LLM APIs for the Narrator and Coach | | Edge caching / DDoS | Cloudflare | DNS, CDN |

Some of these processors store data outside India. By using the Platform, you consent to such cross-border transfer where it is necessary for the service to function. The full table with what each processor sees is in the Privacy Policy, Section 5.

7. AI safety and your data

  • Anthropic — by default, content sent via the Anthropic API is not used to train Anthropic's models. We rely on that default.
  • Google (Gemini) — same posture; we use Gemini under terms that do not permit training on submitted content.
  • Your trade data (forthcoming Coach feature) — only ever sent to the AI provider as input for that user's specific Coach run. Never shared, never used for training, never aggregated across users in a way that could be reverse-engineered.
  • The Narrator's output is published on the public blog and Substack — by design, this is the only AI output we make widely available, and it contains no user data.

LLM output is probabilistic and can be wrong. We say so loudly on the Disclaimer page.

8. No third-party tracking

As of this version, we run no third-party marketing trackers: no Google Analytics, no Posthog, no Hotjar, no Mixpanel, no Meta Pixel. The only cookies we set are first-party authentication cookies issued by Supabase and a small UI-state cookie for theme/preferences.

If we introduce a privacy-respecting analytics tool in future (e.g. a self-hosted Plausible instance), we will update this page and the Privacy Policy and notify account holders by email.

9. Incident response

If a security incident materially affects your data, we will:

  1. Investigate as soon as we are aware
  2. Contain the issue — rotate keys, revoke sessions, take affected services offline if needed
  3. Notify you by email and post a notice on this page within 72 hours as required by the DPDP Act, 2023
  4. Notify the Data Protection Board of India as required by law
  5. Publish a post-incident write-up describing what happened, what we did, and what we changed so it does not happen again

Our Grievance Officer (see Privacy Policy, Section 9) acknowledges security incidents within 48 hours.

10. Responsible disclosure

We do not currently run a paid bug bounty programme. We do welcome responsible disclosure from security researchers.

  • Where to send: admin@auctionedge.in, subject Security disclosure
  • What to include: clear reproduction steps, affected URL or endpoint, expected vs observed behaviour, your contact info
  • What we promise: acknowledgement within 48 hours, regular status updates while we investigate, public credit if you want it, and an honest "thanks" that travels further than a sticker would
  • What we ask: give us reasonable time to fix before public disclosure; do not access user data beyond what is necessary to demonstrate the issue; do not run scanners that materially degrade service for other users

11. What you can do

  • Use a strong, unique password. A password manager is the cleanest way.
  • Do not share your account. One human per account is our policy and also the right thing to do.
  • Enable 2FA when we add it. We will email you the moment it is available.
  • Be sceptical of emails claiming to be from us. We will never ask for your password by email. We will never ask you to install software, run a script, or move funds.
  • Verify URLs before entering credentials. We only operate on auctionedge.in and app.auctionedge.in.

12. Updates to this page

We will update this page as the security posture changes. The Last updated date at the top reflects the most recent meaningful change. Substantive changes will also be summarised in the Changelog.

Have a security question we have not answered? Write to admin@auctionedge.in.