Security & data practices
What we collect, how we secure it, and how you stay in control. Written to answer the questions a security reviewer asks first.
What we store
- Account identity: email, hashed password (if used), OAuth subject claim. Managed by Supabase Auth.
- Topics & reports: the research queries you submit and the resulting analyses, stored under your account.
- Public community content: Reddit, Hacker News, Stack Overflow, and Product Hunt data is fetched at analysis time from public endpoints. We cache only what’s needed to render the report.
What we don’t store
- No payment card numbers — Stripe holds all card data; we store only customer / subscription identifiers.
- No private Reddit data — we only read public subreddits and threads that any logged-out user could read.
- No long-lived raw scrape dumps — each report only keeps the excerpts quoted in the published analysis.
Transport & storage
- TLS 1.2+ everywhere, HSTS enabled at the edge.
- Database on managed Postgres (Supabase), encryption at rest, daily backups.
- Service-role credentials never touch the browser — all authenticated requests go through cookie-scoped Supabase auth.
Authentication
Session tokens are HTTP-only cookies. OAuth (Google) is supported. CSP headers restrict script origins; X-Frame-Options blocks embedding; X-Content-Type-Options is set to nosniff.
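A reviewer can check the header and cookie claims above against a captured response. The script below is an added example, not Discury's own code: it audits raw response headers for HSTS, a script-restricting CSP, X-Frame-Options, nosniff, and HttpOnly on the session cookie. The sample headers and the cookie name `session` are constructed assumptions.

```python
import re
from email.parser import Parser

# Constructed sample response headers (not captured from any real service).
SAMPLE = """\
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Set-Cookie: session=constructed; Path=/; HttpOnly; Secure; SameSite=Lax
Set-Cookie: theme=dark; Path=/
"""

def audit(raw_headers, session_cookies=("session",)):
    """Return a list of findings; an empty list means every control was seen."""
    h = Parser().parsestr(raw_headers)  # header names are matched case-insensitively
    findings = []

    # HSTS: the header must be present with a non-zero max-age.
    m = re.search(r"max-age\s*=\s*\"?(\d+)", h.get("Strict-Transport-Security", ""), re.I)
    if not m or int(m.group(1)) == 0:
        findings.append("HSTS missing or max-age=0")

    # CSP: script-src governs scripts and falls back to default-src when absent.
    directives = {}
    for part in h.get("Content-Security-Policy", "").split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        findings.append("CSP does not restrict script origins")
    elif "*" in script_src or "'unsafe-inline'" in script_src:
        findings.append("CSP script policy allows '*' or 'unsafe-inline'")

    if h.get("X-Frame-Options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")
    if h.get("X-Content-Type-Options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    # Only cookies named as session cookies are required to be HttpOnly.
    for cookie in h.get_all("Set-Cookie") or []:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if name in session_cookies and "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "all listed controls present")
```

Feed it the header block from `curl -sI` output with the status line removed, and pass the real session cookie name in `session_cookies`.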
Data portability & deletion
Every authenticated user can delete their account from the Settings panel. Deletion cascades through topics, reports, and cached analyses. Email support@discury.io and we’ll export your data on request.
Incident response
Any security issue: email support@discury.io with "SECURITY" in the subject. We acknowledge within 24 hours and publish affected-user notifications within 72 hours of confirmation, per standard breach-notification practice.
Compliance
- GDPR — EU data subjects: see the data portability / deletion sections above; we act as data controller for account data and data processor for the public-community content you ask us to analyze.
- See our Privacy Policy for the full contractual statement and our Terms of Service.