Trust & Security

How MyBrandPilot protects the data you bring into your workspace, who can access it, and where it lives. This page is maintained by the MyBrandPilot team.

This is not an independent certification. It describes the platform controls currently in place and our stated practices as the app owner.

Access & authentication

  • Email and Google sign-in with rotating session tokens.
  • Leaked-password screening against the Have I Been Pwned corpus at signup and password change.
  • Workspace roles (owner, admin, member) enforce what each user can read or change.
  • Session sign-out clears cached data and revokes access on the device.

Data protection

  • All traffic between your browser and MyBrandPilot is encrypted in transit (TLS).
  • Database is hosted on Supabase (AWS-backed) with encryption at rest.
  • Row-level security policies scope every record to the workspace that owns it — cross-tenant reads are blocked at the database layer.
  • Uploaded assets sit in an access-controlled storage bucket with the same workspace scoping.

What we store

  • Account: your email, display name, and workspace membership.
  • Projects: the websites and brand assets you add for analysis, plus AI-generated deliverables.
  • Operational logs: request logs, AI run history, and email delivery status used to run the product.
  • We do not sell your data and we do not use your project content to train third-party models.

Subprocessors

  • Supabase — managed Postgres, authentication, storage.
  • Cloudflare — application hosting and edge delivery.
  • Lovable AI Gateway — routes prompts to the AI models that generate your strategy.
  • Mailgun — transactional email delivery for account and product emails.
  • Paddle — subscription billing and tax handling.

Retention & deletion

  • You can delete individual projects and deliverables from your dashboard at any time.
  • Workspace owners can request full account and workspace deletion by emailing our team.
  • Bounced and unsubscribed email addresses are suppressed from further sends.

Security & privacy contact

Report a security issue, request a subprocessor list update, or ask a privacy question by emailing security@mytradepilot.us. We acknowledge reports within two business days.

For legal terms and data handling, see our Privacy Policy and Terms of Service.