Infrastructure security
Pointerly runs on managed cloud infrastructure provided by industry-leading platforms. We do not operate our own data centers. Our primary providers are:
- Supabase (AWS): Primary database, authentication, and storage. Provides Row Level Security, encrypted connections, and provider-managed encryption at rest.
- Vercel: Application hosting, edge network, and serverless functions. Serves the web application with global CDN distribution. Does not store user data beyond deployment artifacts.
- Stripe: Payment processing. Handles all payment card data directly — Pointerly never sees or stores card numbers. PCI DSS Level 1 certified.
- Resend: Transactional email delivery. Receives only the email address and message content necessary to send notifications.
Infrastructure access is restricted to authorized personnel on a least-privilege basis. We use multi-factor authentication for all administrative access to cloud services. Production systems are separated from development workflows and changes are deployed through controlled build and release processes.
Security governance
Pointerly treats security as an operating requirement, not only a technical feature. Our controls are reviewed as the product, vendors, data categories, and partner API obligations change.
- Security responsibilities are assigned to product and engineering owners.
- Administrative access is granted based on role and business need.
- Access to production systems and sensitive configuration is limited and periodically reviewed.
- Security-impacting changes are reviewed before release where practicable.
- Material security incidents trigger post-incident review and control updates.
Data encryption
- In transit: All connections to Pointerly are encrypted via TLS 1.2 or higher. This includes browser traffic, API requests, and database connections.
- At rest: All data stored in our database is encrypted at rest using AES-256 encryption, managed by the underlying infrastructure provider (AWS).
- Secrets: API keys, tokens, and sensitive credentials are stored as encrypted environment variables. They are never committed to source code or exposed in client-side bundles.
- Credential handling: Integration tokens and partner credentials are stored server-side, rotated or revoked where supported, and excluded from client-facing API responses.
Access control
- Row-Level Security (RLS): Every database table is protected by RLS policies that enforce per-team data isolation at the database layer. Users can only query data belonging to teams they are members of.
- Role-based permissions: Team members are assigned roles and granular permissions. Sensitive operations such as billing, team administration, integrations, exports, Creator Connect, and connected account management are restricted to appropriate roles.
- Authentication: We use Supabase Auth with secure session management. Passwords are hashed using bcrypt. We support social login providers with OAuth 2.0.
- Server-side authorization: Server Actions, API routes, and background jobs must validate user, team, and resource permissions before returning or modifying workspace data.
Data handling
We collect and process only the data necessary to provide the service. Key principles:
- No data selling: We do not sell, rent, or trade your personal data or analytics data to third parties.
- Minimal collection: Click tracking captures only the data needed for analytics (device type, country, referrer). We do not fingerprint visitors or build cross-site profiles.
- Payment isolation: All payment processing is handled by Stripe. We never see, receive, or store payment card numbers.
- Third-party data: Amazon product data and affiliate information are used only to provide the service and are subject to our obligations under the Amazon Advertising API terms.
- Restricted partner data: Amazon Ads API and Creator Connections data is classified as restricted partner data. Automated third-party exports are blocked by default unless the customer explicitly initiates the export to their own connected account.
Data classification and export controls
Pointerly classifies data by sensitivity so product controls can enforce the right handling. Restricted partner data includes Amazon Ads API and Creator Connections-derived fields such as campaign identifiers, advertising metrics, eligibility status, enrollment status, raw partner payloads, and partner credential references.
- Restricted partner data is not sold, rented, or independently shared by Pointerly.
- Automated third-party exports of restricted Amazon partner data are blocked by default.
- Allowed restricted-data exports require explicit customer initiation and destination control.
- Export events are auditable with user, team, destination, data type, and timestamp where available.
- Raw partner tokens, credentials, and restricted payloads are not exposed to client-side code.
Amazon Ads and Creator Connections controls
For Amazon Ads API, Creator Connections, and related partner data, Pointerly applies additional safeguards:
- Access is scoped by team membership and role-based permissions.
- Credentials and OAuth tokens are stored server-side and are never exposed to browser bundles.
- Exports to external integrations are customer-controlled and auditable.
- Official API sync remains disabled until Amazon approves the application and scopes.
- Security incidents involving Amazon information are reported to Amazon as described below.
Application security
- All user input is validated server-side before processing.
- Server Actions and API routes enforce authentication and authorization checks.
- We use parameterized queries to prevent SQL injection.
- Content Security Policy headers and output encoding protect against cross-site scripting (XSS).
- Dependencies are regularly reviewed and updated to address known vulnerabilities.
- Sensitive integrations use server-side token refresh and metadata sanitization before data is returned to the browser.
- Public pages, dashboards, and API responses are designed to avoid exposing secrets, raw tokens, or environment values.
Logging, monitoring, and auditability
We maintain operational logs and audit records to help detect, investigate, and respond to reliability, security, and compliance events.
- Authentication, authorization, integration, and export events may be logged for security and support.
- Logs are access-restricted and used for security, abuse prevention, debugging, and compliance evidence.
- We avoid logging secrets, raw access tokens, and full sensitive payloads where not required for operation.
- Customer-visible analytics are scoped to the relevant team or workspace.
Incident response
We maintain a security incident response plan that covers monitoring, detection, and response for potential threats. Our process includes:
- Assign an owner, contain impact, and preserve evidence.
- Classify affected systems, data categories, users, and partners.
- Rotate or revoke affected credentials where appropriate.
- Notify affected users if required by law or contract.
- Document the incident and conduct a post-mortem.
- Update controls to reduce likelihood of recurrence.
If a security incident involves Amazon information (e.g. Amazon Ads API data or credentials), we report the incident to security@amazon.com per our obligations under the Amazon Advertising Partner Network terms.
Subprocessors and vendor controls
Pointerly uses subprocessors to operate hosting, database, authentication, storage, email, billing, and related service functions. We select providers based on operational need, security posture, confidentiality obligations, and ability to support customer data protection requirements. Current operational subprocessors and customer-controlled destinations are listed on our Subprocessors and Data Sharing page.
Account deletion
You can delete your account and all associated data at any time from your account settings. Upon deletion, we remove all your data from our active systems. Backups that may contain your data are automatically purged within 30 days. For details, see our Privacy Policy.
Vulnerability disclosure
If you believe you have found a security vulnerability in Pointerly, please report it to us at security@pointerly.io.
We commit to acknowledging vulnerability reports within 5 business days and addressing them as promptly as possible. We appreciate responsible disclosure and ask that you give us reasonable time to investigate and address the issue before making it public.
Privacy and security review cadence
We review security and privacy controls when we add material new processing, connect new partner APIs, introduce new export destinations, change infrastructure, or experience a material incident. Amazon Ads API and Creator Connections processing is tracked through an internal DPIA-style review and must be reviewed before official API sync is enabled in production.
For any security-related questions, contact us at security@pointerly.io.