Security & data
What we do with your data, how Anthropic handles it, and what happens when you cancel.
Where your data lives
PRplus runs on Supabase (Postgres) in AWS us-east-1 (Virginia). Every row in the database is isolated by organization via Row-Level Security — the database itself enforces that you can't read another org's data, even if an application bug tried.
Data in transit is encrypted with TLS 1.2+. Data at rest is encrypted with AES-256. We have a complete subprocessor list with what each vendor does and where they process your data.
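A sketch of how per-organization Row-Level Security like that described above can be expressed in plain Postgres. This is an added example, not PRplus's actual schema: the `pitches` and `memberships` tables, the `app_user` role and the `app.user_id` session setting are all hypothetical.

```sql
-- Hypothetical schema; table, role and setting names are illustrative only.
CREATE TABLE memberships (user_id uuid NOT NULL, org_id uuid NOT NULL,
                          PRIMARY KEY (user_id, org_id));
CREATE TABLE pitches (id bigserial PRIMARY KEY, org_id uuid NOT NULL, body text NOT NULL);

-- Constructed sample data: two orgs, one member in each.
INSERT INTO memberships VALUES
  ('00000000-0000-0000-0000-0000000000a1', '00000000-0000-0000-0000-00000000000a'),
  ('00000000-0000-0000-0000-0000000000b1', '00000000-0000-0000-0000-00000000000b');
INSERT INTO pitches (org_id, body) VALUES
  ('00000000-0000-0000-0000-00000000000a', 'org A pitch'),
  ('00000000-0000-0000-0000-00000000000b', 'org B pitch');

-- ENABLE turns policies on; FORCE applies them to the table owner as well.
ALTER TABLE pitches ENABLE ROW LEVEL SECURITY;
ALTER TABLE pitches FORCE ROW LEVEL SECURITY;

-- Resolves the caller's orgs. Identity is read from a session setting here
-- (assumption); on Supabase, auth.uid() would supply it from the JWT instead.
-- An unset or empty setting yields NULL, so the lookup matches no rows.
CREATE FUNCTION current_user_orgs() RETURNS SETOF uuid
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public AS $$
  SELECT org_id FROM memberships
  WHERE user_id = NULLIF(current_setting('app.user_id', true), '')::uuid
$$;

-- USING filters rows on read/update/delete; WITH CHECK validates rows being written.
CREATE POLICY org_isolation ON pitches
  USING (org_id IN (SELECT current_user_orgs()))
  WITH CHECK (org_id IN (SELECT current_user_orgs()));

-- Superusers and BYPASSRLS roles skip policies, so the check below runs
-- as an ordinary role with only table-level grants.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT ON pitches TO app_user;
GRANT USAGE ON SEQUENCE pitches_id_seq TO app_user;

BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.user_id = '00000000-0000-0000-0000-0000000000a1';  -- member of org A
SELECT org_id, body FROM pitches;  -- unfiltered query; the policy does the scoping
ROLLBACK;
```

The query carries no `WHERE org_id = ...` clause, which is the point: a missing filter in application code does not widen what the session can see.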
How AI processing works
When you generate a pitch or chat with an agent, the relevant context (your client's brand voice, keywords, the trend you're attaching) is sent to Anthropic's Claude API. Under our contract with Anthropic:
- Your data is not used to train models. Full stop. This is contractual, not a best-effort promise.
- Anthropic retains inputs for a maximum of 30 days for abuse monitoring, then deletes them.
If you're on Enterprise you can BYOK — bring your own Anthropic API key. In that mode Anthropic bills you directly, PRplus never proxies sensitive data through our shared key, and you control your own Anthropic data-retention settings.
Authentication + account security
- Supabase Auth handles password hashing (bcrypt), session management, and password-reset flows.
- Passwords must be 8+ characters. We show strength indicators on signup.
- Sessions are JWT-based with 1-hour lifetimes + automatic refresh.
- Google OAuth is an alternative sign-in path (no passwords stored).
- Enterprise plans support SSO (SAML/OIDC) via Supabase's SSO add-on or WorkOS — contact us to configure.
What you can export
At any time, from Settings → Organization:
- All clients + client profiles as CSV
- All pitches (with approval history) as CSV or PDF
- All mentions as CSV
- All reports as PDF
- Team directory as CSV
What happens if you cancel
- Days 1–30 after cancellation: your workspace stays accessible in read-only mode. Export anything you need.
- Day 30: production content is deleted.
- Day 60: residual data rotates out of backups. At this point we have no copy of your content, only financial records we're legally required to keep (typically 7 years).
Need immediate deletion? Email privacy@prplus.io with “Immediate deletion” in the subject. We'll confirm before we execute so there's no accidental wipe.
Reporting a security issue
If you find a security bug, please report it to security@prplus.io. We respond within 1 business day. We don't currently have a bug-bounty program but we're always happy to credit researchers in release notes if you ask.
Compliance
We're a young company. SOC 2 Type I is on the roadmap for Q3 2026 and we share our in-progress posture with enterprise customers under NDA. From day one we ship with per-org RLS, short-lived auth, webhook signature verification, and audit logging on admin actions.
For GDPR, CCPA/CPRA, and related details, see the Privacy Policy, DPA, and subprocessors list.
Still stuck?
Every paid plan includes email support. Drop us a line at support@prplus.io and a human will respond within 1 business day.