Trust

How we protect your data.

DeedShield holds modest amounts of personal data — your email, your address, alert history. We treat it with the seriousness it deserves.

Last updated · May 2026

Authentication

  • Magic-link email sign-in via Supabase Auth. No passwords stored, no password databases to leak.
  • Magic links expire in 1 hour and are single-use.
  • Sessions are HTTP-only cookies, refreshed automatically.

Encryption

  • All traffic is HTTPS (TLS 1.3 where supported).
  • The database (Postgres at Supabase) is encrypted at rest. Evidence-packet PDFs in Supabase Storage are encrypted at rest and access-controlled per-user.
  • Stripe handles all payment data; we never see card numbers.

Access control

  • Row-level access controls in the database — your data is only readable by your authenticated session.
  • Our small operations team has read-only access to operational data when investigating issues. Access is logged.
  • We do not have access to county recorder accounts on your behalf — we use public read APIs.

What data we hold

  • Your email, optionally your name and phone number.
  • The addresses and parcel IDs of properties you ask us to monitor.
  • Recorded documents we’ve pulled from county systems for your parcels.
  • Alert history and any notes you’ve made on incidents.
  • Stripe customer and subscription IDs (no card data).

Data retention & deletion

  • You can delete your account any time from your profile — your data is removed within 30 days.
  • We retain recorded-document history for 7 years for evidence purposes, even after account deletion, to support any law-enforcement or civil proceeding you might later need. This history is anonymized after deletion (no link back to your identity).
  • Operational logs are kept for 90 days, then purged.

Infrastructure

  • App hosting and CDN: Vercel (US regions). Database, storage, auth: Supabase (US). Email: Resend. SMS: configurable provider. Payments: Stripe.
  • We don’t use third-party analytics or session-replay tools. The only tracking on this site is a first-party session cookie.

Responsible disclosure

If you find a security vulnerability, email security@deedshield.net. We acknowledge within 24 hours, triage within 72 hours, and credit you in our security advisories (with your permission). Please don’t publicly disclose the issue until we’ve had a chance to fix it.

We do not currently run a paid bug bounty program, but we recognize good-faith research and we’ll work with you to resolve issues quickly and respectfully.

Compliance

DeedShield is not subject to HIPAA, SOC 2, or PCI DSS directly — we don’t handle health data or store cards. Stripe handles PCI compliance on our behalf. Supabase’s underlying infrastructure (AWS) has SOC 2 Type II. We’re committed to meeting GDPR and CCPA standards for the personal data we do hold.

If something goes wrong

In the event of a data breach affecting your information, we will notify you by email as soon as we’re reasonably able, and in accordance with applicable breach-notification laws (within 72 hours for GDPR-covered users; under 30 days for most US states).