Trust & Security
Pickrate is operated by PurelySearch LLC (Delaware, United States). This page is the plain account of what data we hold, who processes it, and how we protect it. Last updated June 25, 2026.
The short version
- We don't sell your data. Ever.
- We don't train models on your data. Your Custom Eval inputs are used to run your eval and return your results — nothing else.
- We only share data with the sub-processors listed below, each for a specific operational purpose.
- Data is encrypted in transit and at rest.
What we collect
- Account data — your email and authentication credentials (passwords are hashed; we never see them in plaintext).
- Billing data — handled by Stripe. We store a customer identifier and subscription status; Stripe holds your card details, not us.
- Custom Eval inputs — the prompts, competitor lists, and model selections you submit, plus the results and traces we generate for you.
- Usage data — basic analytics about how the site is used.
Security practices
- Encryption in transit — all traffic is served over TLS.
- Encryption at rest — our database and storage encrypt data at rest.
- Authentication — managed by Supabase Auth, with hashed credentials and session-based access.
- Least-privilege access — application and database credentials are scoped to what each component needs; secrets are never committed to source control.
- API keys — programmatic access uses scoped keys, stored hashed and revocable.
Sub-processors
We use the third-party providers below to operate Pickrate. We will update this list and aim to notify account holders before a new sub-processor that handles customer data takes effect.
| Sub-processor | Purpose | Data | Location |
|---|---|---|---|
| Supabase | Primary database and authentication | Account, authentication, and application data | United States |
| Railway | Application hosting | All application traffic in transit | United States |
| Stripe | Payment processing and billing | Billing details (Stripe stores card data; Pickrate does not) | United States |
| Resend | Transactional email delivery | Email address and message content | United States |
| Inngest | Background job and workflow processing | Application data in transit during processing | United States |
| Anthropic | AI model provider (eval engine) | Eval prompts, including Custom Eval inputs | United States |
| OpenAI | AI model provider (eval engine) | Eval prompts, including Custom Eval inputs | United States |
| Google (Gemini API) | AI model provider (eval engine) | Eval prompts, including Custom Eval inputs | United States |
| Google Analytics | Website usage analytics | Usage and device data (no account credentials) | United States |
| Cloudflare | DNS | None (DNS resolution only) | United States |
Compliance
- SOC 2 — not yet certified. We're evaluating a SOC 2 program and will publish status here when we begin. We will not claim a report we don't hold.
- GDPR / CCPA — you can request access to or deletion of your data at any time by emailing privacy@pickrate.io.
- Data Processing Agreement — available for customers who need one. See our DPA.
Reporting a vulnerability
Found a security issue? Email security@pickrate.io with the details and steps to reproduce. We'll acknowledge it and work with you in good faith. Please don't publicly disclose until we've had a chance to fix it.
Legal
See our Privacy Policy, Terms of Service, and Data Processing Agreement.