Security and trust
How we protect your data — encryption, authentication, infrastructure, backups, and incident response.
Encryption
All data in transit is encrypted using TLS 1.3. Data at rest in our managed database is encrypted using AES-256. Backup snapshots are encrypted with the same standard and stored in geographically distributed regions.
Authentication
Accounts are protected by:
- Email + password (passwords hashed with bcrypt; we never store plaintext).
- Optional Google OAuth sign-in.
- Session tokens with automatic refresh and revocation on sign-out.
- Row-Level Security (RLS) at the database layer, which ensures one user can never read another user's data.
Infrastructure
TrendsIQ is hosted on Lovable Cloud (a managed Postgres + edge runtime platform). Our infrastructure inherits SOC 2 Type II compliance from our hosting provider. We follow least-privilege principles for all internal access, audited quarterly.
Backups and recovery
Database backups are taken every 24 hours and retained for 30 days. We perform quarterly restore drills to verify backup integrity and our recovery time objective (RTO) of under 4 hours.
Monitoring
We monitor the Service 24/7 for availability, errors and anomalous activity. Critical alerts page on-call engineers within 5 minutes. We post status updates at status.trendsiq.io during incidents.
Incident response
We maintain a documented incident response plan covering detection, containment, eradication, recovery and post-mortem. In the event of a breach affecting your data, we'll notify you within 72 hours, in line with GDPR Article 33.
Responsible disclosure
We welcome reports of security vulnerabilities. Please email security@trendsiq.io with:
- A clear description of the issue.
- Steps to reproduce.
- Your contact details for follow-up.
We commit to acknowledging within 48 hours and providing a remediation timeline within 7 days. Please do not publicly disclose vulnerabilities before we've had a chance to fix them.
Data portability and deletion
You can export your saved items, scripts and pipeline cards from the Settings page at any time. Account deletion removes all your personal data within 30 days, except where retention is legally required.
Compliance roadmap
We're working towards SOC 2 Type II for TrendsIQ itself (in progress, expected 2026). We are GDPR and CCPA compliant today. ISO 27001 evaluation begins after SOC 2.
AI usage and safety
We use frontier AI providers (OpenAI, Google) under their data-processing agreements. Your prompts and outputs are not used to train upstream models. We do not retain prompts beyond what's needed to deliver the immediate response.