Security & Subprocessors
Last updated: 2026-05-04
A practical, non-marketing summary of how Helpino is built, what we store, and the limits in place.
Data we store
Account: email, hashed password, optional name (handled by Supabase Auth).
Subscription: Stripe customer/subscription IDs, plan, status (in Supabase Postgres).
Usage: a row per AI request with timestamp and module type, partitioned by environment (preview vs production).
Data we don't permanently store
Your AI prompts and the responses they generate (passed to AI providers and rendered back to you, but not retained on our side beyond short-term diagnostic logs).
Uploaded document content (processed transiently and discarded).
Payment-card details (handled entirely by Stripe; never visible to us).
Encryption and access
TLS for all data in transit (handled by Vercel and Supabase).
Encryption at rest is provided by Supabase and the underlying cloud infrastructure.
Service-role keys (full database access) are stored only as encrypted environment variables in Vercel, never in source code.
Authentication uses JWTs issued by Supabase Auth, verified on every API request.
Only the operator (Pascal Lauener) has direct production database access.
Subprocessors
The third-party services that may process data on our behalf:
| Service | What it does |
|---|---|
| Supabase | Authentication + Postgres database |
| Stripe | Payments + subscription management |
| Anthropic (Claude) | Premium AI for Message, Document, Ask |
| Groq (Llama) | Standard AI for Meal Planner |
| HuggingFace | Embeddings (planned) |
| Vercel | Hosting + edge runtime |
Quotas and rate limits
See the dedicated Usage limits page for the full breakdown by plan, including monthly quotas, per-module daily caps for Unlimited, and the per-minute throttle.
Reporting security issues
Found a vulnerability or want to report a concern? Email contact@helpino.ai with details. We aim to respond within five business days.