⚠️ DRAFT — awaiting legal review.

Security & Subprocessors

Last updated: 2026-05-04

A practical, non-marketing summary of how Helpino is built, what we store, and the limits in place.

Data we store

Account: email, hashed password, optional name (handled by Supabase Auth).

Subscription: Stripe customer/subscription IDs, plan, status (in Supabase Postgres).

Usage: a row per AI request with timestamp and module type, partitioned by environment (preview vs production).

Data we don't permanently store

Your AI prompts and the responses they generate (passed to AI providers and rendered back to you, but not retained on our side beyond short-term diagnostic logs).

Uploaded document content (processed transiently and discarded).

Payment-card details (handled entirely by Stripe; never visible to us).

Encryption and access

TLS for all data in transit (handled by Vercel and Supabase).

Encryption at rest is provided by Supabase and the underlying cloud infrastructure.

Service-role keys (full database access) are stored only as encrypted environment variables in Vercel; never in source code.

Authentication uses JWTs issued by Supabase Auth, verified on every API request.

Only the operator (Pascal Lauener) has direct production database access.

Subprocessors

The third-party services that may process data on our behalf:

Service | What it does
Supabase | Authentication + Postgres database
Stripe | Payments + subscription management
Anthropic (Claude) | Premium AI for Message, Document, Ask
Groq (Llama) | Standard AI for Meal Planner
HuggingFace | Embeddings (planned)
Vercel | Hosting + edge runtime

Quotas and rate limits

See the dedicated Usage limits page for the full breakdown by plan, including monthly quotas, per-module daily caps for Unlimited, and the per-minute throttle.

Reporting security issues

Found a vulnerability or want to report a concern? Email contact@helpino.ai with details. We aim to respond within five business days.