Trust & Security

Security & Privacy

Factual answers to every security question that matters — no vague assurances.

🔒 HTTPS enforced
🇮🇪 EU-hosted (Ireland)
🔑 API key server-side only
🚫 Zero tracking cookies
🛡️ All routes authenticated
🇬🇧 UK GDPR compliant
📁 Your Files & Documents

Are my tool inputs (text I type) stored?
Secured
No. Text you enter into tool forms is sent to the AI model to generate a response, then discarded. FitOut Insider does not store, log, or retain any tool inputs after the response is generated.
Where are my saved documents stored?
Secured
Saved outputs are stored in your account on Supabase, with EU-region servers in Ireland (eu-west-1). Data is encrypted at rest (AES-256) and in transit (TLS 1.3). Row Level Security (RLS) ensures you can only access your own data.
Can FitOut Insider staff read my documents?
Secured
RLS policies at the database level restrict access by user ID. The database admin (site owner) has raw database access — this is true of all database-backed applications. Documents containing commercially sensitive data should be downloaded locally if needed.
🔐 Authentication & Access

How is login secured?
Secured
Authentication is handled by Supabase Auth, which uses industry-standard bcrypt password hashing and secure session management. Login attempts are rate-limited to prevent brute-force attacks.
How is the session cookie protected?
Secured
The session cookie is set with HttpOnly (no JavaScript access), Secure (HTTPS only), and SameSite=Strict (prevents cross-site request forgery). The cookie stores only a session token — no personal data.
Are the tool API endpoints protected?
Secured
Yes. All API routes require a valid authenticated session via Supabase Auth. Unauthenticated requests receive a 401 Unauthorised response. A middleware layer enforces this across all routes.
🤖 API Key & AI Model

Can someone steal the Anthropic API key from the website?
Secured
No. The API key is stored as a server-side environment variable on Vercel. It is never sent to your browser and never appears in any network request you can inspect. All AI calls happen server-to-server. There is no way to extract it from the browser.
Can someone access the AI without logging in?
Secured
No. All AI API routes are protected by session authentication middleware. An unauthenticated request returns 401 immediately, before any AI call is made.
Who processes my AI inputs?
Note
Your tool inputs are sent to Anthropic's Claude API for processing. By Anthropic's API policy, inputs are not used to train AI models. FitOut Insider does not retain a copy of your inputs after the response is generated.
What happens with BYOK (Bring Your Own Key)?
Secured
If you add your own Anthropic API key on the Professional plan, it is encrypted at rest using AES-256-CBC before storage. The key is decrypted server-side only at the moment of the API call and is never exposed to the client or logged.
🌐 Website Infrastructure

Is the website protected against DDoS attacks?
Secured
Yes. FitOut Insider is hosted on Vercel, which provides enterprise-grade DDoS protection, a global CDN, and automatic traffic mitigation at the edge.
Is all traffic encrypted?
Secured
Yes. HTTPS is enforced on all connections via Vercel's automatic TLS certificates. HTTP requests are automatically redirected to HTTPS. HSTS headers are set to enforce this for future visits.
What security headers does the site use?
Secured
X-Frame-Options: SAMEORIGIN (clickjacking protection), X-Content-Type-Options: nosniff, X-XSS-Protection: 1; mode=block, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy (disables camera/mic/location/payment), HSTS.
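As an added check for the header set listed above (not FitOut Insider's code), the Node.js example below audits a response's headers and reports any that are missing or carry a weak value. The thresholds and accepted values (for instance a minimum HSTS max-age of six months, and the four Permissions-Policy features the page names) are assumptions chosen for the example; the sample header sets are constructed, not captured from the site. X-XSS-Protection is treated as informational only, since current browsers ignore it.

```javascript
// Added example (not FitOut Insider's code): audit a response header set
// against the headers the page lists. Thresholds are assumptions.
const SIX_MONTHS = 15552000;

// Each entry: header name (lowercase) -> predicate that accepts a sane value.
const REQUIRED = {
  "x-frame-options": (v) => ["DENY", "SAMEORIGIN"].includes(v.trim().toUpperCase()),
  "x-content-type-options": (v) => v.trim().toLowerCase() === "nosniff",
  "referrer-policy": (v) =>
    ["no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"]
      .includes(v.trim().toLowerCase()),
  // The page says camera, mic, location and payment are disabled; an empty
  // allowlist "feature=()" is what disables a feature.
  "permissions-policy": (v) =>
    ["camera", "microphone", "geolocation", "payment"]
      .every((f) => new RegExp(`(^|,)\\s*${f}=\\(\\)`).test(v)),
  "strict-transport-security": (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    return !!m && Number(m[1]) >= SIX_MONTHS;
  },
};

// Returns a list of findings; an empty list means every required header
// is present with an acceptable value.
function auditHeaders(headers) {
  const h = {};
  for (const [k, val] of Object.entries(headers)) h[k.toLowerCase()] = String(val);
  const findings = [];
  for (const [name, accept] of Object.entries(REQUIRED)) {
    if (!(name in h)) findings.push(`${name}: missing`);
    else if (!accept(h[name])) findings.push(`${name}: weak value "${h[name]}"`);
  }
  if (!("x-xss-protection" in h)) {
    findings.push("x-xss-protection: absent (informational; modern browsers ignore it)");
  }
  return findings;
}

// Constructed sample header sets (not captured from the live site).
const SAMPLE_GOOD = {
  "X-Frame-Options": "SAMEORIGIN",
  "X-Content-Type-Options": "nosniff",
  "X-XSS-Protection": "1; mode=block",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
};

const SAMPLE_WEAK = {
  "X-Frame-Options": "ALLOWALL",
  "X-Content-Type-Options": "nosniff",
  "X-XSS-Protection": "1; mode=block",
  "Referrer-Policy": "unsafe-url",
  "Strict-Transport-Security": "max-age=60",
};

module.exports = { auditHeaders, SAMPLE_GOOD, SAMPLE_WEAK, REQUIRED };
```

Run `auditHeaders` over the headers object returned by `fetch(url).headers` (converted with `Object.fromEntries`) to turn the page's list into a repeatable check in a deployment pipeline rather than a one-off manual inspection.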
🛡️ GDPR & Data Privacy

Does FitOut Insider comply with UK GDPR?
Secured
Yes. Data is stored in the EU (Ireland). We process minimal personal data, use no analytics or tracking cookies, and provide full rights of access, rectification, and erasure. A Data Processing Agreement (DPA) is available on request for Professional and Enterprise plan subscribers.
Can I request deletion of my data?
Secured
Yes. Under UK GDPR Article 17, you have the right to erasure. Contact hello@fitoutinsider.com and we will delete your account data within 30 days.
Does the site use analytics or tracking?
Secured
No. There are no analytics tools (Google Analytics, Plausible, Mixpanel), no advertising pixels (Meta Pixel, Google Ads), and no session recording tools installed. Your usage patterns are not tracked or profiled beyond the AI request count needed for your plan allowance.
🗄️ Database Security (Supabase)

How is the database secured?
Secured
Supabase is SOC 2 Type II certified, ISO 27001 compliant, and GDPR compliant. Data is encrypted at rest (AES-256) and in transit (TLS 1.3). Row Level Security (RLS) at the database level means even if the API layer is compromised, users cannot access each other's data.
Where is data physically stored?
Secured
All account data, project documents, and usage records are stored on Supabase with the EU region selected: eu-west-1 (Ireland). No data is stored outside the EU except for transient AI processing via Anthropic (USA) under standard contractual clauses.
Found a Security Issue?

We take security seriously. If you discover a vulnerability, please report it responsibly before public disclosure. We will acknowledge within 48 hours and work to fix confirmed issues promptly.

📧 Report a Vulnerability