Security & Compliance
AvisRadar is built to protect your data with the highest security standards. Here's how we secure your competitive intelligence.
Architecture & Hosting
| Component | Provider | Location |
|---|---|---|
| Application | Railway (US infrastructure, encrypted transit) | US-West |
| Database | Embedded SQLite (no exposed DB server) | Same instance |
| Payments | Stripe PCI DSS L1 | Global |
| Email | Resend (SPF/DKIM/DMARC) | US/EU |
| AI Analysis | Anthropic (Claude API) SOC 2 | US |
| Public review scraping | Apify / Outscraper | EU/US |
All communications between components are encrypted (TLS 1.2+). No banking data ever touches our servers — Stripe handles 100% of payment processing.
Authentication & Access Control
- Passwords hashed with bcrypt (12 rounds) — never stored in plaintext
- Sessions via JWT in httpOnly, Secure, SameSite=Strict cookies — the session cookie is not readable from JavaScript, so it cannot be exfiltrated via XSS
- Rate limiting on sensitive endpoints (login, register, API) to block brute-force attacks
- CORS restricted — only avisradar.app domain is authorized
- Security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, CSP
Data We Collect
What we collect
| Data | Purpose | Retention |
|---|---|---|
| Email, name | Account & reports | Subscription duration + 30 days |
| Google Maps Place ID | Public review collection | Subscription duration |
| Public Google reviews | Competitive analysis | Subscription duration |
What we do NOT collect
- No banking data (handled by Stripe)
- No advertising or tracking cookies
- No private data — only public Google Maps reviews
- No tracking pixels in emails
GDPR Compliance
AvisRadar complies with the General Data Protection Regulation (GDPR). You have the following rights at any time:
- Access — obtain a copy of all your data
- Rectification — correct your information
- Erasure — delete your account and all your data
- Portability — export your data in structured format (CSV)
- Objection — object to processing at any time
To exercise your rights: hello@avisradar.app — response within 48 business hours.
AI Processing
Reports are generated by Claude (Anthropic). Data sent to the Claude API:
- Is not used to train models (Anthropic API policy)
- Is not retained beyond request processing
- Contains only public Google Maps reviews — no sensitive personal data
Sub-processors
| Sub-processor | Role | Compliance |
|---|---|---|
| Stripe | Payments | PCI DSS Level 1, SOC 2 |
| Anthropic | AI analysis | SOC 2 Type II |
| Resend | Email delivery | SPF/DKIM/DMARC, GDPR |
| Railway | Hosting | SOC 2 |
| Apify | Public review collection | GDPR |
Vulnerability Reporting
If you discover a security vulnerability, contact us immediately at hello@avisradar.app with subject "[SECURITY]". We commit to:
- Acknowledging receipt within 24 hours
- Investigating and fixing within 72 hours
- Never pursuing legal action for responsible disclosure
Questions about security?
Our team responds within 48 hours to all compliance and security inquiries.