Built to earn your trust.
THE ENTITY sits close to your money decisions, so we treat your data with the seriousness that deserves. Here’s exactly how we protect it — written honestly, including what we haven’t built yet.
We collect what the product needs — and nothing we’d be embarrassed to list.
What we store
The essentials to run the product: your account email, your watchlists, the scenarios you build, and your learning progress. That’s the shape of it — no more than the service needs.
It’s yours
Your data belongs to you, not us. You can export it whenever you want and delete your account — and everything tied to it — on request. No dark patterns, no hostage-taking.
We never sell your data
Plainly: we do not sell your personal data to anyone, and we do not train AI models on it. We make money from subscriptions, not from you being the product.
Identity built on Supabase, isolated at the database.
Passwords, done right
Accounts run on Supabase Auth. Passwords are salted and hashed with a modern algorithm — never stored or logged in plaintext. We cannot see your password, and neither can anyone who reads the database.
Sign in your way
Use email and a password, or continue with Google via OAuth so a trusted provider verifies you and we never touch your Google credentials. Either way, your session is held in a secure, HTTP-only cookie.
You only see your own rows
Every table is protected by row-level security, enforced in the database itself. The rules guarantee one account can only ever read or write its own data — isolation that survives even an application bug.
We never see your card number.
Billing is handled end-to-end by our payment processor — Paddle today. When you subscribe, your card details go straight to them over their own secure, PCI-DSS-compliant systems.
THE ENTITY never sees, handles, or stores your full card number. We keep only what we need to manage your subscription — your plan, its status, and a processor reference. Your card data never touches our servers.
What stays where
- Card number, expiry, CVC → only ever with Paddle.
- Plan, status, renewal date → with us, to run your account.
- Receipts and invoices → issued by the processor.
Encrypted in transit, encrypted at rest, locked down by default.
Encrypted in transit
Every connection to THE ENTITY is served over HTTPS/TLS. Nothing moves between your browser and our servers in the clear.
Encrypted at rest
Your data sits on managed, modern cloud infrastructure where storage is encrypted at rest by default — backups included.
Least-privilege access
Access to production is restricted to the people and services that genuinely need it, scoped to the minimum required, and secrets are kept out of the codebase.
We use a cookie for one thing: keeping you signed in. Our product analytics, when on, are privacy-respecting and cookieless — they record aggregate usage like page views and clicks, never building an advertising profile of you. We don’t run third-party ad trackers, and we don’t sell or share your activity.
The full detail — what we collect, the processors we rely on, and your GDPR/CCPA rights to access, export, and delete — lives in the privacy policy.
What we’re building next — stated as plans, not promises.
THE ENTITY is an early-stage product. The items below are on our roadmap; we don’t have them today and we won’t pretend otherwise. We’ll move them up to the sections above the moment they’re real.
SOC 2
A formal Type II audit of our security controls. We are early — we don’t hold this certification yet, and we won’t imply we do.
SSO / SAML
Single sign-on for institutions and teams, so Terminal customers can manage access through their own identity provider.
Two-factor auth (2FA)
An optional second factor on sign-in for accounts that want defence in depth.
Audit logs
Account-level activity history, so you can review sign-ins and key changes for yourself.
Found a vulnerability? Tell us.
We welcome reports from security researchers and treat them seriously. If you believe you’ve found a vulnerability, email us with the details and steps to reproduce. Please give us a reasonable window to investigate and fix the issue before disclosing it publicly, and don’t access or modify other people’s data while testing. Act in good faith and we will too.
Email hello@joinentity.comTrust is earned in the details.
We’d rather under-promise on security and over-deliver. If something here isn’t clear, ask us.
THE ENTITY is research, not investment advice.