Skip to content
Security & privacy

Built to earn your trust.

THE ENTITY sits close to your money decisions, so we treat your data with the seriousness that deserves. Here’s exactly how we protect it — written honestly, including what we haven’t built yet.

01Your data

We collect what the product needs — and nothing we’d be embarrassed to list.

What we store

The essentials to run the product: your account email, your watchlists, the scenarios you build, and your learning progress. That’s the shape of it — no more than the service needs.

It’s yours

Your data belongs to you, not us. You can export it whenever you want and delete your account — and everything tied to it — on request. No dark patterns, no hostage-taking.

We never sell your data

Plainly: we do not sell your personal data to anyone, and we do not train AI models on it. We make money from subscriptions, not from you being the product.

02How accounts work

Identity built on Supabase, isolated at the database.

Passwords, done right

Accounts run on Supabase Auth. Passwords are salted and hashed with a modern algorithm — never stored or logged in plaintext. We cannot see your password, and neither can anyone who reads the database.

Sign in your way

Use email and a password, or continue with Google via OAuth so a trusted provider verifies you and we never touch your Google credentials. Either way, your session is held in a secure, HTTP-only cookie.

You only see your own rows

Every table is protected by row-level security, enforced in the database itself. The rules guarantee one account can only ever read or write its own data — isolation that survives even an application bug.

03Payments

We never see your card number.

Billing is handled end-to-end by our payment processor — Paddle today. When you subscribe, your card details go straight to them over their own secure, PCI-DSS-compliant systems.

THE ENTITY never sees, handles, or stores your full card number. We keep only what we need to manage your subscription — your plan, its status, and a processor reference. Your card data never touches our servers.

What stays where

  • Card number, expiry, CVC → only ever with Paddle.
  • Plan, status, renewal date → with us, to run your account.
  • Receipts and invoices → issued by the processor.
04Infrastructure

Encrypted in transit, encrypted at rest, locked down by default.

Encrypted in transit

Every connection to THE ENTITY is served over HTTPS/TLS. Nothing moves between your browser and our servers in the clear.

Encrypted at rest

Your data sits on managed, modern cloud infrastructure where storage is encrypted at rest by default — backups included.

Least-privilege access

Access to production is restricted to the people and services that genuinely need it, scoped to the minimum required, and secrets are kept out of the codebase.

05Privacy choices

We use a cookie for one thing: keeping you signed in. Our product analytics, when on, are privacy-respecting and cookieless — they record aggregate usage like page views and clicks, never building an advertising profile of you. We don’t run third-party ad trackers, and we don’t sell or share your activity.

The full detail — what we collect, the processors we rely on, and your GDPR/CCPA rights to access, export, and delete — lives in the privacy policy.

06On the roadmap
Planned — not live yet

What we’re building next — stated as plans, not promises.

THE ENTITY is an early-stage product. The items below are on our roadmap; we don’t have them today and we won’t pretend otherwise. We’ll move them up to the sections above the moment they’re real.

SOC 2

A formal Type II audit of our security controls. We are early — we don’t hold this certification yet, and we won’t imply we do.

SSO / SAML

Single sign-on for institutions and teams, so Terminal customers can manage access through their own identity provider.

Two-factor auth (2FA)

An optional second factor on sign-in for accounts that want defence in depth.

Audit logs

Account-level activity history, so you can review sign-ins and key changes for yourself.

07Report an issue

Found a vulnerability? Tell us.

We welcome reports from security researchers and treat them seriously. If you believe you’ve found a vulnerability, email us with the details and steps to reproduce. Please give us a reasonable window to investigate and fix the issue before disclosing it publicly, and don’t access or modify other people’s data while testing. Act in good faith and we will too.

Email hello@joinentity.com

Trust is earned in the details.

We’d rather under-promise on security and over-deliver. If something here isn’t clear, ask us.

Contact security

THE ENTITY is research, not investment advice.