๐Ÿš€ Launch offer: Sign up free and get 60 days full Pro access โ€” no credit card needed. Claim it โ†’

Security & Privacy

How AlgoGrass protects
your data

We're a GDPR compliance product โ€” which means we hold ourselves to the same standards we help you meet. Here's exactly how we handle your data, where it's stored, and what security measures are in place.

๐Ÿ”’ TLS 1.3 in transit๐Ÿ›ก๏ธ AES-256 at rest๐Ÿ‡ฌ๐Ÿ‡ง UK GDPR compliant๐Ÿ‡ช๐Ÿ‡บ EU data residency๐Ÿšซ No data selling๐Ÿงน 30-day scan retention

๐ŸŒWhere your data is processed

AlgoGrass is hosted on infrastructure that keeps your data within the UK and European Economic Area (EEA). We do not transfer personal data to countries outside the UK/EEA without appropriate safeguards.

Application hosting
Vercel (EU region โ€” Frankfurt, Germany)Vercel operates under the EUโ€“US Data Privacy Framework and provides a Data Processing Addendum.
Database
MongoDB Atlas (EU West โ€” Ireland, eu-west-1)All data stored and replicated within EU data centres. At-rest encryption enabled by default.
Transactional email
Resend (EU region)Used for account notifications, password resets, and compliance alerts only.
Payments
Stripe (UK & EU regulated)Stripe processes payment card data. AlgoGrass never stores card numbers. Stripe is PCI DSS Level 1 certified.
AI processing
Google Gemini API (EU data residency where available)Scan descriptions and prompts sent for AI analysis do not include raw personal data from your users.

๐Ÿ”Encryption

All data transmitted between your browser and AlgoGrass uses TLS 1.3. Our HTTPS certificate is managed by Vercel and auto-renewed. HTTP connections are automatically redirected to HTTPS.

Data stored in MongoDB Atlas is encrypted at rest using AES-256, managed by MongoDB's Encrypted Storage Engine. Backup data is also encrypted at rest.

๐Ÿ”’
In transit
TLS 1.3 โ€” all connections between your browser, our servers, and our databases are encrypted.
๐Ÿ’พ
At rest
AES-256 encryption on all MongoDB Atlas storage. Backups encrypted with the same standard.
๐Ÿ”‘
Secrets management
API keys and credentials are stored as Vercel environment variables โ€” never in code or version control.
๐Ÿช
Session tokens
Auth cookies are HttpOnly, Secure, and SameSite=Strict. Session data is not stored server-side.

๐Ÿ—“๏ธData retention

We keep your data only as long as necessary. Here is exactly what we store and for how long:

Scan results
Retained for 30 days, then automatically deletedYou can download your report at any time. Re-scanning creates a fresh record.
Account data
Retained while your account is activeDeletion request: email contact@algograss.com โ€” we'll delete your account and all associated data within 30 days.
Compliance documents
Retained in your account until you delete themDocuments you generate (privacy policy, DPA, etc.) are stored linked to your account.
Audit logs
Retained for 90 days for security and debuggingLogs contain request metadata (IP, timestamp, endpoint). Logs are not used for marketing.
Payment data
Retained as required by UK financial regulations (7 years)Stripe retains full payment records. We store only subscription status and amount.
Email addresses (waitlist)
Retained until you unsubscribe or request deletionOne-click unsubscribe is included in every email.

๐Ÿ“‹What data we collect and why

We collect only what is necessary to provide the service. We do not sell, rent, or share your data with third parties for advertising purposes.

Email address
Account creation, login, and transactional notifications
Password (bcrypt hashed)
Authentication. We never store plaintext passwords.
Website URL you scan
To perform the GDPR compliance scan of your websiteThe URL is sent to our scanner. The resulting report is stored in your account.
Compliance documents you generate
Stored in your account so you can access them later
Usage data
Which tools you use, when you log in โ€” for product improvementNot shared with third parties. Used only to improve the product.
Payment information
Processed directly by Stripe โ€” we never see or store card numbers
Visitor analytics
Page views, device type, country โ€” for understanding trafficFirst-party only. No third-party tracking scripts (no Google Analytics, no Meta Pixel).

๐Ÿ›ก๏ธSecurity headers & controls

AlgoGrass is built with security headers configured at the Vercel edge. These protect against common web attacks including cross-site scripting (XSS), clickjacking, and content injection.

Content-Security-Policy:default-src 'self'; script-src 'self' 'unsafe-inline'; ...
Strict-Transport-Security:max-age=63072000; includeSubDomains; preload
X-Frame-Options:SAMEORIGIN
X-Content-Type-Options:nosniff
Referrer-Policy:strict-origin-when-cross-origin
Permissions-Policy:camera=(), microphone=(), geolocation=()

๐Ÿ”—Sub-processors

We use the following sub-processors to deliver the AlgoGrass service. Each has a Data Processing Agreement in place, and all operate within the UK/EEA or under appropriate transfer mechanisms.

Application hosting & edge network๐Ÿ“ EU (Frankfurt)
Database (primary data store)๐Ÿ“ EU West (Ireland)
Transactional email delivery๐Ÿ“ EU region
Payment processing (PCI DSS Level 1)๐Ÿ“ UK / EEA
AI language model inference๐Ÿ“ EU data residency where applicable

โš–๏ธYour data rights

Under UK GDPR, you have the following rights regarding your personal data held by AlgoGrass:

Right of access (Art. 15)
Request a copy of all data we hold about you.
Right to rectification (Art. 16)
Correct inaccurate or incomplete data.
Right to erasure (Art. 17)
Request deletion of your account and all associated data.
Right to restriction (Art. 18)
Restrict how we process your data while a dispute is resolved.
Right to portability (Art. 20)
Receive your data in a machine-readable format.
Right to object (Art. 21)
Object to processing based on legitimate interests.

To exercise any of these rights, email contact@algograss.com. We'll respond within 30 days as required by UK GDPR Article 12. If you're not satisfied with our response, you can lodge a complaint with the Information Commissioner's Office (ICO).

Security questions or concerns?

Contact our data protection team. We take every report seriously.

Email contact@algograss.com โ†’Privacy Policy