Trust Centre

Security and privacy you can verify

Elevale is committed to GDPR, UK GDPR, and global privacy standards. This section explains how we protect your data and where to find our legal documents.

GDPR, data retention, privacy rights, security, audit logging, and legal document links.

  • Privacy Center: Profile → Privacy: export your data or submit a privacy request
  • Account deletion: Profile → Security → Danger zone
  • Audit log: Workspace admins can view who changed what
  • MFA: Required for all accounts after signup

Commitments

What you can expect from Elevale

Outcomes sourced from our platform documentation (encryption, access control, audit logging, data rights, and retention), without implementation jargon.

Authentication

  • Multi-factor authentication (email or authenticator app) required after signup
  • Privileged platform roles (super admin, agency admin) must use MFA
  • Password reset and session management via Supabase Auth

Encryption

  • In transit: TLS 1.2+ for all connections
  • At rest: Supabase encrypted storage; OAuth tokens encrypted server-side
  • Secrets: API keys stored as hashes; no client-side token encryption

Access control

  • Row Level Security (RLS) on all tenant data
  • Role-based access: system, organization, and workspace levels
  • Custom workspace roles with granular permissions

Your data rights

Under GDPR, UK GDPR, and many US state laws you have rights over your personal data.

  • Access: Know what data we hold about you
  • Portability: Download your data (JSON export)
  • Rectification: Correct inaccurate data in Profile settings
  • Erasure: Delete your account or request erasure

Audit logging

Elevale maintains an immutable audit trail for compliance and security accountability.

  • Workspace data changes (OKRs, KPIs, tasks, wiki, business brief, process map)
  • User and role changes
  • Permission and custom role modifications

Retention and deletion

Retention timelines are consistent across billing, automated jobs, and this documentation.

  • Grace period: Until end of current billing period; full access continues
  • Access ends: At grace period end; account closed; deletion schedule begins
  • 60 days after access ends: Personal data anonymised (soft delete)

Retention

Clear deletion timelines

Retention periods are consistent across billing, automated jobs, and platform documentation.

View retention policy →

Cancelled workspaces

  1. Grace period: Until end of current billing period; full access continues
  2. Access ends: At grace period end; account closed; deletion schedule begins
  3. 60 days after access ends: Personal data anonymised (soft delete)
  4. 90 days after access ends: Permanent deletion (hard delete)

Other data categories

  • Audit logs: Retained 2 years, then purged automatically
  • Cookie consent records: 1 year
  • Privacy requests: 3 years after completion (compliance evidence)
  • Billing records: Retained as required by tax law (typically 6–7 years)
  • Backups: Supabase encrypted PITR; rolling schedule independent of application lifecycle

Subprocessors

Trusted partners behind the platform

Elevale uses trusted subprocessors to deliver the platform. The authoritative list is published at elevale.app/legal/subprocessors. We provide 30 days' notice before adding subprocessors that process personal data.

| Provider | Purpose |
|---|---|
| Supabase | Database, authentication, storage (EU/US regions) |
| Fly.io | Application hosting |
| Stripe | Payment processing |
| OpenAI / Google Gemini | AI chat and embeddings (when enabled) |
| ElevenLabs | Voice mode (when enabled) |
| AWS SES | Transactional email |

Need help?

Questions about security or privacy?

Reach our privacy and security teams directly. Data rights requests are handled within our documented 30-day SLA.