Security & trust

Your business data is safe with us

Your clients trust you with their work. You can trust us with your data. Here’s exactly how we protect it.

0-bit
Encryption in transit (HTTPS / TLS)
0%
Per-account data isolation
0
Times we sell or rent your data
0-click
Export anytime — no lock-in
Defense in depth

How your data is protected

No single lock keeps data safe. We wrap yours in layers — each one an independent barrier between the outside world and your clients, projects, and invoices.

  1. L1

    Managed infrastructure

    Supabase + Vercel, with strict security headers and a locked-down content-security policy.

  2. L2

    Encryption in transit

    Every request travels over HTTPS/TLS with HSTS enforced — nothing moves in the clear.

  3. L3

    Secure authentication

    Passwords are hashed, never stored as plain text; sessions are handled by our auth provider.

  4. L4

    Row-level isolation

    Database policies scope every row to its owner, so no account can reach another’s data.

Managed infrastructure
Encryption in transit
Secure authentication
Row-level isolation
Your dataClients · Projects · Invoices
Our practices

Every safeguard, in plain English

Grouped by what they protect — so you can see exactly what stands between your data and everyone else.

01
Encryption & access

Locked down, end to end

From the moment data leaves your device to the moment it’s stored, it stays encrypted and behind secure sign-in.

Encrypted in transit

All traffic is served over HTTPS/TLS, with HSTS enforced. Your data is encrypted while moving between your device and our servers.

Secure authentication

Passwords are hashed and never stored in plain text. Sessions are managed securely by our authentication provider.

02
Isolation & infrastructure

Your account, walled off

We build on reputable managed platforms and enforce isolation at the database layer, so one customer can never see another.

Per-account data isolation

Every account’s data is isolated using row-level security at the database layer, so one customer can never see another’s information.

Hardened infrastructure

We run on managed, reputable infrastructure (Supabase and Vercel) with security headers, a strict content-security policy, and regular updates.

03
Payments

Card details never touch our servers

Payments are processed by Razorpay, a PCI-DSS compliant provider. We never see or store your full card details — sensitive information stays with the processor.

  • PCI-DSS compliant processing
  • Full card numbers never stored by us
  • Handled entirely by Razorpay
secure checkout
Card details PCI-DSS
••••••••••••4242
Processed by Razorpay Never stored by AgencyTrack
04
Ownership & privacy

Your data stays yours

We collect only what’s needed to run AgencyTrack, never sell it, and let you take it with you whenever you want.

Your data, exportable

You can export your clients, projects, and invoices at any time. There’s no lock-in — your data stays yours.

We never sell your data

We do not sell or share your personal or client data with advertisers. We only use trusted providers needed to run the service.

Privacy by design

We collect only what we need to run AgencyTrack, and we comply with applicable privacy law including India’s DPDP Act, 2023.

Security questions, answered

The things people ask most about how we handle their data.

AgencyTrack runs on managed, reputable infrastructure — Supabase for the database and Vercel for the application — with strict security headers and a locked-down content-security policy. Everything is served over HTTPS/TLS with HSTS enforced, so your data is encrypted while it moves between your device and our servers.

Only you and the team members you invite. Every account’s data is isolated with row-level security at the database layer, so one customer can never see another’s information. We never sell or share your personal or client data with advertisers, and we collect only what we need to run the service.

Yes. You can export your clients, projects, and invoices at any time — there’s no lock-in, your data stays yours. You can also request deletion; we comply with applicable privacy law, including India’s DPDP Act, 2023, and you can reach our Grievance Officer for any data request.

Payments are processed by Razorpay, a PCI-DSS compliant provider. We never see or store your full card details on our servers — sensitive payment information stays with the payment processor.

Responsible disclosure

Found a security issue, or have a question about how we handle data? We take it seriously.

Please report it privately before disclosing publicly, and give us a reasonable chance to fix it. For data and privacy concerns you can also reach our Grievance Officer.

Read our Privacy Policy and Cookie Policy, or see how it all fits together in how AgencyTrack works .

Free plan — no credit card

Start running your business the calm way

Create your free account and set up your first client in minutes. No credit card required.