Trust & Security
Headleap is built on a simple principle: your personal data is yours alone. Here is exactly how we protect it.
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Your sessions are protected with secure, HTTP-only cookies, and row-level security ensures only you can access your data.
Headleap uses Google Analytics to understand how people use the app and improve the experience. We have no ad networks, no pixel tags, and we never profile you, build shadow profiles, or sell your data to anyone. Ever.
Export all your data at any time in a standard format. No lock-in, no hoops to jump through. Your data belongs to you.
Row-level security means your journal entries, habits, goals, and reflections are isolated to your account at the database level. Even our admin panel cannot access your personal content.
Your data is stored on Supabase (built on PostgreSQL) with enterprise-grade infrastructure, automatic backups, and data centers in the EU and US. Your account is protected by industry-standard authentication.
You control what notifications you receive. One-click unsubscribe from any email. We will never spam you or share your contact information.
We collect only what is necessary to provide the service: your email address for authentication, your name for personalization, and the content you create (habits, journal entries, goals, etc.). We do not collect device fingerprints, IP-based location data, or browsing behavior.
All data is stored in a PostgreSQL database hosted by Supabase with row-level security (RLS) policies. This means your data is isolated to your account at the database level by access policy: no other user or API call can access your rows. Backups are encrypted and retained for point-in-time recovery.
We use Supabase for database and authentication, Vercel for hosting, and Resend for transactional emails. None of these services have access to your personal content. We do not use Google Analytics, Facebook Pixel, or any advertising-related services.
You can delete your account and all associated data at any time from your settings. Deletion is permanent and irreversible — we do not retain copies of your data after deletion.
If you have questions about how we handle your data, reach out at privacy@headleap.app