Security
Last Updated: June 3, 2026
Your data, your control
The short version: your Kaevo data is encrypted in transit and at rest, isolated per-user at the database engine level, and never sold or used to train AI. You can export everything anytime, and request deletion at any time.
Encryption
- In transit: all connections use TLS 1.2 or higher.
- At rest: AES-256 encryption via Supabase, our database provider.
- Passwords: hashed with industry-standard algorithms, never stored in plaintext.
Isolation
Every row of your data is tagged with your user ID. Kaevo uses Supabase's row-level security (RLS), which enforces isolation at the database engine — not in application code. Database queries are physically incapable of returning another user's data, regardless of application bugs or misconfigurations.
Your data is yours
- Export all your data anytime from Settings → Export.
- Request account deletion at support@kaevo.ai and we permanently delete your data within 30 days.
- We never sell, rent, or share your data with advertisers.
- See our Privacy Policy for the full subprocessor inventory.
Payments
Card data is handled directly by Stripe (PCI DSS Level 1). Your card number, CVV, and full card details never touch Kaevo servers. We can see: your subscription status, your billing email, and the last 4 digits of your card.
AI Assistant
When you chat with Kaevo's AI Assistant, the context relevant to your question is sent to Anthropic to generate a response. Per Anthropic's commercial API terms:
- Your data is not used to train AI models.
- Anthropic retains API logs per their data retention policy.
- Only the context relevant to your query is sent, not your full dataset.
Account access
- Email + password authentication.
- Email verification required to activate your account.
- Two-factor authentication (2FA): coming soon.
Reporting security issues
If you discover a security issue, please email security@kaevo.ai. We acknowledge reports within 48 hours.
What we don't do
- We don't sell your data.
- We don't share data with advertisers.
- We don't train AI on your data.
- We don't browse user data internally. Our policy is to access your data only when you ask us to (for example, to resolve a support request) or where strictly necessary to operate and secure the service.