Security

Last updated: April 10, 2026

Our Commitment to Security

Security is a core part of how FunnelCheck is built. We follow industry best practices to protect your account, your data, and your Google Analytics credentials at every layer of our infrastructure.

Data Encryption

All data transmitted between your browser and FunnelCheck is encrypted in transit using TLS 1.2 or higher. Data stored in our database (including OAuth tokens and user credentials) is encrypted at rest with AES-256 via Supabase's managed infrastructure.

Google OAuth & GA4 Access

FunnelCheck connects to your Google Analytics 4 property using Google's official OAuth 2.0 protocol. We request the minimum required scope: read-only access to your Analytics data. We never request write permissions and cannot modify your GA4 account in any way.

Your OAuth access tokens are stored encrypted and are only used to fetch funnel data on your behalf. You can revoke FunnelCheck's access at any time from your Google Account permissions page or from the Settings page within FunnelCheck.

Authentication

User authentication is handled by Supabase Auth, which supports secure email/password login and Google OAuth sign-in. Passwords are hashed using bcrypt and are never stored in plain text. Sessions use short-lived JWTs that are refreshed automatically.

Infrastructure Security

FunnelCheck is hosted on Vercel's edge infrastructure and uses Supabase for database and authentication services. Both providers maintain SOC 2 Type II compliance and undergo regular third-party security audits. Our database is isolated with row-level security (RLS) policies that ensure users can access only their own data.

Row-Level Security

Every table in our database enforces Row-Level Security (RLS) at the database level. This means that even if an application-level bug occurred, the database itself would prevent any user from reading or modifying another user's data.

AI Data Handling

FunnelCheck uses Claude (Anthropic) to generate funnel insights. Data sent to Claude is limited to aggregated, anonymized funnel metrics — no personally identifiable information (PII) is included. Anthropic does not use API-submitted data for model training.

Responsible Disclosure

If you discover a security vulnerability in FunnelCheck, please report it responsibly by emailing us at hello@funnelcheck.ai with the subject line "Security Disclosure". We take all reports seriously and will respond within 48 hours. We ask that you do not publicly disclose the issue until we have had a chance to address it.

Contact

For security-related questions or concerns, contact us at hello@funnelcheck.ai.