LEGAL

Data Handling.

The granular technical breakdown of how Acren stores, accesses, encrypts, and retains your data. For the high-level legal framework, see Privacy Policy. For the operational picture, see Security.

Effective: May 15, 2026 | Version: 1.0 | Reachable: security@acren.ai

May 15, 2026 | v1.0 | Initial Data Handling document at beta launch.

1. Data classes and handling

The matrix below captures every class of data we touch and how we protect it. The companion retention matrix, with active retention, post-deletion handling, and backup window per class, is published on the Security page.

Source documents — offering memoranda, T-12 income statements, rent rolls, sponsor PFS. Encrypted at rest in Supabase Storage with AES-256. Accessed only via signed URLs that expire after the session. Path-based isolation per tenant via row-level security policies.

Extracted figures and motivation scores — stored in Postgres with row-level security enforcing owner-only access plus founder admin read access. Credit-provider access requires explicit per-deal authorization through the financing-request flow.

Public-record signal data — assessor parcels, probate dockets, divorce filings, debt-maturity schedules. Stored as normalized records joined against asset registry. Tenant-isolated by territory.

Account data — email, name, firm, territory. Visible to the user and to the founder admin role. No third-party sharing.

Authentication tokens — managed by Supabase Auth. Refresh tokens rotate automatically. Access tokens expire after one hour.

Anthropic processing — source documents transmitted over TLS 1.3 to Anthropic for parsing. Per Anthropic's enterprise data policy, customer data is not used for model training and is retained only briefly for the duration of the request.

Email content — transactional emails sent through Resend over TLS. Email logs retained for thirty days for deliverability debugging.

Analytics events — page views, button clicks, parse start / finish events sent to PostHog Cloud (US). No source-document content or extracted financials are ever sent to PostHog.

Error logs — Sentry captures error stack traces with PII scrubbing on all event payloads.

2. Deletion process

Account or deal deletion triggers a thirty-day soft-delete window. During that window, data is hidden from the application but retained in storage, and it is recoverable on request to privacy@acren.ai. After thirty days, all source documents are permanently deleted from Supabase Storage, all database rows are hard-deleted, and Sentry / PostHog event records are anonymized. Backups roll off within fourteen days of soft-delete completion.

3. Lender access revocation

Once a deal is submitted to a specific credit provider, that provider retains read-only access until you revoke it from the deal page. Revocation immediately removes the provider's row-level security policy match, ending all access — including any open browser sessions on next page refresh.

4. Subprocessors

The current subprocessor registry — vendor, purpose, data class, region, and DPA version — is published on the Security page. We notify by email at least fourteen days before adding, removing, or materially changing a subprocessor.

5. Breach response

If we identify a security breach affecting your data, we will notify the affected accounts within seventy-two hours of confirmation, in accordance with the breach-notification standard from GDPR Article 33. Notification includes: scope of data affected, time window, mitigation steps taken, and the contact point for follow-up. Public disclosure follows the same window where applicable law requires it.

6. Contact

Operational data questions: security@acren.ai. Legal data requests: privacy@acren.ai. Vulnerability disclosures: security@acren.ai + PGP key at acren.ai/.well-known/security.txt.