
// SECURITY

How we protect your data

UnicornBurn handles sensitive investment data. Here is how we approach security.

01

Data you enter stays private

Company profiles you assess are never used to train models, never shared with other accounts, and never appear in aggregate results. Each workspace is isolated via row-level security enforced at the database layer.

02

Infrastructure

Hosted on Vercel (edge network, automatic TLS) and Supabase (Postgres on AWS, SOC 2 Type II). All data in transit is encrypted via TLS 1.3. Data at rest is AES-256 encrypted by the cloud provider.

03

Authentication

Sessions use short-lived JWTs stored in HttpOnly cookies (not localStorage). Passwords are hashed with bcrypt. The platform enforces role-based access control — team members only see what their role permits.

04

Security programme

We run a quarterly security audit covering API surface, database policies, rate limiting, SSRF, injection vectors, and dependency CVEs. The June 2026 audit introduced automated regression tests for security properties — atomic session controls, webhook delivery hardening, and PII scrubbing — that run before every production deployment. API keys are stored as hashed values only; we can never recover a key after issuance.

08

Supply chain & dependency monitoring

Every production deployment is gated by an automated dependency audit that fails the pipeline on any high or critical CVE. We replaced the xlsx library with exceljs after CVE-2023-30533 and apply the same scrutiny to new additions. Moderate-severity issues are tracked and resolved in the next patch cycle.

05

GDPR

UnicornBurn processes personal data under GDPR. You can request data export or deletion at any time from your account settings. We do not sell personal data to third parties.

06

Responsible disclosure

Found a vulnerability? Email hello@unicornburn.com. We aim to acknowledge reports within 48 hours and resolve critical issues within 7 days. We do not pursue legal action against good-faith researchers.

07

EU AI Act (applicable from August 2026)

UnicornBurn is a decision-support tool for professional investors. It does not fall under the high-risk AI system categories defined in Annex III of the EU AI Act (Regulation 2024/1689) — it does not evaluate individual creditworthiness, access to public services, or employment eligibility. Investment decisions remain entirely with the investor at all times. Verified autopsies in the database carry that status only after manual editorial review by a human — no case is marked verified by an automated process alone. AI-generated outputs (IC memos, LP narratives, due-diligence questions) are analytical starting points; the investor is responsible for reviewing and validating them before any professional use.

Security questions or vulnerability reports: hello@unicornburn.com

© 2026 UnicornBurn