Here's exactly what
we can & can't see.
We don't use scary marketing words. Below: how data flows, what's encrypted, what isn't, and the buttons you press to wipe it all.
What's encrypted
Everything in transit
Every byte between your browser/app and our servers is TLS 1.3. Same encryption your bank uses. No exceptions, no fallback.
Everything at rest
Supabase Postgres encrypts the data files on disk with AES-256. Backups too. If someone steals our hard drive, they get noise.
Your mailbox passwords
When you claim you@getguac.app, we generate a random password and store it AES-256-GCM-encrypted with a key only our server knows. Even our database admins can't read it.
Row-Level Security on every table
Even logged into our own database, we can only fetch your row by impersonating your auth token. No 'admin God-mode' over user data.
Auth cookies
HttpOnly, Secure, SameSite=Lax. JavaScript can't read them, third-party sites can't replay them, attackers can't steal them via XSS.
Biometric credentials on mobile
Your fingerprint / Face ID unlocks credentials stored in Android Keystore β a dedicated hardware enclave on your phone. We never see your biometric data.
What we can see
GetGuac is a Guac-AI personal finance assistant. The AI has to read your receipts to score them, parse them, and surface insights. Anyone claiming "true end-to-end encryption" for an AI assistant is lying or shipping a broken product. Here's what our servers can actually read:
- β’ Mail arriving at your @getguac.app inbox β so the in-app Inbox can show it to you and Guac-AI can auto-file +g messages. Opt-out in Profile any time.
- β’ The contents of receipts you upload (image, PDF, or email) β our AI parses store, items, totals.
- β’ Bank statements you upload β same parser, extracts transactions + fees.
- β’ Your sign-in email, name, and any optional profile fields you fill in.
What we never see
Mail from before you signed up
GetGuac Mail only stores mail received after your inbox was provisioned. Old mail history from other providers is never imported, scanned, or copied.
Your password
Stored only as a salted bcrypt hash by Supabase Auth. Even we can't read it back β that's why password resets need a new password.
Other users' data
Row-Level Security blocks every cross-user query at the database layer. Not 'we trust our code' β the DB itself refuses.
Your data on someone else's screen
No data sharing with advertisers, analytics brokers, or third-party marketing. Your guac stays in your bowl.
The kill switches you control
Delete your account + all data
One button on your Profile page. We cascade-delete every receipt, statement, mailbox message, alias claim, and your auth record. Backups roll off in 30 days.
Profile β Delete account βPause inbox processing
A single toggle in Profile β Email settings turns off the poller. We stop reading your inbox until you turn it back on. Your mailbox itself keeps working β you just lose the in-app Inbox + auto-receipt parsing.
Profile β Email settings βExport everything
Download a complete JSON dump of your data. Take it elsewhere or just keep a copy.
Profile β Export data βThings we're working on
Vault feature (planned) β A true end-to-end-encrypted notes section for things AI doesn't need to read (passport numbers, account numbers, recovery codes). Key derived from your password β losing it means losing the data.
Per-field encryption (in progress) β High-sensitivity columns like alternative email and mobile number being moved to AES-GCM encryption so even our DB doesn't see the plaintext.