Security

How Hindsight protects your data.

Hindsight reads transactional email, so the security stance is non-negotiable. This document covers what we do, why we do it, and what we will not do. If you see anything missing or unclear, write to [email protected].

OAuth scopes

We request the minimum Google and Microsoft Graph scopes required for the product to work.

  • gmail.readonly, used to list and read messages from the connected Gmail inbox
  • gmail.metadata, used to retrieve message headers and snippets for triage
  • Mail.Read (Microsoft Graph), the equivalent read-only scope for Outlook
  • gmail.send and Mail.Send are opt-in and requested separately, at the moment you approve a negotiation draft. You can revoke them at any time.

We never request the modify, full, or labels scopes. We do not delete, move, or label messages on your behalf.

Encryption at rest

Postgres 16 runs with column-level encryption for the following sensitive fields, using libsodium and per-user keys derived via Argon2id from your password:

  • email_accounts.oauth_tokens_encrypted_jsonb
  • users.mfa_secret_encrypted
  • email_messages.body_html and body_text
  • Attachment bytes in MinIO object storage, server-side AES-256

The DB cluster volume itself uses LUKS full-disk encryption. Snapshots ship to Backblaze B2 with a separate Sodium key held only in our HashiCorp Vault.

Encryption in transit

TLS 1.3 with HSTS preload, HTTP/2, and Certificate Transparency log monitoring. Cipher suites are pinned to the Mozilla Modern profile. Mutual TLS between the web and worker tiers within the VPS network.

Where data lives

Self-hosted on Hostinger VPS in the Mumbai region. Two production VPS instances plus one backup instance, all under the same Indian legal entity. No data leaves India unless you are a US-resident user with a US tax profile, in which case your encrypted backups also ship to a US-region Backblaze bucket for disaster-recovery purposes (you can opt out).

We do not use AWS, GCP, or Azure for primary workloads. We do use the Anthropic API for the LLM-fallback parser (PII-stripped prompts where possible) and Resend for outbound transactional email.

DPDP compliance

Hindsight complies with India's Digital Personal Data Protection Act, 2023.

  • A Grievance Officer is appointed. Reach out at [email protected] or via the form at /grievance.
  • Right to access, correct, and erase. Erasure requests are honored within 30 days for live data and within 90 days for encrypted backups.
  • Consent records stored against every privileged scope grant, with an evidence trail you can inspect from your account.
  • Accounts are not available to anyone under 18, and parental-consent flows are not implemented.

Authentication

NextAuth.js (Auth.js) with Google and Microsoft OAuth as the primary identity providers, plus email magic links as a fallback. MFA is required for all paid users and mandatory for the super-admin account. TOTP via an authenticator app is supported; SMS-based MFA is intentionally not offered because of SIM-swap risk.

Authorization and tenancy

Every row in every tenant-scoped table carries an org_id. Postgres row-level security policies enforce that no query (including internal admin queries) can read across organizations without a deliberate impersonation, which is itself audit-logged.

The super-admin account has elevated privileges across organizations only via the impersonation flow, which writes a row to audit_log for every action taken under impersonation, with the impersonated user notified by email if the session lasts longer than 60 seconds.
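The following Node script is an added example, not Hindsight's code, showing the tenancy pattern the two paragraphs above describe: Postgres row-level security keyed on `org_id`, the application scoping that key to a single transaction, and impersonation writing its `audit_log` row before any data is touched. Assumptions beyond the page: the policies read a transaction-local setting named `app.org_id`, `audit_log` has the columns used in the INSERT, and `RecordingClient` is a constructed stand-in for a node-postgres client that only records SQL so the pattern runs offline.

```javascript
// Added example, not Hindsight's code. Org-scoped RLS plus audited impersonation.
// Assumptions: a transaction-local setting app.org_id, and the audit_log columns
// named below. RecordingClient is a constructed stand-in for pg.Client.

// DDL applied once per tenant-scoped table (email_messages shown).
const RLS_DDL = `
ALTER TABLE email_messages ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy apply to the table owner as well, so the app's own
-- role cannot bypass it simply by owning the table.
ALTER TABLE email_messages FORCE ROW LEVEL SECURITY;
-- NULLIF guards the case where the setting exists but is empty: ''::uuid would
-- raise an error, whereas NULL compares to nothing and hides every row.
CREATE POLICY tenant_isolation ON email_messages
  USING (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid)
  WITH CHECK (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid);
`;

async function applyRls(client) {
  return client.query(RLS_DDL);
}

// Run fn inside one transaction with app.org_id scoped to that transaction.
// set_config(..., is_local = true) behaves like SET LOCAL: the value vanishes at
// COMMIT or ROLLBACK, so a pooled connection never carries a previous request's org.
async function withOrg(client, orgId, fn) {
  await client.query("BEGIN");
  try {
    await client.query("SELECT set_config('app.org_id', $1, true)", [orgId]);
    const result = await fn(client);
    await client.query("COMMIT");
    return result;
  } catch (err) {
    await client.query("ROLLBACK");
    throw err;
  }
}

// Cross-org access for the super-admin goes only through here. The audit row is
// written first, in the same transaction as the action, so either both persist
// or neither does.
async function withImpersonation(client, adminUserId, targetOrgId, reason, fn) {
  return withOrg(client, targetOrgId, async (c) => {
    await c.query(
      "INSERT INTO audit_log (actor_user_id, org_id, action, detail) VALUES ($1, $2, 'impersonate', $3)",
      [adminUserId, targetOrgId, reason],
    );
    return fn(c);
  });
}

// Constructed stand-in for pg.Client: records every statement, returns no rows.
class RecordingClient {
  constructor() {
    this.log = [];
  }
  async query(text, params = []) {
    this.log.push({ text: text.trim(), params });
    return { rows: [] };
  }
  // Leading keyword of each statement, in execution order.
  statements() {
    return this.log.map((e) => e.text.split(/\s+/)[0]);
  }
}
```

The point of `withOrg` is that every tenant-scoped query runs with the org set inside a transaction; a plain `SET` on a pooled connection would leak the previous request's org into the next one, and a query issued outside any `withOrg` call sees no rows at all rather than everyone's rows.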

Network

Nginx sits in front of the Next.js app on port 443. The UFW firewall on each VPS allows only port 22 (SSH, from allowlisted IPs), ports 80/443 (web), and the internal WireGuard mesh. fail2ban is configured for SSH brute-force protection. Admin routes additionally require source-IP allowlisting via Nginx geo and allow directives.

Subprocessors

The complete list of subprocessors that handle data on our behalf:

  • Anthropic, for LLM-based parsing of unstructured transactional email and insight generation
  • Plaid (US), only for Plus-tier users who opt in to bank account connections
  • Setu Account Aggregator (India), same as above
  • Resend, for transactional outbound email (alerts, exports, password resets)
  • Backblaze B2, for encrypted off-site backups
  • Hostinger, for the underlying VPS infrastructure
  • Twilio Business, for WhatsApp due-date reminders (opt-in)

We do not use any data-broker, enrichment, or "transaction insights API" vendor. We do not sell, resell, or share derived data with any third party.

Backups and disaster recovery

A nightly Postgres logical backup (pg_dump) is compressed and rsynced to the backup VPS, plus a weekly snapshot to Backblaze B2 under a separate encryption key. WAL archiving allows point-in-time recovery within the last 7 days. The RTO target is 4 hours and the RPO target is 24 hours; we test restores monthly.

Vulnerability management

Every commit to main triggers a Trivy scan of the resulting Docker image; findings of HIGH severity or above fail the build. Dependabot raises PRs for npm package CVEs daily. We commission an external penetration test once a year, and more often after a major architectural change.

What we will not do

  • Sell, license, or resell your transactional data to any third party
  • Build advertising or marketing products on top of your data
  • Train any model (ours or a vendor's) on your account's emails or transactions
  • Send messages from your connected email accounts without per-action consent
  • Surrender data to a third party except under a valid Indian or US court order, in which case you will be notified within 72 hours unless legally prohibited