BorderBird

Security & privacy

A plain-language summary of how BorderBird stores and handles your data. We're a small SaaS, not Big Tech — but rental and tax data is sensitive and we treat it accordingly.

Where your data lives

  • Postgres on Supabase. Your rent ledger, expense entries, properties, leases, and tenants all live in a Supabase project — fully managed Postgres with encryption at rest by default and TLS in transit.
  • Vercel for the application layer. The authenticated app (app.borderbird.com) and this marketing site (borderbird.com) are deployed on Vercel. Vercel hosts the application runtime your browser talks to; your stored data itself lives in Supabase, not on Vercel.
  • No data warehousing or BI sharing. We do not export your data to a third-party data warehouse, BI tool, or advertising platform.

Email forwarding, not inbox access

  • We never connect to your inbox. There is no inbox integration and no OAuth scope into your mail. Instead, you set up one email filter that forwards only your Interac e-Transfer and utility-bill emails to a private BorderBird address. We receive only the payment and bill emails you choose to forward.
  • You control exactly what reaches us. The forwarding filter targets the specific senders you choose — your Interac e-Transfer notifications and utility providers. Nothing else is ever sent to BorderBird, and we never see, read, or have access to the rest of your mailbox.
  • Stoppable any time. Because it's a forwarding rule you own inside your own email account, you can turn it off whenever you like. Once it's off, no further emails reach BorderBird.
  • No inbox to revoke, nothing to copy. BorderBird holds no access token to your mailbox and pulls nothing from it — we only ever receive the messages your filter forwards to us.

Authentication

  • Email + password or Google sign-in. Authentication runs via Supabase Auth. Passwords are bcrypt-hashed, never stored in plain text.
  • Session tokens via secure cookies. Logged-in sessions are managed via HTTP-only secure cookies; the session token is not exposed to client JavaScript.
  • Account deletion. You can delete your account from Settings → Account at any time. Deletion is a hard delete: we remove your records rather than flagging them as deleted.
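If you want to verify the session-cookie claim above yourself, the only place an HttpOnly cookie is visible is the raw HTTP response (for example the Set-Cookie headers of the login response captured with curl -si). The following is an added example, not BorderBird's code: a small parser and audit function for Set-Cookie headers that reports a missing HttpOnly, Secure, or SameSite attribute. The cookie name sb-session and the two sample headers are constructed for illustration, not captured from the service.

```javascript
// Added example (not BorderBird's code): audit a Set-Cookie header for the
// attributes a session cookie should carry. Cookie name and sample headers
// below are constructed for illustration.

// Parse one Set-Cookie header value into { name, value, attrs }, where attrs
// maps lower-cased attribute names to their values (true for bare flags such
// as HttpOnly and Secure).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Return a list of problems; an empty list means the cookie is not readable
// from client JavaScript (HttpOnly), is only sent over HTTPS (Secure), and
// carries an explicit SameSite value other than None. A Domain attribute is
// reported because it widens the cookie to sibling subdomains; a host-only
// cookie keeps the app session off the marketing site's host.
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  if (attrs.httponly !== true) {
    problems.push(`${name}: missing HttpOnly (readable via document.cookie)`);
  }
  if (attrs.secure !== true) {
    problems.push(`${name}: missing Secure (would be sent over plain HTTP)`);
  }
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (sameSite === null) {
    problems.push(`${name}: missing SameSite (browser default varies)`);
  } else if (sameSite === 'none') {
    problems.push(`${name}: SameSite=None allows cross-site sending`);
  }
  if (typeof attrs.domain === 'string') {
    problems.push(`${name}: Domain=${attrs.domain} shares the cookie with all subdomains`);
  }
  return problems;
}

// Constructed sample headers (not captured from any real login response).
const GOOD_HEADER =
  'sb-session=opaque-token-value; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=3600';
const BAD_HEADER = 'sb-session=opaque-token-value; Path=/; SameSite=None';

// Audit every Set-Cookie header of a response; returns problems keyed by header.
function auditResponseCookies(setCookieHeaders) {
  const report = {};
  for (const h of setCookieHeaders) {
    const problems = auditSessionCookie(h);
    if (problems.length > 0) report[h] = problems;
  }
  return report;
}

console.log(auditResponseCookies([GOOD_HEADER, BAD_HEADER]));
```

Feed the function the Set-Cookie lines from a real login response (one string per header; do not join multiple Set-Cookie headers with commas, since Expires values contain commas). The GOOD_HEADER sample passes with no findings; the BAD_HEADER sample reports the missing HttpOnly and Secure flags and the SameSite=None setting.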

What we don't do

  • No third-party advertising trackers. No Meta Pixel, no Google Ads conversion pixel, no LinkedIn Insight Tag, no TikTok Pixel.
  • No selling or sharing of customer data. Full stop. We don't have a data-selling business model.
  • No invasive analytics. We use Plausible for aggregate site analytics (page views, conversion goals) which is cookieless and does not track individual users across sites.

What we're not (yet)

  • SOC 2 Type II. We don't hold a SOC 2 attestation today. SOC 2 makes sense as a milestone above ~$1M ARR; we'll revisit it as we grow.
  • Penetration testing on a fixed cadence. Ad-hoc reviews only at this stage.
  • Bug bounty program. We don't run one yet. If you find a security issue, please email security@borderbird.com with details; we respond to all reports within 5 business days.

Questions

For security-specific questions, email security@borderbird.com. For product questions or general inquiries, hello@borderbird.com.