Security & privacy
A plain-language summary of how BorderBird stores and handles your data. We're a small SaaS, not Big Tech — but rental and tax data is sensitive and we treat it accordingly.
Where your data lives
- Postgres on Supabase. Your rent ledger, expense entries, properties, leases, and tenants all live in a Supabase project — fully managed Postgres with encryption at rest by default and TLS in transit.
- Vercel for the application layer. The authenticated app (app.borderbird.com) and this marketing site (borderbird.com) are deployed on Vercel. Vercel does not have access to your stored Postgres data — only the runtime your browser talks to.
- No data warehousing or BI sharing. We do not export your data to a third-party data warehouse, BI tool, or advertising platform.
Gmail integration scope
- Read-only OAuth. When you connect Gmail for rent import or utility bill capture, BorderBird requests Google's gmail.readonly scope. We can read your messages; we cannot send, modify, or delete them.
- Filter-first scanning. The scanner filters by sender domain and subject patterns before reading message bodies — we don't read every email, only ones that match a known rent or utility provider pattern.
- Revocable any time. You can revoke the OAuth grant from your Google Account settings or from BorderBird's Settings → Integrations page. Revocation is immediate.
- No outbound email forwarding. BorderBird never forwards or copies your emails outside your account.
Authentication
- Email + password or Google sign-in. Authentication runs via Supabase Auth. Passwords are bcrypt-hashed, never stored in plain text.
- Session tokens via secure cookies. Logged-in sessions are managed via HTTP-only secure cookies; the session token is not exposed to client JavaScript.
- Account deletion. You can delete your account from Settings → Account at any time. Deletion is hard — we actually remove your records, not just flag them.
What we don't do
- No third-party advertising trackers. No Meta Pixel, no Google Ads conversion pixel, no LinkedIn Insight Tag, no TikTok Pixel.
- No selling or sharing of customer data. Full stop. We don't have a data-selling business model.
- No invasive analytics. We use Plausible for aggregate site analytics (page views, conversion goals) which is cookieless and does not track individual users across sites.
What we're not (yet)
- SOC 2 Type II. We don't hold a SOC 2 attestation today. SOC 2 makes sense as a milestone above ~$1M ARR; we'll revisit it as we grow.
- Penetration testing on a fixed cadence. Ad-hoc reviews only at this stage.
- Bug bounty program. If you find a security issue, please email security@borderbird.com with details. We respond to all reports within 5 business days.
Questions
For security-specific questions, email security@borderbird.com. For product questions or general inquiries, hello@borderbird.com.