Legal

Security

How WizzStudy protects your account, your content, and your data.

Effective May 29, 2026

Where your data lives

All user content (documents, recordings, generated artifacts, flashcards, notes, review history) is stored in Supabase's Canada (Toronto) region. Database, storage, and authentication all run in the same region. We do not replicate user data outside of Canada.

Encryption

  • In transit: all traffic between your device and our servers, and between our servers and our vendors, is encrypted with TLS 1.2 or higher.
  • At rest: Supabase encrypts all storage and database content at rest using AES-256. Audio recordings, documents, and database rows are all encrypted.
  • Backups: daily encrypted backups retained for 7 days, longer-term backups retained for 30 days.

Access controls

  • Row-level security (RLS) policies enforce per-user data isolation on every database table. The default is deny.
  • Service-role keys are used only by Inngest background jobs and admin endpoints. Every service-role action is recorded in an audit log.
  • OAuth (Google, Apple) and email magic links are supported. Password storage uses bcrypt via Supabase Auth.
  • Two-factor authentication is on our roadmap (Q3 2026).

Vendors

We use third-party vendors for AI processing, voice infrastructure, and payments. Each is bound by a data-processing agreement. Content is sent to vendors only to provide the specific service you request, and is not retained for training.

  • Anthropic, text generation (Claude). No-train terms; no retention beyond the API call.
  • Voyage AI, embeddings. No retention.
  • Deepgram, transcription. No retention.
  • ElevenLabs, text-to-speech. No retention.
  • AssemblyAI, diarization. No retention.
  • LiveKit, voice routing (SFU). No content recording without your explicit action.
  • Stripe, payment processing. PCI-DSS Level 1.
  • Resend, transactional email.
  • Sentry, error tracking. No personal data in error payloads.
  • PostHog, anonymized product analytics.

Compliance

  • PIPEDA-compliant (Personal Information Protection and Electronic Documents Act, Canada).
  • Data Subject Rights endpoints for export and deletion are implemented at /api/dsr/export and /api/dsr/delete and exposed in user settings.
  • Audit logging on all sensitive operations.

Reporting a vulnerability

If you find a security issue, please email security@wizzstudy.com before disclosing publicly. We will acknowledge your report within 48 hours and work with you on a coordinated disclosure timeline.

We don't currently run a paid bug bounty, but we credit reporters in the changelog and will gladly send WizzStudy merch (when we make it).

Incident communication

In the event of a security incident affecting personal data, we will notify affected users by email as soon as we have a clear picture, and in any case within 72 hours of becoming aware of the incident, as PIPEDA requires.