Trust & Security

How we protect your data

Plain answers about what we collect, where it lives, and how it's protected — no badge-wall, just the actual practices.

Security Measures

Encryption in transit and at rest

All traffic is served over TLS, and data is encrypted at rest on AWS-managed infrastructure (RDS, S3).

Passwordless authentication

Sign-in uses magic links and Google OAuth — RivalHound never stores a password that could be leaked or reused.

Tenant isolation

Every query is scoped to your project. Access checks run on every API call, not just at the edge.

Minimal data collection

We store the brands, queries, and results you monitor plus account basics — no tracking pixels in the product, no data resale, ever.

Managed cloud infrastructure

RivalHound runs entirely on AWS (Amplify, Lambda, RDS, SQS) with automated backups and CloudWatch alarms on every queue and scheduled job.

Payments handled by Stripe

Card details go directly to Stripe and never touch our servers. We store only your subscription status.

Data Protection

What We Collect

  • • Brand names, competitors, and queries you choose to monitor
  • • The AI answers and citations those scans return
  • • Account email and subscription status
  • • Support communications and feedback

Your Rights

  • • Delete your project and its data at any time from Settings
  • • One-click unsubscribe on every email we send
  • • Export or deletion requests honored via support
  • • We follow GDPR principles for data handling and deletion

Security Program

Incident Response

In the event of a security incident affecting your data, we will:

  • Contain and investigate the incident immediately
  • Notify affected customers within 72 hours
  • Provide updates throughout the resolution
  • Publish a post-incident review of what changed

Responsible Disclosure

Found a vulnerability? Email security@rivalhound.com — we read every report, respond quickly, and credit researchers who disclose responsibly.

Security Questions?

Have questions about our security practices or need to report a vulnerability?