Security & Privacy Posture | Levqor

1Data We Collect

Category	Data	Purpose
Account	Email address (required)	Authentication, service delivery
Profile	Name, company (optional)	Personalisation, invoicing
DFY Projects	Requirements, credentials (temporary), communications	Project delivery only
Payment	Transaction metadata only (Stripe handles card data)	Order fulfilment, records
Usage	Pages visited, features used, timestamps, IP (country only)	Platform improvement, debugging
Logs	Hashed identifiers only (no raw PII in logs)	Security monitoring

We do NOT collect: Payment card details (Stripe handles this), biometric data, location beyond country, or social media profiles.

2Retention Rules

Data Type	Retention	After Account Deletion
Account data	While account active	Deleted within 30 days
Workflow configurations	While account active	Deleted within 30 days
DFY project data	12 months after delivery	Auto-deleted after 12 months
Temporary credentials	Project duration only	Deleted immediately on completion
Transaction records	7 years (legal requirement)	Retained for compliance
System logs (hashed)	90 days rolling	Auto-purged at 90 days
Encrypted backups	90 days maximum	Included in deletion cycle

3Access Controls

✓Passwordless authentication: Magic-link only. No password storage means no password theft.
✓Database access: Restricted to application layer. No direct database access from external networks.
✓Internal access: Owner-only operations console. Staff access logged and auditable.
✓Customer data isolation: Each account's data logically separated. Cross-account access not possible via application.
✓API authentication: Token-based with expiration. No persistent credentials in URLs.
✓Secrets management: All API keys and credentials stored encrypted. Never committed to source control.

Your responsibility: Secure your email account with 2FA. Your account security depends on your email security.

4Incident Handling

Detection

Automated monitoring for unusual access patterns, failed authentication spikes, and anomalous API usage. Alert triggers reviewed within 24 hours.

Response

If a security incident is confirmed: (1) Contain the issue, (2) Assess impact, (3) Notify affected users if data exposure occurred, (4) Document root cause and remediation.

Notification Timeline

If your data is affected by a breach, we notify you within 72 hours of confirmation, as required by UK GDPR. Notification includes: what happened, what data was affected, and what you should do.

Post-Incident

Root cause analysis completed within 14 days. Preventive measures implemented. Material incidents reported to ICO where required.

To report a security issue: Contact us immediately via our contact page or email security@levqor.ai. Do not disclose publicly until we've had a chance to investigate.

5Deletion Process

You can request deletion of your data at any time. Here's what happens:

1
Request: Email privacy@levqor.ai or use your account settings. Include your account email.
2
Verification: We confirm your identity via your registered email (to prevent someone else deleting your data).
3
Export (optional): Before deletion, you can request a data export in portable format.
4
Deletion: Account data, workflows, and configurations deleted within 30 days.
5
Confirmation: We email you to confirm deletion is complete.

Exceptions: Transaction records (invoices, payments) retained for 7 years for legal/tax compliance. These do not include workflow data or business details.

6External Integration Safety

When we receive data from external systems (webhooks, APIs), we apply these controls:

✓Input sanitisation: All external inputs validated and sanitised before processing.
✓Fail-closed validation: Invalid signatures or malformed payloads are rejected. We do not attempt to "fix" bad data.
✓Hash-only logging: External payloads are hashed for audit trails. No raw personal data in logs.
✓No raw payload storage: We store event metadata (type, timestamp, hash) not full payloads.
✓Idempotent processing: Duplicate webhook deliveries handled safely without double-processing.
✓Signature verification: Stripe webhooks verified against signing secret before processing.

7Third-Party Services

Service	Purpose	Data Shared
Stripe	Payment processing	Payment details (PCI DSS Level 1)
Resend	Email delivery	Email address, message content
Google Drive	DFY file delivery	Delivery files (client-authorised)
Replit	Backend hosting, database	Application data (encrypted)
Cloudflare	DNS, CDN	Traffic metadata only

All third-party services selected for security posture and compliance. We do not sell data to any third party.

!What We Do NOT Guarantee

✗Specific revenue, sales, or business outcomes
✗Third-party platform behaviour (Google, LinkedIn, etc.)
✗Absolute security (no system is 100% secure)
✗Continuous uptime (maintenance windows occur)

We DO guarantee: Delivery of agreed scope. Response to support requests. Data handling as described on this page.

Questions?

For security concerns: security@levqor.ai
For privacy/data requests: privacy@levqor.ai
For general support: Contact page