How PicoRank protects your account and data
Last updated: July 2026
Written in plain English on purpose. If anything here is unclear, ask us via the contact page and we'll clarify — and if we change these documents, the date above changes with them.
PicoRank stores rankings and site-audit data — not state secrets — but we treat your account and your data with the same care either way. This page describes, concretely, how.
Transport & infrastructure
- All traffic to PicoRank — this site, the app, and our APIs — is encrypted with TLS (HTTPS). Plain HTTP redirects to HTTPS.
- The service runs on established cloud providers: application hosting on Render, database and authentication on Supabase (PostgreSQL), email delivery via Resend, payments via Stripe.
Account security
- Authentication is handled by Supabase Auth using the modern PKCE OAuth flow; passwords are stored hashed by the auth provider — we never see or store them in plain text.
- Google sign-in is available if you prefer not to have a password at all.
- Password-reset and verification emails come from mail.picorank.com, authenticated with SPF and DKIM.
Data isolation
- Every customer's data is tenant-scoped and protected by database row-level security — isolation is enforced by the database itself, not just by application code, and we run automated tests that prove one tenant cannot read another's rows.
- Administrative access to production data is limited, logged, and audited.
Third-party access
- Google Search Console and GA4 integrations are read-only and optional. OAuth tokens are stored server-side only, encrypted, and are deleted when you disconnect.
- Payments are processed by Stripe; card numbers never touch PicoRank's servers.
Your controls
- Export your ranking data as CSV anytime.
- Disconnect integrations from the app, or revoke them from your Google account directly.
- Request account deletion via the contact page — see the privacy policy for retention details.
Reporting a vulnerability
Found something? Please email security@picorank.com with details and steps to reproduce. We read these promptly, we won't take legal action against good-faith research, and we'll credit you if you'd like (we don't run a paid bounty program).