Security & Privacy

Your Data Never Leaves Our Vault

WaterDuty is built on a zero-compromise security architecture. Your utility credentials and property data are encrypted in transit and at rest—stored exclusively on our servers, never exposed to the client, and never sold to third parties.

How We Protect You

Enterprise-Grade Security for Every Property

Whether you manage 5 properties or 500, your data receives the same level of protection used by financial institutions and healthcare providers.

Encrypted in Transit

All communication between your browser and our servers is secured with TLS 1.3 encryption. No data travels unprotected—ever.

Encrypted at Rest

Your data is stored in Supabase with AES-256 encryption at rest. Even in the unlikely event of a physical breach, your information remains unreadable.

Vault-Protected Credentials

Utility provider credentials are stored in Supabase Vault—an isolated, encrypted secrets manager. They never appear in application logs, client code, or API responses.

Secure Authentication

User authentication is powered by Supabase Auth with support for secure password hashing, session management, and row-level security policies on every database table.

Server-Side Only

Sensitive data is processed and stored exclusively on our servers. Your utility credentials and raw usage data never touch the browser or client-side code.

Privacy First

We never sell, share, or monetize your data. Your property information and water usage records are used solely to power your leak detection alerts.

Under the Hood

How Your Credentials Are Handled

From the moment you connect a utility provider to every scheduled data fetch, your credentials follow a strict security pipeline.

Encrypted Transmission

When you enter your utility provider credentials, they are transmitted over TLS 1.3 directly to our servers. The raw credentials are never stored in your browser, local storage, cookies, or any client-side cache.

Stored in Supabase Vault

Your credentials are immediately encrypted and stored in Supabase Vault—a dedicated secrets management layer separate from the application database. Access is restricted to authenticated server-side processes only.

Server-Side Data Fetching

Our backend services retrieve credentials from the Vault only when needed to fetch your water usage data from utility providers. Credentials are held in memory briefly and never written to logs or temporary files.

Row-Level Security

Every database table enforces row-level security (RLS) policies through Supabase. Users can only access their own properties, meters, and usage data. Even in the event of an application vulnerability, cross-account data access is prevented at the database level.

Our Commitments

What We Promise

We Never Sell Your Data

Your water usage data, property details, and personal information are never shared with, sold to, or accessible by third parties. Period.

Transparent Incident Response

In the unlikely event of a security incident, we commit to notifying affected users promptly and transparently with full disclosure of impact and remediation steps.

Data Deletion on Request

You can request complete deletion of your account, credentials, and all associated data at any time by contacting us at info@waterdutyai.com.

Questions About Our Security Practices?

We take security seriously and are happy to answer any questions about how we protect your data and your properties.