Information Security Program
Pocai data security and compliance overview. Updated 2026.
This document outlines the administrative, technical, and physical safeguards implemented to protect personal data processed by Pocai. It serves as the written information security program required under the COPPA Rule (16 CFR Part 312) as amended in 2025/2026. For privacy-specific details, see the Privacy Policy.
Information Security Program
This document describes the written information security program maintained by Pocai to protect personal data, including children's personal information as required by the Children's Online Privacy Protection Act (COPPA) and its 2025/2026 amendments. This program is reviewed annually and updated as needed.
Data Classification
All personal data is classified as sensitive and protected accordingly. This includes email addresses, full names, dates of birth, parent/guardian email addresses, IP addresses, device identifiers, and user-submitted content. Non-personal data (aggregated metrics, model configurations) is classified as internal.
Access Controls
Database access is restricted to the service role key used by server-side API routes. No direct database access is granted to client-side code. Row-level security policies enforce per-user data isolation — authenticated users can only access their own data. Admin accounts are limited to the developer. API keys are hashed before storage.
Encryption
All data in transit is encrypted using TLS 1.3 over HTTPS connections. Data at rest is encrypted by Supabase's infrastructure using AES-256. Authentication sessions are managed via Supabase Auth using JWTs. Passwords are hashed using bcrypt before storage.
Monitoring & Incident Response
Security incidents are investigated by the developer. Affected users and relevant authorities are notified within 72 hours of confirmation. The designated security program coordinator can be reached at trypocai@proton.me. Login attempt logging is maintained for abuse detection.
Written Data Retention Policy
Retention periods are documented in the Privacy Policy (Section 11) and published at /privacy#retention. Data is deleted or anonymized when retention periods expire. Indefinite retention is prohibited. Account deletion includes a 30-day grace period during which the user can cancel the deletion.
Annual Risk Assessment
Risk assessments are conducted annually to identify and mitigate potential security risks. These assessments cover data collection practices, third-party dependencies, access controls, and incident response procedures. Safeguards are tested and updated based on assessment findings.
Third-Party Vendor Management
All third-party services (Supabase, Cloudflare, hCaptcha) are evaluated for security and privacy practices. Data processing agreements are maintained where applicable. Vendor privacy policies are linked from the Privacy Policy. No third party has direct access to user data beyond what is strictly necessary to provide their service.
Contact
Security Program Coordinator
For security inquiries, vulnerability disclosures, or compliance questions: trypocai@proton.me