We take security seriously. This page answers common questions. We describe what we actually do today — we do not claim certifications or controls we have not implemented. For privacy details, see our Privacy Policy.
Do you have SOC 2 or ISO 27001 certification?
paraboll.online is operated as an independent product. We do not currently publish a SOC 2 Type 2 or ISO 27001 certificate for paraboll.online itself. Our infrastructure providers (such as Supabase and Stripe) maintain their own security programs and compliance documentation; contact us if you need help locating provider documentation for a vendor review.
Where is data stored?
Retrospective data (rooms, participants, cards, votes, comments, action items) is stored in a Supabase-hosted PostgreSQL database in eu-west-1 (European Union — Supabase). Browser localStorage may also hold your participant identifier on your device so you can rejoin the same room.
Marketing pages are served from our web hosting platform. Server logs may be retained by hosting and database providers for operations and security.
What data does the Service store?
- Participant display names and room membership
- Meeting content: cards, groups, votes, comments, reactions, action items
- Room settings: template, phase, facilitator controls, timers
- Support tickets you submit from within a room (when enabled)
- Limited payment confirmation metadata from Stripe for voluntary contributions (not full card numbers)
More detail is in our Privacy Policy.
Do you use AI on customer data?
paraboll.online does not currently send retrospective content to third-party AI providers for inference or training. If we add AI-assisted features in the future, we will update this page and our Privacy Policy before enabling them.
Is the Service GDPR-aligned?
We design our privacy practices with GDPR principles in mind (lawful basis, purpose limitation, data minimization, and user rights). Whether GDPR applies to your use depends on your location and how you use the Service. European users may contact us to exercise rights described in the Privacy Policy.
How is data encrypted?
- Data in transit between your browser and our services is protected with HTTPS (TLS).
- Database and backups are hosted with Supabase, which provides encryption at rest as part of its platform.
- Payment card data for voluntary contributions is handled by Stripe using industry-standard security practices.
How do you handle access control?
Rooms are typically accessed via a unique URL or slug. Anyone who has the link can join the room unless additional access controls are introduced. Facilitators should treat room links like shared credentials: share them only with intended participants. We recommend not posting retro links in public channels if the content is sensitive.
How do you develop securely?
We follow common secure development practices: dependency updates, code review for sensitive changes, least privilege for production access, and use of established frameworks (Next.js, Supabase client libraries). We evaluate security impact when changing authentication, data access, or payment flows.
How can I report a security issue?
If you believe you have found a vulnerability, please email lolatalbon@gmail.com with a clear description and steps to reproduce. Please do not publicly disclose issues before we have had a reasonable opportunity to investigate.
Further questions
Contact lolatalbon@gmail.com. See also: Terms of Service, Privacy Policy.
Last updated: May 28, 2026
