Quick Summary
AnchorPlanned is a small, founder-led product. This page explains exactly what data we collect, how we protect it, who processes it, and how you can delete it. We aim to be transparent rather than impressive.
What We Store
- When you connect Google Search Console, we store your page-level and query-level performance metrics (impressions, clicks, CTR, average position) so plans can be regenerated and reloaded.
- We store your account email, encrypted OAuth tokens, plan history, and AI-derived intent classifications for queries you've imported.
- We do NOT store your password (handled by Supabase Auth via Google sign-in).
- We do NOT access your Drive, Gmail, or any Google service beyond Search Console (and Google Sheets only when you explicitly trigger an export).
How It's Protected
- All API calls (Google, OpenAI, Paddle) use HTTPS.
- OAuth tokens (both access and refresh) are encrypted at rest using AES-256-GCM before being written to our database.
- Database is hosted on Supabase (managed PostgreSQL) with row-level security policies enforcing tenant isolation. Your data is scoped to your account; other users cannot access it.
- Authentication codes and tokens are never logged in plaintext.
Permissions We Request
- webmasters.readonly: read-only access to your Search Console data. We cannot modify anything in your GSC.
- openid email profile: basic identity for sign-in.
- drive.file: ONLY requested when you explicitly choose to export a plan to Google Sheets. Limited to files our app creates; never reads your other Drive files.
Sub-Processors
| Provider | Purpose | Data Shared | Link |
|---|---|---|---|
| Supabase | Database + authentication | Account data, GSC metrics | https://supabase.com/security |
| Search Console API, OAuth, optional Sheets export | OAuth tokens (encrypted), Sheets exports on demand | https://safety.google | |
| OpenAI | Intent classification, anchor refinement, AI Visibility | Query text, plan metadata (no training) | https://openai.com/security |
| Vercel | Hosting | All app traffic | https://vercel.com/security |
| Paddle | Billing (merchant of record) | Email, payment details | https://www.paddle.com/legal/security |
| Sentry | Error tracking | Sanitized error reports | https://sentry.io/security |
How To Delete Your Data
You can disconnect Google and delete all associated AnchorPlanned data at any time. Go to Settings -> Disconnect Google & Delete My Data. This will:
- Revoke our access at Google
- Delete your GoogleConnection record
- Atomically purge all your projects, plans, GSC snapshots, and metrics
- Log you out
If you want to delete your account entirely (including profile and subscription history), email security@anchorplanned.com and we'll process within 7 days.
What We're Not
We're a small product. To set expectations:
- We are NOT SOC 2 or ISO 27001 certified.
- We do NOT have a formal SOC 2 / penetration test report.
- We do NOT offer MFA beyond Google sign-in (Supabase handles auth).
- We do NOT have a 24/7 SOC.
If your organization requires any of these for procurement, we may not be the right fit yet. We're transparent about this rather than pretending otherwise.
Reporting Security Issues
Found a vulnerability? Email security@anchorplanned.com. We acknowledge within 48 hours. Please don't publicly disclose until we've had a chance to respond.
Last Updated
Last updated: April 27, 2026. Material changes are noted here and emailed to active users.