Enterprise-grade security,
built in.

• —

  Each workspace's data is fully isolated at the database level. No cross-workspace data access is possible.

• —

  Research reports, tool scores, team notes, and spend data are private to your workspace unless you explicitly create a share link or publish a report.

• —

  Shared report links use opaque tokens — they do not expose workspace IDs, user IDs, or any other internal identifiers.

• —

  When you delete a tool or workspace, all associated data is permanently removed from the database.

• —

  Authentication is managed by Clerk — a SOC 2 Type II certified identity provider. Trackr never stores your password.

• —

  All API routes authenticate via Clerk session tokens. No request can access workspace data without a valid authenticated session.

• —

  Workspace members are role-scoped: Admin and Member. Role checks are enforced server-side on every mutating action, not just in the UI.

• —

  Invitation acceptance enforces plan member limits at the database level. Overage is not possible via race condition.

• —

  Webhook events (Stripe, Clerk) are validated against HMAC signatures before any processing occurs.

• —

  All data is encrypted in transit via TLS 1.3. All storage is encrypted at rest using AES-256 (Neon PostgreSQL).

• —

  Database hosted on Neon (SOC 2 Type II, ISO 27001). Application hosted on Vercel (SOC 2 Type II). No self-managed infrastructure.

• —

  SSRF protection: outbound research requests block private IP ranges (10.x, 192.168.x, 172.16-31.x, 127.x) and .internal/.local hostnames.

• —

  Rate limiting is applied to all authenticated and public endpoints. The in-memory rate limiter is hard-capped at 50,000 entries to prevent state exhaustion.

• —

  All production errors are logged. No silent failures in catch blocks — all API routes surface errors to the logging pipeline.

• —

  All user-supplied content is escaped before rendering. The markdown-to-HTML renderer escapes raw HTML before applying inline formatting.

• —

  Link URLs in rendered content are validated to block javascript: and data: protocol injection.

• —

  Workspace names and tool names are HTML-escaped before embedding in transactional email templates.

• —

  Slug parameters in all public routes are allowlisted to [a-z0-9-]+ to prevent path traversal.

• —

  All ID parameters are validated as proper UUIDs before database queries execute.

• —

  Stripe webhook events use atomic INSERT...ON CONFLICT DO NOTHING to prevent duplicate processing on retry.

• —

  We store: workspace metadata, tool research reports and scores, team notes, SaaS spend records you enter, team member email addresses, and Stripe billing references.

• —

  We do not store: your browsing history, personal web activity, device identifiers, or any data from the Chrome extension beyond the tool URL you submit for research.

• —

  The Chrome extension only activates when you click the icon. It does not run in the background, does not read page content, and only transmits the current tab URL when you explicitly trigger a research request.

• —

  Research pipeline inputs (vendor website content scraped by Firecrawl and Tavily) are used to generate your report and are not retained beyond the research run.

• —

  If you discover a security vulnerability in Trackr, please report it to security@trytrackr.com.

• —

  Include a description of the issue, steps to reproduce, and any relevant screenshots or proof-of-concept code.

• —

  We will acknowledge receipt within 2 business days and provide a fix timeline within 5 business days for critical issues.

• —

  We do not take legal action against researchers who report vulnerabilities in good faith under this policy.

• —

  We do not currently offer a paid bug bounty program, but we will publicly acknowledge reporters with their permission.

Do you sell our data?

No. Trackr does not sell, rent, or share your data with third parties for advertising or marketing purposes. Your tool research, stack data, and team notes are yours. We use your data only to operate and improve Trackr.

Where is my data stored?

All workspace data is stored in Neon PostgreSQL — a SOC 2 Type II and ISO 27001 certified database provider running on AWS us-east-1. The application runs on Vercel, which is also SOC 2 Type II certified.

Can I delete my data?

Yes. Delete individual tools, notes, and spend records from the dashboard at any time. To delete your account and all workspace data permanently, email support@trytrackr.com. Deletion is completed within 30 days and is irreversible.

Do you support SSO?

Google and GitHub OAuth are available on all plans. Enterprise SAML SSO for Okta, Azure AD, and similar providers is available on the Enterprise plan. MFA is supported and can be enforced workspace-wide.