Our approach
We aim to protect your data through the design of the Service, not just through policy — building security into how data is stored, who can access it, and how the application behaves. The measures below describe our current practices; security is an ongoing effort and these practices evolve.
Encryption
We encrypt the content of your conversations with a key unique to your account, so it is not readable as ordinary text in our database. Data is encrypted in transit using TLS. When you permanently delete conversation data or your account, we destroy the associated encryption key, so the content can no longer be decrypted (“crypto-shredding”).
Authentication
You sign in with a password or with Google, and you can add a passkey (WebAuthn) as an additional security key on your account — we recommend enabling one. Passwords are stored only as salted hashes, never in plain text. Administrative access to Ask Tone requires a passkey.
Payment security
Payments are processed by Stripe, a PCI-DSS Level 1 certified provider. We do not receive or store your full card details on our own systems.
Access controls
Internal access to systems and data is granted on a least-privilege basis. Administrative tooling is designed to expose only the metadata needed to operate the Service — not the content of your conversations — and administrative actions are logged and audited. Sensitive operations are designed to fail closed, meaning they deny access when something is wrong rather than defaulting to open.
Infrastructure
We run on established cloud providers, including Supabase, Vercel, and Upstash, and rely on their physical and network security controls. We keep our dependencies up to date and apply security updates.
Application security
We apply a range of application-level protections, including input validation, rate limiting to deter abuse, a content security policy, and a sandboxed environment with no network access for code execution features. We follow secure development practices and review changes before release.
Monitoring
We use error monitoring (Sentry) to detect and resolve faults and keep the Service reliable, configured to avoid capturing the content of your conversations.
Data retention and deletion
You can delete your conversations or your account at any time. Deleted data becomes inaccessible immediately and is permanently removed shortly afterwards, after a short recovery window, at which point the encryption key is destroyed. More detail is in our Privacy Policy.
AI providers
To answer your questions, your prompts are sent to third-party AI providers that we do not own or operate. We choose providers with appropriate data practices and configure our use of them to minimise retention and avoid training on your prompts, but their own policies govern what they do with the data we send them. This is explained in detail in our Privacy Policy.
Reporting a vulnerability
We welcome reports from security researchers. If you believe you have found a vulnerability, please email security@asktone.ai with enough detail for us to reproduce it. We ask that you give us a reasonable opportunity to investigate and fix the issue before disclosing it publicly, and that you avoid accessing or modifying other people’s data, or degrading the Service, while testing. We will acknowledge your report and keep you informed as we work on a fix.
No system is perfectly secure
We work hard to protect your data, but no product, service, or method of transmission over the internet is completely secure, and we cannot guarantee absolute security. You also play an important part — use a strong, unique password, add a passkey for an extra layer, and keep your credentials safe.
Changes
We may update this page as our practices change. We will change the “last updated” date above when we do.