Information Security
How Fellwork protects your data, your account, and your study history.
Last updated: February 2026
We honor Do Not Track by default
Fellwork does not use behavioral tracking, user profiling, or advertising systems — for any user. Your Do Not Track browser setting is respected automatically because there is nothing to opt out of. Vercel Analytics, our only analytics tool, is cookieless and collects only aggregated, anonymous page metrics.
What we collect and why
We collect only what's necessary to provide the service. Here's exactly what that is:
Account data
Email address, display name, and avatar (if you sign in with Google). Used to authenticate you and personalize your experience.
Study data
Your bookmarks, notes, highlights, flashcard progress, and reading plan progress. This is the core of the service: it is stored encrypted at rest and never shared with third parties.
Billing data
Subscription tier and expiry date. Payment processing is handled entirely by Stripe — we never see or store your card number, CVV, or full billing address.
Aggregated analytics
Vercel Analytics collects anonymous, aggregated page view and performance data at the network edge. No cookies, no user IDs, no cross-site tracking. We cannot identify individual visitors from this data.
What we do not collect
- No behavioral tracking or user profiling
- No advertising or third-party tracking pixels
- No sale or sharing of your data with third parties for marketing
- No fingerprinting or device identification
- No persistent tracking cookies of any kind
How we protect your data
Encryption in transit and at rest
All connections use TLS (HTTPS). Your data is encrypted at rest in our database, which is hosted on Supabase (SOC 2 Type II certified).
Row-level security
Every database query is scoped to your account by Postgres row-level security policies enforced inside the database itself, not only in the application layer. Another user's queries structurally cannot return your data.
No raw card data
Payments are processed by Stripe (PCI DSS Level 1). Card numbers, CVVs and full billing addresses go directly to Stripe; our servers never receive or store them.
Minimal server cookies
The only cookie we set is a short-lived, HttpOnly security token used during Planning Center OAuth. It is deleted within 10 minutes. No tracking cookies exist.
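To make concrete what a short-lived, HttpOnly security token looks like in practice, here is an added example (not Fellwork's code) of the two halves of such a cookie's life: minting it when the OAuth flow starts, then checking and clearing it on the callback. It assumes the token is the OAuth state value that binds the callback to the browser that began the flow; the cookie name, callback path and provider URL are placeholders.

```javascript
// Added example: a short-lived HttpOnly cookie carrying an OAuth state token.
// Not Fellwork's code. That the token is the OAuth "state" (CSRF binding of the
// callback to the browser that started the flow) is an assumption; the cookie
// name, callback path and provider URL are placeholders for the demo.
import { randomBytes, timingSafeEqual } from 'node:crypto';

const COOKIE_NAME = 'oauth_state';              // assumed name
const CALLBACK_PATH = '/api/auth/pco/callback'; // assumed path
const MAX_AGE_SECONDS = 600;                    // the "deleted within 10 minutes" bound

// Step 1 (start of the flow): mint an unguessable state and a cookie that only the
// server can read (HttpOnly), travels only over TLS (Secure), is sent only to the
// callback path, and lives ten minutes. SameSite=Lax, not Strict: the provider
// returns the user with a top-level cross-site navigation, and Strict cookies are
// withheld on that request, which would make every callback fail.
function beginOAuth(authorizeUrl) {
  const state = randomBytes(32).toString('base64url');
  const setCookie =
    `${COOKIE_NAME}=${state}; Path=${CALLBACK_PATH}; Max-Age=${MAX_AGE_SECONDS}; HttpOnly; Secure; SameSite=Lax`;
  const redirectTo = `${authorizeUrl}?response_type=code&state=${encodeURIComponent(state)}`;
  return { state, setCookie, redirectTo };
}

// Minimal Cookie header parser: "a=1; b=2" -> Map { a => 1, b => 2 }.
function parseCookieHeader(cookieHeader) {
  const out = new Map();
  for (const pair of (cookieHeader || '').split(';')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    out.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
  }
  return out;
}

// Constant-time string comparison; a length mismatch is an immediate reject.
function equalStrings(a, b) {
  const ab = Buffer.from(a, 'utf8');
  const bb = Buffer.from(b, 'utf8');
  return ab.length === bb.length && ab.length > 0 && timingSafeEqual(ab, bb);
}

// Step 2 (callback): the state in the query string must match the cookie from
// step 1. Whatever the outcome, the cookie is cleared (Max-Age=0) so the token
// is single-use even if the browser is still inside the ten-minute window.
function completeOAuth(cookieHeader, queryState) {
  const clearCookie =
    `${COOKIE_NAME}=; Path=${CALLBACK_PATH}; Max-Age=0; HttpOnly; Secure; SameSite=Lax`;
  const expected = parseCookieHeader(cookieHeader).get(COOKIE_NAME);
  if (!expected) {
    return { ok: false, reason: 'no state cookie (expired, or flow not started here)', clearCookie };
  }
  if (typeof queryState !== 'string' || !equalStrings(expected, queryState)) {
    return { ok: false, reason: 'state mismatch', clearCookie };
  }
  return { ok: true, reason: 'state verified', clearCookie };
}

// Constructed round trip (placeholder provider URL, not a real endpoint).
const started = beginOAuth('https://provider.example/oauth/authorize');
const browserCookie = `${COOKIE_NAME}=${started.state}`; // what the browser sends back

const demoResults = {
  genuine: completeOAuth(browserCookie, started.state),
  forged: completeOAuth(browserCookie, 'attacker-chosen-state'),
  expired: completeOAuth('', started.state), // cookie gone after Max-Age: callback refused
};

console.log(started.setCookie);
console.log(demoResults);
```

Three details carry the security weight here: the Path attribute keeps the token off every other request, SameSite=Lax (rather than Strict) is what lets the provider's redirect actually deliver the cookie, and the explicit Max-Age=0 on the callback means the token dies on first use rather than at the end of its ten minutes.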
Webhook signature verification
Every incoming webhook event from Stripe or an integration partner is verified with an HMAC-SHA256 signature before it is processed. Events whose signature is missing or does not match are rejected.
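As an added example (not Fellwork's own code), the following implements the check described above for a Stripe-style signature header of the form t=<unix seconds>,v1=<hex HMAC>, where the signed payload is the timestamp, a dot, and the raw request body. The secret and event body are constructed for the demo; the 300-second replay tolerance is the default Stripe's SDKs use.

```javascript
// Added example: verifying a Stripe-style "t=<unix>,v1=<hex>" webhook signature.
// Not Fellwork's code. The header layout follows Stripe's documented scheme;
// the secret and payload below are constructed test values, not real ones.
import { createHmac, timingSafeEqual } from 'node:crypto';

const TOLERANCE_SECONDS = 300; // reject events whose timestamp is more than 5 minutes off (replay window)

// Sender side: what the provider does when it signs an event.
function signPayload(secret, rawBody, timestamp) {
  const mac = createHmac('sha256', secret).update(`${timestamp}.${rawBody}`).digest('hex');
  return `t=${timestamp},v1=${mac}`;
}

// Parse "t=...,v1=...,v1=..." into { t, v1: [...] }; unknown keys are ignored.
function parseSignatureHeader(header) {
  const parts = { t: null, v1: [] };
  for (const item of header.split(',')) {
    const eq = item.indexOf('=');
    if (eq < 0) continue;
    const key = item.slice(0, eq).trim();
    const value = item.slice(eq + 1).trim();
    if (key === 't') parts.t = Number(value);
    else if (key === 'v1') parts.v1.push(value);
  }
  return parts;
}

// Constant-time comparison of two hex digests; a length mismatch is an immediate reject.
function digestsEqual(aHex, bHex) {
  const a = Buffer.from(aHex, 'hex');
  const b = Buffer.from(bHex, 'hex');
  return a.length === b.length && a.length > 0 && timingSafeEqual(a, b);
}

// Receiver side. rawBody must be the exact bytes received, not a re-serialised object.
// nowSeconds is passed in so the check is deterministic and testable.
function verifyWebhook(secret, rawBody, header, nowSeconds, tolerance = TOLERANCE_SECONDS) {
  const { t, v1 } = parseSignatureHeader(header || '');
  if (!Number.isInteger(t) || v1.length === 0) return { ok: false, reason: 'malformed header' };
  if (Math.abs(nowSeconds - t) > tolerance) return { ok: false, reason: 'timestamp outside tolerance' };
  const expected = createHmac('sha256', secret).update(`${t}.${rawBody}`).digest('hex');
  // A provider may send several v1 values while rotating its secret; any one match suffices.
  if (!v1.some((sig) => digestsEqual(sig, expected))) return { ok: false, reason: 'signature mismatch' };
  return { ok: true, reason: 'verified' };
}

// Constructed demo values (not a real secret or event).
const SECRET = 'whsec_constructed_example_secret';
const BODY = '{"id":"evt_demo_1","type":"checkout.session.completed","data":{"object":{"id":"cs_demo"}}}';
const NOW = 1_700_000_000;
const header = signPayload(SECRET, BODY, NOW);

const webhookDemo = {
  valid: verifyWebhook(SECRET, BODY, header, NOW + 5),
  tampered: verifyWebhook(SECRET, BODY.replace('cs_demo', 'cs_evil'), header, NOW + 5),
  stale: verifyWebhook(SECRET, BODY, header, NOW + 3600),
  wrongSecret: verifyWebhook('whsec_other', BODY, header, NOW + 5),
  noSignature: verifyWebhook(SECRET, BODY, 't=abc', NOW),
};

console.log(webhookDemo);
```

Two deployment details matter: the MAC must be computed over the exact bytes received (parsing the JSON and re-serialising it changes whitespace and key order, so the digest will never match), and the raw body has to be read before any framework middleware consumes it.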
Admin audit logging
All administrative actions on user accounts are recorded in an immutable audit log with timestamps and actor IDs.
Infrastructure & providers
We rely on a small set of well-established providers, each with its own security certification or data-handling guarantee:
| Provider | Role | Certification / note |
|---|---|---|
| Supabase | Database & authentication | SOC 2 Type II |
| Vercel | Hosting & edge network | SOC 2 Type II |
| Stripe | Payment processing | PCI DSS Level 1 |
| Meilisearch | Bible text search | No PII stored |
| Resend | Transactional email | SOC 2 Type II |
Your rights & controls
Access: You can view all your study data within the app at any time.
Correction: Update your profile, preferences, and language settings from the Settings page.
Deletion: You can delete your account at any time from Settings → Account. This permanently removes your profile and all associated study data.
Data portability: Contact us at hello@fellwork.com to request an export of your data.
Do Not Track: Honored by default — there is nothing to opt out of. We do not track users.
Reporting a security issue
If you discover a security vulnerability in Fellwork, please disclose it responsibly. Do not post it publicly until we've had a chance to investigate and remediate.
Contact us at: security@fellwork.com
We aim to acknowledge reports within 48 hours and to provide a remediation timeline within 5 business days. We appreciate responsible disclosure and will credit researchers who report valid issues, if they wish.
Looking for the full technical policy?
The complete Information Security Policy covers our risk register, incident response procedures, and technical controls in detail.
View Security Policy