Security & data practices
Tuck is built by a small team in the Netherlands. Here’s how we protect your reading library, and how to tell us if we missed something.
Where your data lives
Your library is in a Postgres database hosted by Supabase in the EU (Frankfurt). Row-Level Security policies are enabled on every table; your articles, highlights, and notes are unreachable from any account but yours, including by us. Backups every 6 hours, retained for 30 days, also EU-hosted.
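What per-table Row-Level Security of the kind described above looks like in Postgres on Supabase. This is an added illustration written for this page, not Tuck's own schema or policies; the `articles` table, its `user_id` column and the policy names are assumptions.

```sql
-- Constructed example table: one row per saved article, owned by the user who saved it.
-- Assumption: a user_id column referencing auth.users(id), as in a typical Supabase project.
create table if not exists articles (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null references auth.users (id) on delete cascade,
  url        text not null,
  title      text,
  created_at timestamptz not null default now()
);

-- Without this line the policies below are never consulted and any role with
-- table privileges can read every row. Enabling RLS is the actual control.
alter table articles enable row level security;
-- Apply the policies to the table owner as well, not only to other roles.
alter table articles force row level security;

-- Read: a user sees only rows they own. auth.uid() is Supabase's helper that
-- returns the user id from the verified JWT of the current request.
create policy "articles: owner can read"
  on articles for select
  to authenticated
  using (auth.uid() = user_id);

-- Insert: a user cannot create a row owned by someone else.
create policy "articles: owner can insert"
  on articles for insert
  to authenticated
  with check (auth.uid() = user_id);

-- Update: must own the row already, and cannot reassign it to another user.
create policy "articles: owner can update"
  on articles for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- Delete: owner only.
create policy "articles: owner can delete"
  on articles for delete
  to authenticated
  using (auth.uid() = user_id);

-- Verification sketch: connect as the `authenticated` role with a JWT for one user
-- and run the query below. With the policies in place it must return 0.
-- select count(*) from articles where user_id <> auth.uid();
```

Policies are granted to `authenticated` only, so unauthenticated (`anon`) requests match no policy and see no rows at all.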
How we encrypt
TLS 1.2+ for everything in transit (thetuck.app, app.thetuck.app, the apps' API calls). At-rest encryption is handled by our infrastructure providers: AES-256 for Supabase Postgres + storage, AES-128 for backups. Auth tokens use industry-standard JWT with short expiry + refresh.
Who has access
Production database access is restricted to two engineers, behind hardware-key 2FA, with all actions logged to an audit trail we review quarterly. Customer-support staff don’t have direct DB access; they go through scoped admin tools that record every read or modification.
Third parties + what they see
Detailed in our privacy policy. Short version: Supabase hosts data, Resend sends emails, AI providers see article text only when you tap Summarize, RevenueCat sees subscription state but no payment details, Plausible records anonymous pageviews (no cookies, no fingerprinting). No advertising trackers anywhere.
Incident response
If we discover a security incident affecting your data, we email everyone affected within 72 hours of confirmation. That is the GDPR-required deadline, and we treat it as a minimum standard, not a target. We post incident reports publicly afterwards (status.thetuck.app). Recurring incidents trigger external review.
Your control over your data
Export your full library in one click (Markdown, HTML, or JSON) from Settings → Account → Export, on every plan, including after you cancel. Delete your account permanently from Settings → Account → Delete account. Both rights are non-negotiable and free.
Bug bounty & responsible disclosure
Found something? Email security@thetuck.app. We read every report, acknowledge within 48 hours, fix critical issues fast, and credit researchers in the Hall of Thanks below (with your consent).
- In scope: thetuck.app, app.thetuck.app, the iOS / Android / browser-extension clients, the public API endpoints.
- Out of scope: denial-of-service, social engineering of staff, physical attacks, attacks against third-party providers we don’t control.
- Don’t: access or exfiltrate other users’ data, run scanners that degrade service for others, demand payment in exchange for non-disclosure.
- Do: use a test account you control, report to us privately first, give us a reasonable window to fix before publishing details.
We don’t pay cash bounties yet (we’re a small team), but we send Tuck Pro lifetime accounts and stickers, and we credit you publicly if you want.
Hall of Thanks
Researchers who’ve helped make Tuck safer.
Nobody yet. We just launched. Be the first.
Reach the security team
Vulnerability report or anything security-adjacent: security@thetuck.app.
Privacy questions: see the privacy policy.
PGP key forthcoming. For now, email us for the public key if you need to send anything sensitive.
See also: Privacy policy · Terms of service