Trust Centre

Security and privacy you can verify

Elevale is committed to GDPR, UK GDPR, and global privacy standards. This section explains how we protect your data and where to find our legal documents.

Commitments

What you can expect from Elevale

Plain-language outcomes from our platform documentation: encryption, access control, audit logging, data rights, and retention, without implementation jargon.

Authentication

  • Multi-factor authentication (email or authenticator app) required after signup
  • Privileged platform roles (super admin, agency admin) must use MFA
  • Password reset and session management via Supabase Auth

Encryption

  • In transit: TLS 1.2+ for all connections
  • At rest: Supabase encrypted storage; OAuth tokens encrypted server-side
  • Secrets: API keys stored as hashes; no client-side token encryption

Access control

  • Row Level Security (RLS) on all tenant data
  • Role-based access: system, organization, and workspace levels
  • Custom workspace roles with granular permissions

Your data rights

Under GDPR, UK GDPR, and many US state laws you have rights over your personal data.

  • Access: Know what data we hold about you
  • Portability: Download your data (JSON export)
  • Rectification: Correct inaccurate data in Profile settings
  • Erasure: Delete your account or request erasure

Audit logging

Elevale maintains an immutable audit trail for compliance and security accountability.

  • Workspace data changes (OKRs, KPIs, tasks, wiki, business brief, process map)
  • User and role changes
  • Permission and custom role modifications
  • Admin actions (user deletion, workspace management)

Retention and deletion

Retention timelines are consistent across billing, automated jobs, and this documentation.

  • Grace period: Until end of current billing period; full access continues
  • Access ends: At grace period end; account closed; deletion schedule begins
  • 60 days after access ends: Personal data anonymised (soft delete)
  • 90 days after access ends: Permanent deletion (hard delete)

Retention

Clear deletion timelines

Retention periods are consistent across billing, automated jobs, and platform documentation.

Cancelled workspaces

  1. Grace period: Until end of current billing period; full access continues
  2. Access ends: At grace period end; account closed; deletion schedule begins
  3. 60 days after access ends: Personal data anonymised (soft delete)
  4. 90 days after access ends: Permanent deletion (hard delete)

Other data categories

  • Audit logs: Retained 2 years, then purged automatically
  • Cookie consent records: 1 year
  • Privacy requests: 3 years after completion (compliance evidence)
  • Billing records: Retained as required by tax law (typically 6–7 years)
  • Backups: Supabase encrypted PITR; rolling schedule independent of application lifecycle

Reviews

Help other directors find Elevale

If Elevale is working for your leadership team, a review on G2 or Capterra helps other business directors discover strategic execution software that fits SMEs and growing teams.

Subprocessors

Trusted partners behind the platform

Elevale uses trusted subprocessors to deliver the platform. The authoritative list is published at elevale.app/legal/subprocessors. We provide 30 days' notice before adding subprocessors that process personal data.

Provider | Purpose
Supabase | Database, authentication, storage (EU/US regions)
Fly.io | Application hosting
Stripe | Payment processing
OpenAI / Google Gemini | AI chat and embeddings (when enabled)
ElevenLabs | Voice mode (when enabled)
AWS SES | Transactional email

Need help?

Questions about security or privacy?

Reach our privacy and security teams directly. Data rights requests are handled within our documented 30-day SLA.