How Index8 handles your information.
Last updated June 12, 2026. Questions: privacy@index8.app.
Who we are
Index8 is a security readiness platform for small businesses, operated from the United States. This policy covers the public site at index8.app and the signed-in workspace.
What we collect
Account information: your name, work email, company name, and password (stored as a hash by our authentication provider, Supabase).
Workspace content you choose to add: assessment answers, policies, evidence files, training records, insurance preparation notes, and team member names and emails you invite.
Public readiness check and research submissions: the answers you give, your name, work email, and company, stored so we can follow up and, with your consent during sign-up, carry your check into a new workspace.
Technical information: server logs, a hashed (never raw) IP address for rate limiting and abuse prevention, and product analytics events that contain identifiers, plan names, and computed score bands. Our analytics are configured without cookies, without session recording, and without collecting names, emails, or free-text answers.
What we never collect
Payment card details never touch Index8 servers; checkout and billing are handled by Stripe on Stripe-hosted pages. We ask you not to store regulated identifiers (Social Security numbers, full payment card numbers, login credentials) in workspace fields, and our guidance says the same.
How we use information
To run your workspace, compute your readiness score, generate documents you request, send transactional email (sign-in, invitations, receipts), respond to support requests, and improve the product using the aggregated, non-identifying analytics described above. We do not sell personal information, and we do not use your workspace content for advertising.
Who can see your workspace
Your workspace is private to your organization. Every read and write is scoped to your organization in our application layer and protected by row-level security in our database. Index8 staff access customer data only when necessary to support you, and that access is logged. Public sharing happens only when you create a share link, which you can expire or revoke at any time.
Service providers
We use a small set of processors to run Index8: Supabase (authentication, database, file storage), Vercel (hosting), Stripe (payments), and, when configured, Sentry (error monitoring, scrubbed of personal data before sending), PostHog (cookieless product analytics), Resend (email delivery), and Upstash (rate limiting). Each receives only what its function requires. The full, versioned list is on our subprocessors page.
Connected accounts (when available)
If you connect a workspace integration such as Google Workspace or Microsoft 365, Index8 requests read-only access limited to directory and security-posture information, never email content, files, calendars, or messages. Connection tokens are stored encrypted, used only to refresh the checks you asked for, and deleted when you disconnect. Disconnecting stops all future access immediately.
Retention and deletion
You can remove records from your workspace as you work; removed evidence is held briefly so accidental deletions can be recovered, then purged. To delete your account and workspace data entirely, contact privacy@index8.app and we will complete the deletion and confirm it to you. Backups age out on our database provider's standard schedule.
Security
Traffic is encrypted in transit. Access is organization-scoped with role-based permissions. Evidence files live in a private bucket served through short-lived signed links. We describe our practices in more detail in our security posture. No vendor can promise perfect security, and we do not.
Your choices and rights
You can access and update your information in workspace settings, export your report content, and request a copy or deletion of your data at privacy@index8.app. Depending on where you live, you may have additional rights under laws such as the CCPA; we honor verified requests regardless of residence.
Changes
If this policy changes in a way that matters, we will update the date above and note the change on this page. Continued use after a change means the updated policy applies.