Security
How Paletta handles your data.
Your data stays yours
- Palettes and color systems you create are stored in your account and never shared with third parties.
- User-generated content is never used to train AI models.
- AI palette generation sends only color values and prompt text to our AI provider. No personal data, no palette history, no usage patterns.
- Free users can delete their account and all associated data at any time.
Infrastructure
Sub-processors and the data each one handles.
| Service | Role | Data processed |
| --- | --- | --- |
| Supabase | Authentication and database | Account info, saved palettes |
| Stripe | Payment processing | Billing info (Paletta never sees card numbers) |
| Anthropic | AI color generation | Color values and prompt text only |
| Vercel | Hosting and edge functions | Request logs (auto-purged) |
| PostHog | Product analytics | Anonymous usage events (no PII) |
| Cloudflare | DNS and DDoS protection | Request metadata |
Encryption
- All connections use TLS 1.2+ encryption in transit.
- Data at rest is encrypted via Supabase (AES-256).
- Stripe handles all payment data in their PCI DSS Level 1 certified environment.
Compliance
- GDPR: Users can request data export or deletion. Email hello@usepaletta.io.
- CCPA: California residents have the same rights under CCPA.
- Cookie consent: Paletta uses a cookie banner. Analytics can be declined.
Report a vulnerability
- Security issues: hello@usepaletta.io
- Include a description, steps to reproduce, and expected vs actual behavior.