Security Overview
Last updated: April 24, 2026
PeacefulBiz handles business information — strategy, client notes, content, ideas — that you don't want leaking. This page explains how we protect it. We're a small, independent company; we don't have a 60-person security team. But we use the same infrastructure-level protections as much larger SaaS platforms, because the tools we run on give them to us by default.
Your data is yours, private, and isolated
- Per-user isolation. Your business information, content, conversations with Bree, and any data you store are tied to your account. Other users cannot see it, query it, or access it. This is enforced at the database level (row-level security on every table that stores user data), not just at the app layer.
- Never sold, never shared. We do not sell your data. We do not share it with advertisers, marketers, or any third party for their use. The only third parties who ever touch your data are the infrastructure providers we use to run the service (listed below), and only under strict data-processing terms.
- Not used to train AI models. Anything you put into PeacefulBiz — including conversations with Bree — is not used to train our AI systems or the underlying model providers' AI systems. See our AI Disclaimer for details.
Encryption
- In transit: All traffic between your browser and PeacefulBiz is encrypted with TLS 1.2 or higher (the lock icon in your browser). This includes every page load, every API call, every save.
- At rest: Data stored in our databases and file storage is encrypted at rest by our infrastructure providers. Database backups are also encrypted.
- Credentials and tokens: Passwords are never stored in plain text — they're hashed with industry-standard one-way functions. OAuth tokens (used when you connect Google Calendar, for example) are stored encrypted and are only readable by the server-side functions that need them. Your browser never has access to stored tokens.
Infrastructure we use
We're transparent about the providers that run PeacefulBiz, because their security posture is part of ours:
- Netlify — hosts the application and runs our server-side functions. SOC 2 Type II certified.
- Supabase — authentication and database. Hosted on AWS. SOC 2 Type II certified.
- Anthropic & OpenAI — provide the large language models that power Bree. Our contracts with these providers prohibit the use of your data to train their models.
- Stripe — payment processing. PCI DSS Level 1 certified. We never see or store your full credit card number — Stripe handles that directly.
- Google Cloud / Microsoft / Apple — when you connect external accounts (Google Calendar, Outlook, iCloud), we use the official OAuth APIs and minimum-required permissions. See our Privacy Policy for scope specifics.
Authentication
- Passwords must meet minimum complexity requirements.
- Session tokens expire and refresh automatically, so a stolen token doesn't grant permanent access.
- Account access is locked to the email address on file — we can't log in as you, and we can't change your password without your participation.
Access within our team
PeacefulBiz is run by Heather (the founder). Engineering access to production databases and systems is limited to the people who need it to build and support the service — and that's a very short list. We don't browse your data. We don't read your content. We only access user data when you specifically ask us to help troubleshoot something, and only with your clear consent.
Data portability and deletion
- Export. You can request an export of your data at any time. We'll provide it in a standard format within 30 days.
- Deletion. You can delete your account at any time. On deletion, your data is removed from our active systems within 30 days. Encrypted backups roll off on a standard retention schedule (typically 30-90 days depending on the provider).
Incident response
If we ever discover a security incident that affects your data, we will:
- Notify you by email within 72 hours of confirming the incident
- Explain what happened, what data was affected, and what we're doing about it
- Provide guidance on any steps you should take on your end
We will not hide, downplay, or delay incident communication. Trust is what you're paying for.
Reporting a security issue
Found a vulnerability or have a security concern? Email heather@peacefulbiz.com with the subject line "Security:" and a description. We respond to every security report within 48 hours and work with researchers in good faith.
A practical note
PeacefulBiz is a small, growing product — not a Fortune 500 SaaS. We don't currently have independent audits, a dedicated security team, or enterprise-grade compliance certifications like SOC 2 of our own. What we do have is a disciplined engineering approach, infrastructure choices that give us strong protections by default, and the willingness to be honest about all of the above. If that matches the level of risk you're comfortable with, we'd love to have you. If you need a more formal security posture for regulated industries, PeacefulBiz may not be the right tool for your use case yet — and we appreciate you being thoughtful about it.
Contact
Security questions? Email heather@peacefulbiz.com.
Stephens Consulting LTD, DBA Wise Owl Marketing
350 E. Washington St., PO Box 514
Slinger, WI 53086, United States