# Data Storage
This page explains where and how your data is stored on the Zetto platform, including the security measures in place to protect it.
## Database

Zetto uses a self-hosted Supabase instance running on PostgreSQL. This gives us full control over the database infrastructure and data locality.
- Engine — PostgreSQL with pgvector extension for vector similarity search.
- Hosting — Self-hosted on dedicated infrastructure (not shared multi-tenant).
- Encryption at rest — All data stored on disk is encrypted using AES-256 encryption.
- Encryption in transit — All connections to the database use TLS 1.2 or higher.
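"Encryption in transit" only holds if every client refuses plaintext and verifies the server it is talking to. The check below is an added example, not Zetto's or Supabase's code: it inspects a libpq-style connection string for its `sslmode` (the libpq values `disable`, `allow`, `prefer`, `require`, `verify-ca`, `verify-full` are real; the DSNs and host names are constructed placeholders) and builds a TLS context that enforces the "TLS 1.2 or higher" policy stated above, shown beside a deliberately weak context for contrast.

```python
import ssl
from urllib.parse import parse_qs, urlparse

# Added example (not Zetto's code): client-side enforcement of the
# "TLS 1.2 or higher" transit policy for PostgreSQL connections.
# Connection strings below are constructed placeholders.

# Only these libpq modes both refuse plaintext AND verify the server certificate.
# "require" encrypts but accepts any certificate, so a MITM is not detected.
STRONG_SSLMODES = {"verify-ca", "verify-full"}


def dsn_sslmode(dsn: str) -> str:
    """Return the sslmode of a postgresql:// DSN; libpq defaults to 'prefer' when unset."""
    params = parse_qs(urlparse(dsn).query)
    return params.get("sslmode", ["prefer"])[0]


def dsn_enforces_tls(dsn: str) -> bool:
    """True only when the DSN forces TLS and certificate verification."""
    return dsn_sslmode(dsn) in STRONG_SSLMODES


def policy_context() -> ssl.SSLContext:
    """TLS context that meets the policy: TLS 1.2+ minimum, hostname and cert checks on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context() -> ssl.SSLContext:
    """The mistake to look for in client code: encryption without verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """Check a context against the page's transit policy."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
    )


WEAK_DSN = "postgresql://app@db.example.invalid:5432/zetto?sslmode=prefer"      # constructed
STRONG_DSN = "postgresql://app@db.example.invalid:5432/zetto?sslmode=verify-full"  # constructed

if __name__ == "__main__":
    for dsn in (WEAK_DSN, STRONG_DSN):
        print(dsn_sslmode(dsn), "->", "ok" if dsn_enforces_tls(dsn) else "does not enforce TLS")
    print("policy context ok:", context_meets_policy(policy_context()))
    print("weak context ok:  ", context_meets_policy(weak_context()))
```

The point of the DSN check is that `sslmode=prefer` (the default) silently falls back to plaintext and `sslmode=require` does not verify who holds the certificate; only `verify-ca` and `verify-full` give you the property the policy promises.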
## What is stored and how

### Profile and account data

Your profile information, handle, email, connected verification signals, and account settings are stored in the PostgreSQL database with encryption at rest.
### Listings (offer/seek cards)

Listing content (title, description, labels, card type, budget, geography) is stored in structured database tables with GIN indexes for fast search.
### Conversations

- Conversation messages are stored encrypted in the database.
- Conversations are auto-archived after 90 days of inactivity. Archived conversations are preserved but moved to cold storage.
- You can access archived conversations from your conversation history.
### Embeddings

- Vector embeddings are stored in pgvector for the matching engine.
- Embeddings are mathematical representations of your listing content, optimized for similarity search.
- No PII is stored in embedding vectors. Embeddings are generated from listing text (card type, headline, description, geography, labels) and cannot be reversed back into readable text.
### API keys

- API keys are SHA-256 hashed before storage. The plaintext key is shown once at creation and never stored.
- This means even in the event of a database breach, API keys cannot be recovered from stored data.
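The hash-before-store pattern described above, as an added example that is not Zetto's code: the key is generated from the OS CSPRNG, only its SHA-256 digest is written to the table (an in-memory dict stands in for the database here), the plaintext is returned exactly once, and lookups hash the presented key and search by digest. The `zk_` prefix and all function names are assumptions for this illustration.

```python
import hashlib
import secrets

# Added example (not Zetto's code): store only the SHA-256 digest of an API key.
# An in-memory dict stands in for the database table; the "zk_" prefix and the
# function names are assumptions made for this illustration.

KEY_PREFIX = "zk_"      # assumed; a fixed prefix makes leaked keys recognisable in logs
KEY_RANDOM_BYTES = 32   # 256 bits of entropy from the OS CSPRNG


def hash_api_key(plaintext: str) -> str:
    """SHA-256 digest (hex) of the key; this is the only form that touches storage."""
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def generate_api_key(store: dict, owner: str) -> str:
    """Create a key for `owner`, persist only its digest, return the plaintext once."""
    plaintext = KEY_PREFIX + secrets.token_urlsafe(KEY_RANDOM_BYTES)
    store[hash_api_key(plaintext)] = {"owner": owner}
    return plaintext


def lookup_api_key(store: dict, presented: str):
    """Resolve a presented key to its owner, or None when it matches no digest."""
    record = store.get(hash_api_key(presented))
    return record["owner"] if record else None


def store_leaks_plaintext(store: dict, plaintext: str) -> bool:
    """What a dump of the table would expose: True if the plaintext appears anywhere."""
    return plaintext in repr(store)


if __name__ == "__main__":
    table = {}
    key = generate_api_key(table, "alice")
    print("show once:", key)
    print("owner:", lookup_api_key(table, key))
    print("plaintext in table:", store_leaks_plaintext(table, key))
```

A plain, unsalted SHA-256 is adequate here only because the key carries 256 bits of CSPRNG entropy, so guessing a preimage of the stored digest is infeasible. Low-entropy secrets such as passwords need a deliberately slow, salted function, which is why the Authentication section below uses bcrypt rather than SHA-256.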
### Authentication

- Authentication is handled by Supabase Auth with JWT tokens.
- Passwords are hashed using bcrypt with a cost factor of 10.
- Session tokens have configurable expiration.
### File uploads

Zetto currently operates as a text-only platform. File uploads are not supported in conversations or listings. This eliminates an entire class of security risks associated with file storage and processing.
## Backups

- Daily automated backups with point-in-time recovery capability.
- Backups are stored separately from the primary database.
- Recovery testing is performed regularly to verify backup integrity.
## Data retention

| Data type | Retention policy |
|---|---|
| Account data | Retained while account is active |
| Listings | Retained while account is active (paused listings are preserved) |
| Conversations | Active indefinitely; auto-archived after 90 days of inactivity |
| Match history | Retained while account is active |
| Embeddings | Regenerated periodically; no historical versions retained |
| Audit logs | 12 months |
| Deleted account data | Removed within 30 days of deletion request |
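A retention table is only as good as the job that enforces it, so the added example below (not Zetto's code) encodes the time-based rows of the table as a compliance check that runs over exported records and reports breaches: a conversation idle for 90 days that is still unarchived, an audit log older than 12 months, and an account whose deletion request is more than 30 days old with data still present. Row shapes, field names and the sample rows are constructed for this illustration, and "12 months" is taken as 365 days.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added example (not Zetto's code): the retention table encoded as a check
# over exported rows. Row shapes, field names and sample rows are constructed.

ARCHIVE_AFTER = timedelta(days=90)          # conversations: auto-archive after 90 days idle
AUDIT_LOG_RETENTION = timedelta(days=365)   # "12 months", taken as 365 days (assumption)
DELETION_DEADLINE = timedelta(days=30)      # deleted account data removed within 30 days


def conversation_violation(row: dict, now: datetime) -> Optional[str]:
    idle = now - row["last_activity"]
    if idle >= ARCHIVE_AFTER and not row["archived"]:
        return f"conversation {row['id']}: idle {idle.days}d but not archived"
    return None


def audit_log_violation(row: dict, now: datetime) -> Optional[str]:
    age = now - row["created_at"]
    if age > AUDIT_LOG_RETENTION:
        return f"audit_log {row['id']}: {age.days}d old, past 365d retention"
    return None


def account_violation(row: dict, now: datetime) -> Optional[str]:
    requested = row.get("deletion_requested_at")
    if requested is None or row.get("purged", False):
        return None
    waited = now - requested
    if waited > DELETION_DEADLINE:
        return f"account {row['id']}: deletion requested {waited.days}d ago, data still present"
    return None


CHECKS = {
    "conversation": conversation_violation,
    "audit_log": audit_log_violation,
    "account": account_violation,
}


def retention_violations(rows, now: datetime):
    """Return one message per row that breaches the stated retention policy."""
    findings = []
    for row in rows:
        msg = CHECKS[row["kind"]](row, now)
        if msg:
            findings.append(msg)
    return findings


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


SAMPLE_NOW = _utc(2024, 6, 1)
SAMPLE_ROWS = [  # constructed sample data
    {"kind": "conversation", "id": "c1", "last_activity": _utc(2024, 5, 20), "archived": False},
    {"kind": "conversation", "id": "c2", "last_activity": _utc(2024, 1, 1), "archived": False},
    {"kind": "conversation", "id": "c3", "last_activity": _utc(2024, 1, 1), "archived": True},
    {"kind": "audit_log", "id": "a1", "created_at": _utc(2023, 12, 1)},
    {"kind": "audit_log", "id": "a2", "created_at": _utc(2023, 3, 1)},
    {"kind": "account", "id": "u1", "deletion_requested_at": _utc(2024, 5, 15), "purged": False},
    {"kind": "account", "id": "u2", "deletion_requested_at": _utc(2024, 4, 1), "purged": False},
    {"kind": "account", "id": "u3", "deletion_requested_at": _utc(2024, 4, 1), "purged": True},
    {"kind": "account", "id": "u4", "deletion_requested_at": None},
]

if __name__ == "__main__":
    for finding in retention_violations(SAMPLE_ROWS, SAMPLE_NOW):
        print(finding)
```

Run against the sample rows, the check flags `c2` (152 days idle, not archived), `a2` (older than a year) and `u2` (deletion requested 61 days ago, still present) and nothing else. The "retained while account is active" rows need no time-based check; they are covered by the deleted-account rule once a deletion request exists.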
## Infrastructure access

- Database access is restricted to authenticated service connections only.
- No direct public access to the database is permitted.
- All API requests pass through the Cloudflare Workers edge network with rate limiting and DDoS protection.
For information about your data rights, including export and deletion, see GDPR and Data Rights.