Security Practices
Last updated: April 25, 2026
Guidely is trusted by teams to deliver interactive training on sensitive internal tools. We take that trust seriously. This page describes the technical and organizational measures we use to protect your data.
Infrastructure
- Hosting: Guidely is hosted on Vercel, which maintains SOC 2 Type II and ISO 27001 certifications.
- Database: All application data is stored in Supabase (PostgreSQL) with Row-Level Security (RLS) policies enforced at the database layer.
- Encryption in transit: All connections use TLS 1.2 or higher. No unencrypted HTTP traffic is accepted.
- Encryption at rest: Data stored in Supabase is encrypted at rest using AES-256.
Authentication & Access Control
- Authentication is handled by Supabase Auth, which issues a signed JWT for each session; that token identifies the caller on every request.
- Row-Level Security (RLS) policies ensure that users can only query, insert, update, or delete rows within their own workspace. Because PostgreSQL evaluates the policies on every statement, isolation holds even when a query reaches the database through a path the application code did not anticipate.
- Every API endpoint validates the caller's auth token before processing the request. Unauthenticated requests are rejected.
- Role-based access (Admin, Creator, Learner) restricts what each team member can see and do within the dashboard and extension.
Chrome Extension Security
- The extension follows the Chrome Manifest V3 model, which is stricter than Manifest V2: background work runs in a service worker rather than a persistent page, remotely hosted code cannot be executed, and the extension's content security policy is tightened.
- DOM reading occurs only during active use — when recording a guide, playing a guide, or using AI chat. There is no passive background data collection.
- The extension does not access or store browsing history.
- Screenshots are captured only during active recording sessions initiated by the user and are used solely for guide creation.
- No data is collected when the extension is idle or the side panel is closed.
AI Data Processing
- AI features are powered by Anthropic's Claude via their commercial API.
- Page content sent to Claude is processed in real-time and is not used to train AI models, per Anthropic's commercial API terms.
- Screenshots and DOM data sent for AI processing are not retained by Anthropic after the request is complete.
- AI-generated guide content is stored in your workspace and can be edited or deleted at any time.
Data Isolation
- Each workspace's data is isolated at the database level using Row-Level Security (RLS) policies.
- Team members can only view and interact with guides that belong to their workspace.
- There is no cross-tenant data access. One workspace cannot query or view another workspace's guides, members, or analytics.
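The workspace isolation described in this section, and the RLS and Admin/Creator/Learner checks under Authentication & Access Control, rest on PostgreSQL RLS policies. The following is an added illustration, not Guidely's actual schema or policies: the table names (workspace_members, guides), column names, and policy names are assumptions, while auth.uid(), the authenticated role and the service_role key are Supabase's own. It shows the default-deny posture RLS gives once enabled, per-command policies that implement the three roles, a security definer helper that keeps the policies from recursing into their own table, and an audit query for tables that were never covered.

```sql
-- Added example (not Guidely's real schema or policies). Table, column and
-- policy names are assumptions; auth.uid() and the authenticated role are
-- standard Supabase.

create table if not exists public.workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null references auth.users (id) on delete cascade,
  role         text not null check (role in ('admin', 'creator', 'learner')),
  primary key (workspace_id, user_id)
);

create table if not exists public.guides (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  title        text not null,
  created_by   uuid not null default auth.uid()
);

-- Membership lookups run as the function owner (security definer) so the
-- guides policies can consult workspace_members without triggering that
-- table's own RLS policies recursively. search_path is pinned so a caller
-- cannot shadow the table via a schema of their own.
create or replace function public.member_role(p_workspace uuid)
returns text
language sql
stable
security definer
set search_path = public
as $$
  select role from public.workspace_members
  where workspace_id = p_workspace and user_id = auth.uid();
$$;

revoke all on function public.member_role(uuid) from public;
grant execute on function public.member_role(uuid) to authenticated;

-- Default-deny: once RLS is enabled, a row is invisible unless some policy
-- matches it. FORCE applies the policies to the table owner as well, so an
-- owner-level connection cannot quietly bypass isolation.
alter table public.workspace_members enable row level security;
alter table public.workspace_members force row level security;
alter table public.guides enable row level security;
alter table public.guides force row level security;

-- A user may see only their own membership rows.
create policy "members: read own memberships"
  on public.workspace_members for select
  to authenticated
  using (user_id = auth.uid());

-- Any member (admin, creator or learner) can read guides in their workspace.
-- A non-member gets NULL from member_role(), which fails the check.
create policy "guides: members read"
  on public.guides for select
  to authenticated
  using (public.member_role(workspace_id) is not null);

-- Only admins and creators may create or edit guides, and only inside a
-- workspace they belong to. WITH CHECK is evaluated against the new row, so a
-- creator cannot write a row whose workspace_id points at another tenant.
create policy "guides: creators insert"
  on public.guides for insert
  to authenticated
  with check (public.member_role(workspace_id) in ('admin', 'creator'));

create policy "guides: creators update"
  on public.guides for update
  to authenticated
  using (public.member_role(workspace_id) in ('admin', 'creator'))
  with check (public.member_role(workspace_id) in ('admin', 'creator'));

create policy "guides: admins delete"
  on public.guides for delete
  to authenticated
  using (public.member_role(workspace_id) = 'admin');

-- Audit: any ordinary table in public without RLS enabled is a gap, because
-- the API roles have grants on the schema by default.
select c.relname as table_without_rls
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r' and not c.relrowsecurity;

-- Smoke test from psql, impersonating an authenticated user. The sub claim is
-- a constructed UUID, not a real account. auth.uid() reads it from the JWT
-- claims setting, so the policies above apply to the queries that follow.
-- set role authenticated;
-- set request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
-- select count(*) from public.guides;   -- only this user's workspace rows
```

Two caveats a vendor review will ask about: the service_role key bypasses RLS entirely, so it must never be shipped in the extension or any client-side bundle, and RLS protects only tables that have it enabled, so the audit query at the end (or Supabase's own linter) belongs in CI so that a new table cannot land without policies.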
What We Don't Do
- We don't sell user data.
- We don't use tracking pixels or third-party ad cookies.
- We don't passively monitor browsing activity.
- We don't store full payment card numbers.
- We don't train AI models on customer data.
Responsible Disclosure
If you discover a security vulnerability in Guidely, we encourage responsible disclosure. Please contact us at security@useguidely.com with details of the issue. We commit to:
- Acknowledging your report within 48 hours
- Providing regular updates on investigation and remediation
- Not pursuing legal action against good-faith security researchers
Questions
If you have questions about our security practices or need additional information for a vendor review, please reach out at security@useguidely.com.