Data Encryption & Privacy
Document version 1.0 · February 2026 · Technical reference for Privacy Policy and Terms of Service
This document describes how Athenai encrypts and stores user data. It is intended as technical reference material when drafting the platform's Privacy Policy, Terms of Service, and any regulatory compliance disclosures.
1. What Kind of Encryption Athenai Uses
Athenai uses encryption at rest and in transit. This is the same standard applied by the majority of commercial SaaS platforms (e.g. Slack, Notion, Linear, Intercom).
This is not end-to-end encryption (E2EE).
Key distinction
| Model | Description | Examples |
|---|---|---|
| Encryption in transit + at rest | Data is encrypted between the client and server, and stored encrypted on disk. The service operator holds the decryption keys. | Slack, Notion, Gmail, most SaaS |
| End-to-end encryption (E2EE) | Data is encrypted on the sender's device before it reaches the server. The service operator cannot read it — only the intended recipients can. | Signal, WhatsApp (messages), ProtonMail |
Athenai falls into the first category.
2. Encryption Implementation Details
2.1 Message Content
- Algorithm: AES-256-GCM (authenticated encryption)
- Key scope: Per-conversation — each conversation has its own randomly generated 256-bit symmetric key
- Key storage: Stored in the
conversations.encryption_keycolumn, accessible to the service operator - What is encrypted: The text body of each message
- What is not encrypted: Message metadata — sender ID, timestamp, conversation ID, message type, and file attachment metadata
2.2 File Attachments
- Storage: Supabase Storage (managed object storage)
- Encryption: Files are encrypted at rest by the storage provider. They are not encrypted at the application level before upload.
- Access control: Row-Level Security (RLS) policies — only authenticated conversation members can retrieve files
- Signed URLs: Download URLs are time-limited signed URLs, not permanent public links
2.3 Data in Transit
- All communication between Athenai clients (web and mobile) and Supabase is over HTTPS/TLS 1.2+
- Realtime message delivery uses Supabase Realtime over WSS (WebSocket Secure)
3. What the Service Operator Can Access
Because Athenai holds the encryption keys in its own database, the service operator has the technical ability to access:
- All message content
- All file attachments stored in Supabase Storage
- All message metadata (sender, timestamp, conversation membership)
- All user profile data
This access exists at the infrastructure level. It is not exposed through any product UI, and no automated system reads message content for advertising or profiling purposes.
4. Third-Party Infrastructure
| Provider | Role | Data processed |
|---|---|---|
| Supabase | Database, Auth, Storage, Realtime | All user data |
| AWS (via Supabase) | Object storage (S3) | File attachments |
| RevenueCat | In-app purchase management | Subscription and billing data |
| Apple / Google | App distribution, push notifications | Device tokens, app receipts |
5. Key Privacy Disclosures
1. Athenai can read message content
Messages are encrypted at the database level, but Athenai holds the encryption keys. The service is not end-to-end encrypted. Athenai should not be used for communications where users require absolute confidentiality from the service provider.
2. Athenai can access uploaded files
Files stored through the platform are protected by access controls but are not encrypted before storage. Athenai and its infrastructure providers have the technical ability to read stored files.
3. Data is not sold or used for advertising
Even though operator access is technically possible, user content is not used for profiling, advertising, or sold to third parties.
4. Data residency
Primary database is hosted in the us-east-1 AWS region (via Supabase). Users in jurisdictions with data residency requirements (e.g. GDPR in the EU) should be informed of cross-border data transfers.
5. Do not use for legally privileged communications
Given the operator-accessible architecture, Athenai is not appropriate for communications that require legal privilege (e.g. attorney-client, medical).
6. Summary Table
| Data type | Encrypted in transit | Encrypted at rest | Operator can read? |
|---|---|---|---|
| Message text | Yes (TLS) | Yes (AES-256-GCM) | Yes (holds keys) |
| Message metadata | Yes (TLS) | No | Yes |
| File attachments | Yes (TLS) | Yes (provider-level) | Yes |
| User profiles | Yes (TLS) | No | Yes |
| Auth credentials | Yes (TLS) | Yes (bcrypt/Supabase Auth) | No (hashed) |