App-owned content · Last updated June 2026

Trust & Security

This page is maintained by the Strategy Hub team to answer common security and privacy questions about Strategy Hub. It describes controls and practices currently enabled in the product. It is not an independent certification or audit.

Access & authentication

Sign-in supports email and password as well as Google sign-in. Optional time-based one-time password (TOTP) multi-factor authentication is available to every user.

Organization admins can require MFA for all members of their workspace and restrict access to specific IP addresses or CIDR ranges. Both controls are enforced server-side on every authenticated request.

Role-based access (admin / member) is enforced in the database, not just in the UI.

Data isolation

Each organization is a separate tenant. Database row-level security policies scope every read and write to the user's organization memberships — data does not cross between tenants.

Sensitive credentials such as webhook secrets, integration tokens, embed tokens, and email tokens are not readable through the public data API; only server-side code with elevated privileges can access them.

Platform & hosting

Strategy Hub runs on the Lovable Cloud platform, which provides managed Postgres, authentication, file storage, and serverless functions. Data is encrypted in transit (TLS) and at rest by the underlying managed services.

The description of Lovable platform capabilities here is a statement of fact; it is not a Lovable-issued certification of Strategy Hub.

Subprocessors & integrations

Strategy Hub uses third-party services to deliver the product, including the Lovable Cloud platform (database, auth, storage, functions) and transactional email delivery for invites, reminders, and unsubscribe links.

Workspaces can optionally connect external data sources (e.g. Google Sheets, BigQuery, Snowflake) to refresh KPI values. Those connections are scoped to the workspace that configured them.

For the current subprocessor list or a DPA, contact privacy@strategyhub.io.

Customer data & retention

Strategy Hub stores the strategy data customers enter (goals, KPIs, initiatives, plans, comments, attachments) plus the account information needed to operate the product.

Workspace admins can export and delete their data from within the product. On account closure, customer data is removed on request. Operational logs may be retained for a limited period for security and debugging.

Privacy requests

To exercise a data access, correction, deletion, or portability request, or to ask a privacy question, email privacy@strategyhub.io. We respond within a reasonable timeframe consistent with applicable law.

Security contact & vulnerability reporting

Report suspected vulnerabilities or security incidents to security@strategyhub.io. Please include reproduction steps and avoid testing against other customers' data.

Shared responsibility

Strategy Hub is responsible for keeping the application secure, applying platform updates, enforcing tenant isolation, and exposing the access controls described above.

Customers are responsible for managing their users and roles, enabling MFA and IP allowlists where appropriate, choosing what data to enter, and complying with the regulations that apply to their business.

The underlying Lovable Cloud platform is responsible for the managed infrastructure (Postgres, auth, storage, serverless functions).

Compliance, certification, and regulatory claims (e.g. SOC 2, ISO 27001, GDPR, HIPAA) are not asserted on this page. If you need contractual commitments or audit evidence, contact sales@strategyhub.io.