Trust center

Trust, security & privacy

This page is maintained by the Apex Ascension team to answer common security and privacy questions about the platform. It describes currently enabled controls and practices — it is editable project content and is not an independent certification or audit.

Accounts & authentication

Members sign in with email and password or supported social providers. Passwords are never stored in plaintext — the authentication provider stores only salted hashes. Sessions use short-lived tokens with automatic refresh, and signing out invalidates the active session on this device.

Administrative access is gated by a server-side role check; the client cannot grant itself elevated privileges.

Platform & hosting

The application runs on Lovable Cloud, which hosts the frontend on a global edge network and the database, authentication, storage, and server functions on a managed Postgres backend. Traffic to the site is served over HTTPS.

Lovable Cloud provides the underlying infrastructure controls. Apex Ascension is responsible for how the application is configured, what data it collects, and how it is used.

Data we collect

We collect the minimum needed to operate the service: email address, authentication identifiers, IP address and browser user-agent (for fraud, abuse, and piracy prevention), membership and payment status, and viewing activity on course content.

We do not sell user data. See our legal & disclaimer page for the full privacy notice.

Access controls on stored data

Database tables that contain member data are protected by row-level security policies. Sensitive operational fields (IP address, user-agent, phone, moderation status) are not readable by end users and are only accessible to server-side admin code.

Course files are stored in a private bucket and served through short-lived signed URLs that are only issued to members with an active membership or to sections explicitly marked as free previews.

Payments

Payments are processed by Stripe. Apex Ascension never sees or stores full card numbers; only the membership status and a Stripe customer reference are stored on our side. Stripe is PCI DSS compliant — see their compliance documentation for details.

Subprocessors & integrations

The following third parties process limited data on our behalf:

  • Lovable Cloud — hosting, database, authentication, storage, server functions.
  • Stripe — payment processing and subscription billing.
  • Discord — optional community access (only the data you share there).

Content protection

Course material is watermarked per-session with the viewer's identifier and IP, and viewing events are logged. Sharing credentials or attempting to download, re-host, or scrape content is grounds for permanent termination without refund.

Retention & deletion

Account and membership records are retained while your account is active. To request deletion of your account and associated personal data, contact an admin in our Discord. Some records (e.g. payment receipts) may be retained where required by law.

Reporting a security issue

If you believe you have found a security vulnerability, please report it privately to an admin in our Discord rather than disclosing it publicly. We appreciate responsible disclosure and will respond as quickly as we can.

Compliance

Apex Ascension does not currently claim any formal certification (such as SOC 2, ISO 27001, HIPAA, or PCI DSS) on its own behalf. Where compliance applies, it is provided by the underlying subprocessors listed above. This page will be updated if that changes.