Security

FAQlue is built for companies that take data seriously. Here is exactly what we collect, what we don't, and how we protect it.

What we collect

The FAQlue widget tracks three types of anonymous interaction data from your visitors:

Question clicks

Which FAQ question was opened. Used to reorder questions by popularity.

Search queries

What visitors typed in the search bar. Used to identify gaps in your FAQ.

Suggested questions

Questions visitors submit when they can't find an answer. Delivered via your daily digest.

All events are stored with a timestamp and linked to your FAQ context. Nothing is linked to an individual visitor.

What we don't collect

Cookies

The widget sets zero cookies on visitor browsers

IP addresses

Not logged, not stored, not forwarded

Session IDs

No session tracking of any kind

Device fingerprints

No canvas, font, or browser fingerprinting

Personal data

No names, emails, or identifiers from visitors

Cross-site tracking

No third-party pixels, no ad networks

Because we don't collect personal data from visitors, the FAQlue widget does not require a cookie consent banner on your site.

Infrastructure

Database

Supabase (PostgreSQL). Row-level security on all tables. Encrypted at rest (AES-256).

Hosting

Vercel. All traffic over HTTPS/TLS 1.3. HSTS enabled with 1-year max-age.

Payments

Stripe. We never see or store card details. PCI DSS Level 1 compliant.

Widget isolation

Shadow DOM. The widget's CSS and JavaScript are completely isolated from your site.

Authentication

PKCE flow via Supabase Auth. Service role keys are server-side only.

Security headers

Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Content-Security-Policy: default-src 'self'; ...
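A way to verify a deployment actually sends the header set listed above, as an added example rather than FAQlue's own code; the response headers it inspects are constructed, and the Content-Security-Policy check only looks for the default-src directive because the rest of the policy is elided on this page.

```python
"""Audit HTTP response headers against the security-header policy listed above."""
from __future__ import annotations

# Exact values taken from the page; header names are compared case-insensitively.
EXPECTED_EXACT = {
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=()",
}
MIN_HSTS_MAX_AGE = 31536000  # one year, as stated on the page


def _directives(value: str) -> dict[str, str | None]:
    """Parse 'a=1; b' style values into {'a': '1', 'b': None} (lower-cased names)."""
    out: dict[str, str | None] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip() or None
    return out


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for every deviation from the policy; [] means compliant."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []
    for name, want in EXPECTED_EXACT.items():
        got = h.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got.strip().lower() != want.lower():
            findings.append(f"{name}: expected {want!r}, got {got!r}")
    hsts = _directives(h.get("strict-transport-security", ""))
    try:
        max_age = int(hsts.get("max-age") or -1)
    except ValueError:
        max_age = -1
    if max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"strict-transport-security: max-age {max_age} < {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in hsts:
        findings.append("strict-transport-security: includeSubDomains missing")
    csp_parts = [p.strip() for p in h.get("content-security-policy", "").split(";")]
    if not any(p.startswith("default-src") for p in csp_parts):
        findings.append("content-security-policy: no default-src directive")
    return findings


# Constructed sample response: HSTS lacks includeSubDomains, frame option too weak.
SAMPLE_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Content-Security-Policy": "default-src 'self'",
}

if __name__ == "__main__":
    for line in audit_headers(SAMPLE_RESPONSE) or ["all headers meet the policy"]:
        print(line)
```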

Data retention

FAQ content

Retained while your subscription is active. Deleted within 30 days of cancellation.

Interaction data

Click and search events are retained for 90 days, then automatically purged.

Suggested questions

Retained until you dismiss or add them. Deleted with the context on cancellation.

Compliance

GDPR: FAQlue processes only anonymous interaction data from visitors. No personal data is collected, so no Data Processing Agreement is required for the widget. For customer account data (your email, plan), FAQlue acts as data controller. You can request access, correction, or deletion at any time.

Cookie law: The widget sets zero cookies. No consent banner is required for FAQlue on your site.

ISO 27001 / NEN 7510: While FAQlue is not certified, the architecture follows the principle of data minimization. If you need a specific security questionnaire completed, email us.

Questions?

Security questions, DPA requests, or compliance questionnaires: hi@faqlue.com