About
Trust and security
Macro by Mark handles account credentials, billing identity, and research workflows for economists, students, professors, and institutional users. This page documents the controls we have actually shipped and the providers your data flows through.
Last reviewed: 2026-05-01.
Account security
Sign-in uses Auth.js v5 with password and Google OAuth. Supabase Auth backs account identity. Browser code never receives Supabase bearer tokens; account routes call Supabase server-side from inside the encrypted Auth.js JWT.
- Multi-factor authentication. Time-based one-time password (TOTP) via any standard authenticator app. Recovery codes (single-use, hashed with per-row salt) are generated at enrollment. Passkeys / WebAuthn are supported as a phishing-resistant alternative.
- Step-up verification. Password change, email change, account delete, and billing portal entry all require re-confirming the current password. The step-up cookie is HMAC signed and lasts 10 minutes.
- Active session inventory.Each sign-in registers a row tied to your account JWT. You can see active devices in Account > Security and revoke any session, including sign-out-everywhere.
- Sign-in alerts. When a sign-in fingerprint (IP + User-Agent) is new for your account, an email notification dispatches automatically.
- Mandatory MFA for admin accounts. Admin entitlements cannot be exercised without a verified TOTP factor.
Network and platform controls
- Content Security Policy. Production drops
'unsafe-eval'entirely. A per-request nonce mechanism is in place to migrate off'unsafe-inline'; trusted inline scripts (JSON-LD, hydration) carry the nonce. - Strict-Transport-Security. Production sets
max-age=31536000; includeSubDomains. - Rate limiting. Auth-sensitive routes (sign-in, register, password reset, password change, email change, account delete, verify-password) use a distributed Upstash limiter that degrades to a per-instance in-memory limiter on outage instead of failing open.
- Server authorization boundary.User-facing account routes use Supabase clients scoped to the caller's JWT, so row-level security is the actual authorization gate; the explicit user_id filters in code are defense in depth.
Data minimization and persistence
- Onboarding identifying fields (city, school, organization, phone, region, professional metadata) live server-side under owner-only RLS with a 7-day TTL on the draft. Pre-verification, the wizard runs in memory only; nothing identifying persists to your device.
- Browser localStorage stores only non-PII UI preferences: focus areas, experience level, marketing opt-in, notification preferences, and the disclosure flag.
- Cookie consent. Non-essential analytics and any future marketing tags are gated behind a runtime consent banner. Decisions are timestamped client-side.
Your data, your access
- Export. Sign in and call /api/account/export. You receive a JSON bundle of every owner-scoped row we hold: profile, preferences, dashboards, watchlists, notifications, workspace, sessions, security events, billing subscriptions. Schema-versioned for stable diffing.
- Delete.Account > Security > Delete account. Step-up gated and confirmed with the literal word DELETE. Cascade removes profile, preferences, dashboards, watchlists, notifications, workspace, onboarding draft, sessions, MFA factors, and recovery codes. Billing records have separate retention obligations and are scrubbed on a separate schedule.
- Correct.Account > Settings to edit profile fields. Account > Security to rotate password or email.
Subprocessors
The product depends on the following third-party providers. Each processes data under a Data Processing Agreement.
| Provider | Purpose | Data |
|---|---|---|
| Vercel | Application hosting and edge delivery | Request metadata, IP, response logs |
| Supabase | Authentication and primary database | Account identity, profile, preferences, sessions, MFA factors |
| Stripe | Payments and subscription billing | Email, subscription metadata, payment method tokens |
| Upstash Redis | Distributed rate limiting | IP buckets and counters (no request bodies) |
| Resend | Transactional email (sign-in alerts, watchlist alerts) | Email address and message content |
| Tiger Cloud (Postgres) | Macro indicator catalog and observation cache | Public macroeconomic series only; no user data |
Retention map
| Data | Retention |
|---|---|
| Profile and preferences | Until account deletion. Restored from export bundle if requested. |
| Onboarding drafts | 7 days from last write or until onboarding completes, whichever is first. |
| Active sessions | Until you sign out, until you revoke them, or 90 days idle (whichever is first). |
| Security events | 365 days, then automatically purged. |
| MFA recovery codes (hashed) | Until consumed or until you re-enroll MFA. |
| Billing records | Retained per applicable financial law (typically 7 years), separate from account deletion. |
Reporting and contact
For privacy requests, vulnerability disclosures, or DPA inquiries:
- security@macrobymark.com for security and vulnerability disclosures
- privacy@macrobymark.com for privacy / GDPR / CCPA requests, DPA, and subprocessor questions
We aim to acknowledge requests within two business days and to fulfill them within 30 days where law applies.
See also our privacy policy and terms of use.