Privacy and Data Security

Requify takes the privacy and security of your data seriously. This page tries to be straightforward about what we collect, how we use it, and who else touches it. If you have any questions or concerns, please contact us at support@requify.app .

Requify is currently a one-person project, so there's no dedicated security team. That said, a lot of care has gone into choosing the right infrastructure and handling your data responsibly.

What we collect

When you sign up and use Requify, we store your account information (name and email), along with any content you create inside the platform — requirements, tests, reviews, incidents, and so on. OAuth login is available but entirely optional; you can sign in with email and password if you prefer.

We also collect usage data and technical information like IP addresses and browser details. This helps us understand how the product is being used and debug errors when things go wrong.

Who we share data with

We don't sell your data or share it with third parties for advertising. A small number of infrastructure providers are involved in running the service:

Turso — each organization gets its own separate SQLite database, stored and encrypted on Turso. This means your data is isolated from other organizations at the database level, not just using RLS.
Tigris — files and documents uploaded to Requify are stored on Tigris.
PostHog — we use PostHog for product analytics and error logging to help debug issues. More detail on what's tracked is on the analytics page .
Plunk — transactional emails (things like password resets and notifications) are sent through Plunk.
Arcjet — used for endpoint security and bot protection.
Creem — handles payments and billing.
Scalekit — powers SSO for enterprise login.

That's the full list. No other services receive your data.

Data deletion

When you delete something in Requify, it's gone immediately — there's no 30-day grace period or soft delete. If an organization is deleted, all of its files and documents stored on Tigris are deleted at the same time.

Security

All data is encrypted in transit (TLS) and at rest. Using a separate database per organization means a breach of one organization's data cannot expose another's. Arcjet is used to protect API endpoints from abuse.

That said, this is a solo project without formal security audits, penetration testing, or a dedicated incident response team. If you discover a security issue, please reach out directly at support@requify.app .

File Security

Each organization is provisioned their own private S3 bucket with limited scope access keys. All files besides user avatars and project images are encrypted by Requify before being uploaded to S3, and the files are decrypted by Requify when download is requested. Avatars are considered not a sensitive item and therefore saved as non-encrypted images to limit server overhead.

Your rights

You can request a copy of your data, ask for corrections, or request deletion at any time by emailing support@requify.app .

There are no formal data processing agreements (DPAs) available at this time. If that's a requirement for your organization, get in touch and we can discuss what's possible.

Self-hosting

If you need your data to stay entirely within your own infrastructure, self-hosting is a supported option. Great care has been taken to ensure self-hosting is not an afterthought for Requify users. Contact us to learn more.

Last update at: 04/05/2026

On this page

Privacy and Data Security What we collect Who we share data with Data deletion Security File Security Your rights Self-hosting