Security & Data Privacy
Last updated May 11, 2026
Security & Data Privacy
Your clients' information and payment details are some of the most sensitive data your agency handles. This article explains exactly how JourneyFuse protects it — what we store, what we don't, where it lives, and the promises we make about how it's used.
If you have a security question that isn't answered here, email security@journeyfuse.com and we'll get you a real answer from a real person.
Credit Card Data — We Don't Store It
JourneyFuse never stores credit card numbers on our servers. Full stop.
Storing card numbers safely requires building and maintaining a fully PCI DSS–compliant cardholder data environment — and there's no good reason for an agency CRM to take on that risk when specialist providers already do it better. So we use specialists for every part of the payment flow.
How card capture actually works
When a client or agent enters a card number anywhere in JourneyFuse — a virtual terminal, a card authorization form, a payment link — the card field is rendered by Evervault, a PCI DSS v4.0.1 Level 1 certified service provider. Here's the flow:
- The card number is typed directly into a secure Evervault iframe — it never touches JourneyFuse's frontend code.
- Evervault encrypts the card in the browser and returns a token (a meaningless reference like
ev:abc123...). - JourneyFuse stores only the token, plus the last 4 digits and brand for display purposes.
- When a charge is needed, the token is passed back to the payment processor — JourneyFuse never sees the underlying card number.
Evervault's PCI DSS compliance is independently audited every year by Prescient Security LLC (a Qualified Security Assessor, QSA Certificate #202-230). Their most recent Attestation of Compliance is dated July 21, 2025, and we can share a copy on request.
Subscription billing and planning fees
For agency subscription payments and any planning fees collected through JourneyFuse, we use Stripe, which is also PCI DSS Level 1 certified. Same principle — cards go directly to Stripe, we store only tokens.
What this means for you
- You can take card authorizations and run virtual terminals through JourneyFuse without your agency needing to be PCI compliant — because the card data never enters your scope.
- If our servers were ever compromised, an attacker would find a collection of useless tokens, not card numbers.
- You don't have to take our word for any of this — the underlying PCI attestations are independently verifiable.
Where Your Data Lives
JourneyFuse runs on modern, reputable infrastructure with industry-standard security practices:
| Layer | Provider | What it does |
|---|---|---|
| Database | Supabase (Postgres) | Stores all agency, client, trip, and proposal data |
| Hosting | Vercel | Runs the web application |
| Card tokenization | Evervault | PCI DSS Level 1 — handles all card data |
| Subscription billing | Stripe | PCI DSS Level 1 — handles agency billing |
| Transactional email | Resend | Sends emails on your behalf |
| Error monitoring | Sentry | Tracks application errors (PII scrubbed) |
| Rate limiting | Upstash | Prevents abuse |
| Maps | Mapbox | Renders location data in itineraries |
Encryption
- In transit: every connection to JourneyFuse uses TLS (HTTPS). No unencrypted traffic, anywhere.
- At rest: Postgres data is encrypted at rest by Supabase. Backups are encrypted.
- Card data: encrypted at the browser by Evervault before it ever reaches our servers.
Workspace isolation (the important one)
JourneyFuse is a multi-tenant SaaS — multiple agencies share the same database. But every table that holds your data has Row-Level Security (RLS) policies enforced by Postgres itself. This is not a soft permission check in our application code that a bug could bypass — it's a database-level rule.
In plain English: one agency literally cannot query another agency's data, even if our application code had a bug that tried to. The database refuses to return rows that don't belong to the requesting workspace.
What We Will Never Do
These are the promises that matter most:
- We will never sell your data. Not to advertisers, not to data brokers, not to anyone.
- We will never share your client list with another agency. Your clients are walled off from every other workspace at the database level.
- We will never use your data to train AI models. Your client emails, trip details, and notes are not training data.
- We will never contact your clients to recruit them. JourneyFuse's founder is also a travel advisor, and we understand why this matters. Doing this would end the business overnight.
- We will never access your data without a reason. Our support team cannot browse your workspace casually. Access for support tickets is logged, and we only access what's necessary to resolve the specific issue you've contacted us about.
Your Control Over Your Data
- You own your data. Everything you put into JourneyFuse belongs to you.
- You can export it. See Data Export & Ownership for details on exporting clients, trips, bookings, and commissions.
- You can delete it. Closing your account removes your data on a defined schedule, with backup retention disclosed in our Privacy Policy.
- You can request a copy or deletion at any time by emailing privacy@journeyfuse.com.
Authentication & Account Security
- Logins are handled by Supabase Auth with industry-standard password hashing (no plaintext passwords, ever).
- Passwords have minimum strength requirements.
- Magic link and password reset flows use single-use, expiring tokens.
- We recommend enabling 2FA on the email account you use for JourneyFuse — that's the most common weak link in any SaaS account.
Reporting a Security Concern
If you believe you've found a security vulnerability or have a security question:
- Email: security@journeyfuse.com
- Response time: we aim to acknowledge within one business day.
- Responsible disclosure: please give us a reasonable window to fix issues before publishing details.
Related Documents
- Privacy Policy — the legal version of what's described above
- Terms of Service — your contract with JourneyFuse
- AI Disclosure — how AI is used inside the product, and how your data is (and isn't) involved
- Data Export & Ownership — exporting your data at any time
FAQ
Is JourneyFuse PCI compliant? JourneyFuse doesn't need to be PCI compliant because we never store, process, or transmit card data ourselves — we use Evervault and Stripe, both PCI DSS Level 1 certified service providers, to handle 100% of card data. Your agency also stays out of PCI scope when using JourneyFuse for card capture.
Can I see Evervault's PCI attestation? Yes. Email security@journeyfuse.com and we'll share the most recent Attestation of Compliance (currently dated July 21, 2025, assessed by Prescient Security LLC).
Who can see my client data inside my workspace? Only members of your workspace, scoped by their role. Owners and admins see everything; agents see what they're assigned to. External agents (host agency model) only see commissions data. No one outside your workspace can see your client data — not other agencies, not other agents from other agencies, not the public.
Does JourneyFuse use my data to train AI? No. Features in JourneyFuse that use AI (like proposal suggestions or email drafting) call third-party AI models with the specific data needed for that single request — they don't contribute to model training. Where we use AI providers, we use them under terms that prohibit training on submitted data.
The founder is also a travel advisor — how do I know my clients won't be poached? Two safeguards: (1) Database-enforced workspace isolation means there is no view inside the product that exposes other agencies' clients. (2) Doing this would be career-ending and would destroy JourneyFuse. It's not happening.
What happens to my data if I cancel? Your data is retained for a defined period after cancellation in case you want to reactivate, then deleted on a published schedule. You can request immediate deletion at any time by emailing privacy@journeyfuse.com.
Where is the data physically stored? Supabase databases are hosted in regions managed by AWS. Specific region details available on request.
Has JourneyFuse ever had a breach? We will disclose any security incident that affects customer data in accordance with applicable law and our Terms of Service.
What about HIPAA / GDPR / other regulations? JourneyFuse is not a HIPAA-covered entity and shouldn't be used to store protected health information. For GDPR, we honor data access and deletion requests; contact privacy@journeyfuse.com.
Related Articles
Testing Mode (Send / Hold for Review / Block All)
Three ways to control whether outbound emails actually reach your clients while you set things up, train a new agent, or sanity-check an automation.
Securing Your Account with Two-Factor Authentication
Add a second layer of security to your JourneyFuse account using an authenticator app. Owners and admins can also require 2FA for all team members.
Your Data, Your Way — Export & Ownership
Download your clients, trips, bookings, invoices, leads, and commissions as CSV files at any time. Your data belongs to you — no restrictions, no hoops to jump through.
Ready To Launch
Bring every trip, payment, and client touchpoint into one fused brand experience.
JourneyFuse is ready to sell, service, and scale with you now. No waitlist. No stitched-together stack. Just one sharp platform your team can actually run on.
Bold branding outside. Serious operating system inside.