Data scope: What goes into Entity Watch
The product is built for firms running a controlled operational workflow. The aim is to store the information needed to monitor companies, coordinate work, and manage access, not to collect a broad profile on end customers.
Account and organization records: This includes name, work email, organization membership, local authentication state, and security settings such as password and two-factor status.
Workspace workflow records: Tracked companies, watchlists, tags, notes, owners, blockers, verification progress, alert history, and activity records are stored so teams can run a repeatable internal process.
Public-register source material: Companies House public-register data is fetched and normalized so customers can monitor company profile changes, filing activity, officers, PSC-related timing context, and similar source events.
Limited billing references: The application stores billing state together with Stripe customer and subscription identifiers. Payment card details themselves are handled by Stripe rather than stored directly in the application database.
Security controls: Why customer information is handled carefully
Reassurance should come from concrete controls, not vague promises. Entity Watch uses a set of practical safeguards to reduce exposure and tighten account handling.
Passwords are hashed before storage: Local passwords are hashed with bcrypt before they are written to the database, so the service does not store them in plain text.
Reset and verification secrets are short-lived and hashed: Password reset tokens and login verification codes are stored as hashes with expiry windows, which means the raw secret is not kept in plain text in the database.
Abuse-sensitive flows are throttled: Sign-in, registration, two-factor verification, password reset, support request, pilot request, and trial activation flows are rate-limited to make brute-force and spam behavior harder.
Sensitive account changes can revoke old sessions: When a password, email address, or two-factor setting changes, the auth session version can be incremented so stale sessions are forced through a fresh sign-in path.
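The hashed, expiring reset token and the session-version revocation described above, shown as an added example (not Entity Watch's own code). The in-memory maps, the function names, the use of SHA-256 for the token hash, and the 15-minute expiry are assumptions made for illustration.

```javascript
// Added illustration; not Entity Watch's code. All names are hypothetical.
const crypto = require("node:crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

// In-memory stand-ins for database tables (constructed sample data).
const users = new Map([["u1", { sessionVersion: 1 }]]);
const resetTokens = new Map(); // tokenHash -> { userId, expiresAt }

// Issue a reset token: the raw value goes to the user, only its hash is stored.
// The 15-minute default expiry is an assumed value.
function issueResetToken(userId, now, ttlMs = 15 * 60 * 1000) {
  const raw = crypto.randomBytes(32).toString("hex");
  resetTokens.set(sha256(raw), { userId, expiresAt: now + ttlMs });
  return raw;
}

// Redeem a token: hash the presented value, look it up, enforce expiry and
// single use, then bump the session version so older sessions stop validating.
function redeemResetToken(raw, now) {
  const key = sha256(raw);
  const row = resetTokens.get(key);
  if (!row) return { ok: false, reason: "unknown" };
  resetTokens.delete(key); // single use; also clears an expired row
  if (now >= row.expiresAt) return { ok: false, reason: "expired" };
  const user = users.get(row.userId);
  if (!user) return { ok: false, reason: "unknown" };
  user.sessionVersion += 1;
  return { ok: true, userId: row.userId, sessionVersion: user.sessionVersion };
}

// A session carries the version it was minted under; a mismatch means stale.
function isSessionCurrent(session) {
  const user = users.get(session.userId);
  return Boolean(user) && session.version === user.sessionVersion;
}
```

A fast hash is adequate for the reset token only because it carries 256 bits of randomness; short numeric verification codes depend on the expiry window and throttling listed above, since their hashes can be enumerated quickly.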
Workspace access: How access is organized
The data model is workspace-based. Users belong to organizations, and the operational records used by the product are attached to those organizations rather than exposed as a public profile layer.
Named user memberships: Access runs through user accounts and organization memberships, with roles such as owner, admin, member, and viewer.
Customer-controlled team access: Customers are responsible for inviting the right people, assigning the right role, and removing access when someone should no longer be in the workspace.
Role-based visibility and action limits: The application supports different levels of access so every user does not need the same authority over billing, team management, or workflow changes.
Operational data stays inside the workspace context: Internal notes, owners, blockers, and workflow status exist to support the team's internal process. They are not the same as the product's public company pages or public-register content.
Processors: Infrastructure and third-party services
Entity Watch uses managed infrastructure and specialist providers for the layers where that is the safer and more maintainable choice.
Hosting on Vercel: The application is hosted on Vercel, which serves the live product and public site over the managed web infrastructure used by the service.
Managed Postgres via Prisma: Workspace data is stored in Postgres and accessed through Prisma rather than through ad hoc direct database handling inside the app code.
Stripe for payments and Resend for transactional email: Billing runs through Stripe. Transactional email runs through Resend when email delivery is enabled, rather than through a hand-built mail system.
OpenAI only for the assistant path when used: If you use the in-product assistant and the OpenAI-backed reply path is enabled, assistant messages plus relevant page or workspace context may be sent to OpenAI to generate a reply. That processing is tied to the assistant feature, not to ordinary watchlist or billing usage.
Boundaries: What Entity Watch is not designed to be
A trustworthy privacy position also means drawing clear boundaries around the service instead of implying protections for use cases the product is not built to handle.
Not an identity-document vault: Entity Watch is not sold as a passport, driving-licence, or general identity-document storage system. Firms should not treat it as a broad document vault for that purpose.
Not legal advice: The product helps firms organize monitoring and follow-up. It does not replace legal advice, professional judgment, or regulated filing decisions.
Not an advertising or data-broker platform: Entity Watch is not positioned as an ad-tech or data-resale business, and it does not sell private workspace data for those purposes.
Not a substitute for internal access hygiene: No privacy page can compensate for weak internal account management. Firms should still use strong passwords, enable two-factor where appropriate, and remove old access promptly.
Requests: Questions, support, and data review
If a customer needs clarity on what is stored, how billing records are handled, or how a workspace should be cleaned up, the expectation is a direct answer rather than silence.
Operational use of data: Workspace and account data are used to provide alerts, verification workflow, billing, support handling, account security, and day-to-day product operations.
Support requests are recorded so they can be handled: When you submit the support form, the request is saved with delivery status so the issue can be tracked and followed up, rather than living only in an unstructured email thread.
Use the support page for privacy questions: If you need help with account data, workspace data, billing references, support records, or deletion questions, use the support page and include the firm or workspace name so the request can be reviewed properly.
Straight answers over vague assurances: If there is a real privacy or security question behind a rollout, ask it directly. Entity Watch is aimed at professional teams that need operational clarity, not marketing language.