Log in

Security

Built to protect
your team's work

Batonly is used to document internal workflows, systems, and operational processes. Because that content can be sensitive, security isn't an afterthought here — it's part of how the product is built.

Overview

Security at every layer

Batonly uses modern cloud infrastructure and strong access controls throughout. Your data is isolated, encrypted, and only accessible to you.

Secure authentication

Accounts are protected by Supabase Auth, with session-based login and full password reset flows.

Data isolation

Row Level Security ensures database queries only return data belonging to the authenticated user.

Private file storage

Screenshots are stored in private buckets. Files are never publicly accessible — only via signed URLs.

Encryption everywhere

All traffic is encrypted using HTTPS and TLS. Data at rest is encrypted by the underlying cloud providers.

Trusted infrastructure

Batonly runs on Supabase, Vercel, and Cloudflare — providers with proven security track records.

Responsible development

Access policies, restricted APIs, and secure auth flows are applied as standard practice throughout.

Authentication

Authentication and access control

Batonly uses Supabase Auth to handle all user authentication. This is a purpose-built authentication system with a strong security model — Batonly never stores raw passwords or manages authentication directly.

  • Passwords are hashed — Batonly never stores or sees your plaintext password
  • Session tokens are stored securely and expire automatically
  • Full password reset flow with time-limited email links
  • Authenticated users can only access their own projects and guides
  • Database Row Level Security (RLS) enforces per-user access at the infrastructure level
How RLS works

Row Level Security is a Postgres feature that attaches access policies directly to database tables. Every query — no matter how it originates — is automatically filtered by these policies.

In Batonly, all tables enforce a policy that restricts reads and writes to rows owned by the currently authenticated user. Even at the database level, your data is invisible to other users.

Data isolation

Your data is yours alone

Every project, guide, and task in Batonly is linked to the user who created it. Database policies prevent any user from reading or modifying another user's data — even if they know the ID.

This isolation is enforced at the database level, not just in application code. It cannot be bypassed by a bug in the application layer.

File security

Screenshots stay private

Batonly is designed for documenting real workflows, which often means your screenshots contain internal systems, dashboards, or operational tools. Those files are treated accordingly.

All uploaded screenshots are stored in private storage buckets — they are not publicly accessible via any URL, and are never exposed without authentication.

  • Screenshots stored in private, non-public storage buckets
  • No screenshot can be accessed via a direct public URL
  • Images are served only through time-limited signed URLs
  • Signed URLs expire automatically — they cannot be shared indefinitely
  • Storage access policies ensure users can only retrieve their own files

Infrastructure and encryption

Reliable providers, encrypted by default

Batonly is built on infrastructure from providers with strong security records. Encryption is applied at every layer as a baseline, not an option.

Infrastructure

Batonly runs on three core providers:

  • Supabase — database, authentication, and file storage, built on Postgres with enterprise-grade security.
  • Vercel — application hosting and deployment, with automatic HTTPS and global edge network.
  • Cloudflare — DNS and network-level protection, including DDoS mitigation.

Encryption

  • All traffic between your browser and Batonly is encrypted using HTTPS and TLS.
  • Data at rest — including your guides, tasks, and uploaded files — is encrypted by Supabase and Vercel's underlying cloud providers.
  • Connections to the database are encrypted in transit and never exposed directly to the public internet.

AI processing

How AI fits into the picture

Batonly uses Anthropic's Claude API to generate guides from the screenshots and context notes you provide. This means content you upload is processed by Anthropic's systems as part of that generation step.

Only the data required to generate your guide — the relevant screenshots and your context notes — is sent to the AI. Anthropic's API usage policies do not permit user data to be used for model training. You can review Anthropic's privacy practices at anthropic.com/privacy.

What the AI receives
  • Screenshots and images you upload for a specific guide
  • Context notes you write for each step
  • Structured instructions to generate formatted documentation

Recommendation: Avoid uploading screenshots that contain credentials, personal data, or confidential financial information. AI processing involves third-party systems outside Batonly's direct control.

Development practices

Security-conscious by default

Security isn't something added at the end. The following practices are applied throughout Batonly as standard.

Database access policies

Row Level Security is enforced on all tables. No unauthenticated or cross-user queries are possible.

Restricted storage

File storage is configured with private access by default. Uploads are only accessible via authenticated, time-limited requests.

Controlled API usage

External API calls — including to the AI provider — are made server-side, with keys stored securely as environment variables.

Secure auth flows

Authentication, password resets, and session management are handled by Supabase Auth with industry-standard token handling.

Found a security issue?

If you discover a potential security vulnerability in Batonly, please let us know. We take all reports seriously and will investigate promptly.

security@batonly.com

General questions? Reach us at hello@batonly.com