Security at Pine
Data security and responsible disclosure
Your privacy and data security are our top priorities. We protect your information at every step, commit to data minimization and purpose limitation, and welcome responsible disclosure of security vulnerabilities.
What we process and keep
Conversations with Pine
We retain conversation history, such as "Cancel my subscription", to improve service and support traceability. We remove personal identifiers from this data to ensure privacy.
Account information
Essential data, such as your email, preferences, and timezone, used to personalize the service.
Operational data
Service health and performance metrics, stripped of any sensitive user content.
How we protect your data
In transit
All communications with Pine are secured with industry-standard encryption.
At rest
Data in logs and databases is encrypted using advanced standards.
During tasks
Sensitive data is processed in isolated, short-lived environments with hardened protection.
Your Sensitive Data Stays Protected
We keep sensitive information, such as account details and payment data, out of AI processing. This data is not accessible to our agents, and is not used for training or analytics.
Vulnerability Disclosure Program
Report a vulnerability
We will acknowledge receipt within 3 business days and aim to provide a substantive response within 10 business days.
How to report a vulnerability
If you believe you have found a security issue in Pine, please email our security team with enough detail for us to reproduce and validate the issue.
Please include
- A clear description of the issue
- Reproduction steps
- Proof-of-concept, if available
- Potential impact
Scope
- Pine web application: 19pine.ai and subdomains
- Pine mobile apps (iOS / Android)
- Pine APIs
- Authentication, authorization, account takeover, and PII exposure vulnerabilities
Out of scope
- Social engineering, phishing, or physical attacks
- Denial-of-service attacks
- Vulnerabilities in third-party services we integrate with
- Self-XSS or attacks requiring user-side manipulation without remote exploitation
- Findings from automated scanners without demonstrated impact
- Missing security headers without exploitable consequence
- Content spoofing without credible risk
- AI prompt injection from user-uploaded content, which is treated as user-level input by design
Safe harbor
If you make a good-faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and we will not recommend or pursue legal action related to your research.
Good-faith means
- No data destruction
- No service disruption
- No accessing data beyond what is necessary to demonstrate the vulnerability
- No public disclosure until we have had a reasonable chance to remediate
Recognition
Pine does not currently operate a formal bug bounty program and cannot guarantee monetary rewards. For valid, impactful findings disclosed responsibly, we may offer the following at our discretion:
- Public acknowledgment on this page
- A LinkedIn recommendation from our team
- Pine swag
- At our discretion, a one-time goodwill payment
Security acknowledgments
We thank the following researchers for responsibly disclosing security issues to Pine.