Security & Privacy

Two-factor authentication, session management, and data privacy.

Two-Factor Authentication (2FA)

Add an extra layer of security with TOTP-based 2FA.

Setting Up 2FA

  1. Go to Settings → Security
  2. Click Setup 2FA
  3. Scan the QR code with your authenticator app (Google Authenticator, Authy, 1Password)
  4. Enter the 6-digit code to verify
  5. 2FA is now active — you'll need your authenticator on each login

Brute-Force Protection

After 5 failed 2FA attempts, your account is locked for 15 minutes.
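
An added example, not ReachSurge's own code, of how a server can enforce this lockout rule around RFC 6238 TOTP verification. The 6-digit code, 5-attempt limit and 15-minute lock come from this page; the 30-second step, HMAC-SHA1, the replay check and the TwoFactorGuard name are assumptions.

```python
import hashlib
import hmac
import struct

MAX_FAILURES = 5            # from the page: 5 failed attempts
LOCKOUT_SECONDS = 15 * 60   # from the page: 15-minute lock
DIGITS = 6                  # from the page: 6-digit code
STEP = 30                   # assumption: RFC 6238 default time step


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TwoFactorGuard:
    """Per-account failure counter with a fixed lockout window (hypothetical)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.locked_until = 0.0
        self.last_used_step = -1   # assumption: reject reuse of an accepted code

    def verify(self, code: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"        # while locked, even a correct code is refused
        step = int(now) // STEP
        expected = totp(self.secret, now).encode()
        # Constant-time comparison; bytes so non-ASCII input cannot raise.
        matches = hmac.compare_digest(code.encode(), expected)
        if matches and step > self.last_used_step:
            self.last_used_step = step
            self.failures = 0
            return "ok"
        self.failures += 1         # wrong or replayed codes both count
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0      # fresh budget once the lock expires
            return "locked"
        return "invalid"
```

The counter and lock live on the account rather than the session or IP address, so opening a new connection does not reset the attempt budget.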

Backup codes

When you enrol in 2FA we generate ten one-time backup codes. Save them somewhere safe — a password manager is ideal. Each code works exactly once and lets you sign in if you lose access to your authenticator. You can regenerate the set any time at Settings → Security → Regenerate backup codes (which invalidates the old ones).

Lost authenticator + lost backup codes

Visit /recover and submit your email. We'll email you a secure recovery link that disables 2FA on your account so you can sign in. Re-enrol immediately after.

Password reset

Forgotten password? Click Forgot password? on the login page (or visit /forgot-password directly) and we'll email a one-time reset link. The link expires in 60 minutes; request a new one if it does. Active sessions are signed out the moment you set a new password.

Session Management

View and control active sessions in Settings → Security:

  • See all devices currently logged in (device type, browser, IP, last active)
  • Revoke individual sessions
  • Revoke All Others to sign out everywhere except your current device

New Device Alerts

When a login is detected from a new device or IP address, ReachSurge sends an email alert. If it wasn't you, secure your account immediately.

Data Privacy (GDPR)

In Settings → Privacy:

  • Download your data — export all your data as JSON or CSV
  • Request account deletion — when you submit a deletion request you enter a 30-day grace period. During that window the data is preserved and you can cancel the request from the same page. We also automatically stop your next subscription renewal so you aren't billed during the grace window — if you cancel the deletion request, you'll need to reactivate the subscription from Settings → Billing to keep paying. After 30 days the cron job purges your account permanently, satisfying GDPR Article 17.

Audit Log (Enterprise)

Enterprise plans include a full audit log in Settings → Audit Log:

  • Track all account activity (logins, settings changes, team modifications)
  • Filter by action type and date
  • Export as CSV

FAQ

Is my data encrypted? Yes, all data is encrypted at rest and in transit via Supabase's built-in encryption.

Can I disable 2FA? Yes, go to Settings → Security and click disable. You'll need to enter a code to confirm.

What data is included in the GDPR export? Profile, websites, generated pages, citations, backlinks, notifications, achievements, and integration settings (excluding API secrets).