Security and Data Protection

How we protect public pages, private portals, payments, and alert data.

HTTPS

Public pages, private portals, APIs, and forms should operate over HTTPS in production.

Private access

Private areas use sign-in, signed sessions, server tokens, and separation from public navigation.

Roles and audit

Sensitive changes such as ads, businesses, billing, and SEO should be logged with actor, time, and before/after values where practical.

Payments

Payments and subscriptions are processed with Stripe. We store the customer, subscription, invoice, and event identifiers we need, not full card details.

Notifications

Email, SMS, WhatsApp, and push notifications use external providers, plus delivery logs for support, opt-out, and abuse control.

Abuse prevention

Forms, public APIs, wait cards, alerts, login, payments, and ad events use limits and validation to reduce spam, bots, and abuse.

Reduced data

We prefer storing only what is needed to operate, bill, audit, improve, and protect the service. Request identifiers should be protected or aggregated where practical.

Secrets

Tokens, keys, webhooks, and connection strings should live in environment variables or secure storage, not public pages or published repositories.

Reports

Report suspected security issues through our contact channel. Include the URL, time, steps, and evidence. Do not exploit the issue, download others' data, disrupt service, or publish details before review.

Contact

No perfect guarantee

No internet-connected system can guarantee absolute security. We will investigate reasonable reports and prioritize fixes by risk.