Security

How we protect your data and how to report security issues.

Last updated: January 1, 2026

Protecting your data is our priority. This page describes our security practices and how to report security vulnerabilities responsibly.

How we protect your data

Encryption in transit

All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS). This includes uploaded photos, account information, and payment data.

Encryption at rest

Data stored on our servers and cloud infrastructure is encrypted using AES-256 encryption.

Secure authentication

We use Supabase for authentication with secure session management. Passwords are hashed using industry-standard algorithms. We support magic link (passwordless) authentication for enhanced security.

Payment security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never store credit card numbers on our servers.

Access controls

Access to production systems and customer data is limited to authorized personnel on a need-to-know basis. We use multi-factor authentication for all administrative access.

Data retention

Photos are automatically deleted after 30 days. We retain only the minimum data necessary for business and legal purposes. See our Privacy Policy for details.

Data breach notification

In the event of a data breach affecting your personal information, we will:

  • Notify affected users within 72 hours of confirming a breach, as required by CCPA and other applicable laws.
  • Describe the breach including what information was affected and what happened.
  • Explain what we're doing to address the breach and prevent future incidents.
  • Provide guidance on steps you can take to protect yourself.
  • Report to authorities including the California Attorney General if required by law.

Infrastructure security

  • Cloud hosting: We use Vercel for application hosting and Supabase for database and storage, both with SOC 2 Type II compliance.
  • Regular updates: Dependencies and systems are regularly updated to patch known vulnerabilities.
  • Monitoring: We monitor for suspicious activity and security incidents.
  • Backups: Regular automated backups ensure data recovery capability.

Report a vulnerability

We appreciate security researchers who help keep SmilePlease safe. If you discover a security vulnerability, please report it responsibly by email to security@smileplease.app (see Contact below).

Please include:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact
  • Any proof-of-concept code or screenshots
  • Your contact information (optional)

Responsible disclosure policy

We ask that you:

  • Do not access or modify data belonging to other users.
  • Do not perform actions that could harm our service or users (DoS, spam, data destruction).
  • Do not publicly disclose the vulnerability until we have had reasonable time to address it.
  • Do provide sufficient information for us to reproduce and fix the issue.
  • Do act in good faith to avoid privacy violations and data exposure.

Safe harbor

We support good-faith security research. If you follow our responsible disclosure policy, we will:

  • Not pursue legal action against you.
  • Work with you to understand and resolve the issue quickly.
  • Acknowledge your contribution (if you wish).
  • Keep you informed of our progress in fixing the issue.

Response timeline

  • Acknowledgment: Within 72 hours of receiving your report.
  • Initial assessment: Within 7 business days.
  • Status updates: We will keep you informed until the issue is resolved.
  • Resolution: Depending on severity, typically within 30-90 days.

Out of scope

The following are generally not considered security vulnerabilities:

  • Issues requiring physical access to a user's device
  • Social engineering attacks
  • Denial of service attacks
  • Issues in third-party services (report to them directly)
  • Missing security headers that don't lead to exploits
  • Rate limiting issues that don't affect security

Keeping your account safe

You can help protect your account by:

  • Using a unique, strong password or magic link authentication.
  • Keeping your email account secure (it's used for login).
  • Logging out when using shared devices.
  • Reporting suspicious activity to us immediately.

Contact

For security questions or to report a vulnerability: security@smileplease.app