This page is maintained by the SubTrackr team to answer common security and privacy questions. It describes the controls that are currently enabled and is not an independent certification.
Account access
- Email + password authentication backed by managed Lovable Cloud auth.
- Passwords are hashed (never stored in plain text) and password recovery is via signed email links.
- Magic-link and forgot-password flows are first-class in the auth surface.
Data isolation
- Every database table that stores user data has Row Level Security enabled.
- Policies scope every read and write to auth.uid(): your account cannot see or modify another account's rows.
- Service-role keys are never shipped to the browser.
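As an added illustration of the policy pattern described above (not SubTrackr's actual schema), the following shows per-user Row Level Security on one table. The table `subscriptions`, its columns and the policy names are hypothetical, and the `authenticated` role and `auth.uid()` helper are assumed to behave as in Supabase-style managed Postgres auth.

```sql
-- Hypothetical table; SubTrackr's real schema is not shown on this page.
create table public.subscriptions (
  id        uuid primary key default gen_random_uuid(),
  user_id   uuid not null default auth.uid(),  -- owner of the row
  name      text not null,
  amount    numeric(10,2) not null,
  renews_on date
);

-- Policies are only enforced once RLS is switched on for the table.
-- With RLS on and no matching policy, a role gets no rows at all.
alter table public.subscriptions enable row level security;

-- Reads: USING filters which existing rows are visible.
create policy "select own rows" on public.subscriptions
  for select to authenticated
  using (auth.uid() = user_id);

-- Inserts: WITH CHECK validates the new row, so a client cannot
-- create a row with someone else's user_id.
create policy "insert own rows" on public.subscriptions
  for insert to authenticated
  with check (auth.uid() = user_id);

-- Updates need both: USING limits which rows can be targeted,
-- WITH CHECK stops a row being reassigned to another user.
create policy "update own rows" on public.subscriptions
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "delete own rows" on public.subscriptions
  for delete to authenticated
  using (auth.uid() = user_id);

-- Audit query: any table listed here in the public schema has RLS
-- disabled and is not protected by the policies above.
select c.relname as table_without_rls
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

A role with the BYPASSRLS attribute, which is how service-role keys typically operate, skips these policies entirely, which is why such keys must stay server-side.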
Transport & hosting
All traffic is served over HTTPS. The app runs on Lovable's managed edge runtime, with the database hosted on managed Postgres.
What SubTrackr does not do
- No connections to your bank, card network, or any payment processor.
- No third-party advertising or analytics trackers on the application surface.
- No automated payments on your behalf.
Reporting a vulnerability
If you've found a security issue, please email security@subtrackr.app with details. We'll acknowledge within 72 hours and won't take legal action against good-faith research.