• Collect the minimum personal data needed to deliver our services.
• Encrypt data in transit and at rest where technically feasible.
• Apply least-privilege access controls and log access to sensitive systems.
• Segregate environments and credentials between production, staging, and development.
• Review third-party vendors for security posture before integration.

We use industry-standard controls including multi-factor authentication for staff access, regular dependency and platform patching, monitoring and alerting for unusual activity, and documented incident response procedures.

Our security and privacy practices are aligned with applicable U.S. federal and state requirements, including FTC guidance on protecting personal information and U.S. state privacy laws such as the CCPA. As our offering and infrastructure evolve, we will add further attestations (e.g. SOC 2) where appropriate.

• Use a unique, strong password. Never reuse passwords across sites.
• Enable any multi-factor authentication option when offered.
• Be alert to phishing. We will never ask for your password by email.

If you believe you have found a security issue, please contact us at the email below. Provide enough detail to reproduce the issue, do not test against real user accounts other than your own, and give us a reasonable window to remediate before public disclosure.