Security
Last updated: May 21, 2026
Where your data lives
- Cloudflare serves the redirect and API workers, and stores link records in Cloudflare KV. Click events flow through a Cloudflare Queue to a consumer Worker. Cloudflare is SOC 2 Type II and ISO 27001 certified.
- Supabase (managed Postgres on AWS, region
us-east-1) is the source of truth for accounts, destinations, placements, videos, and click history. Supabase is SOC 2 Type II certified.
We do not run our own servers or databases. Both subprocessors encrypt data in transit (TLS) and at rest.
Authentication and access
- Sign-in is Google OAuth via Supabase Auth — we never see or store your Google password.
- Your YouTube refresh token is stored server-side in a column that is unreadable through the public API. Only two server functions can read it: one scoped to your own user ID (for the API Worker) and one privileged variant used by the background sync job.
- Every Postgres table that holds creator data uses row-level security policies tied to the authenticated user — one creator cannot read another creator's rows.
What the redirect Worker sees and doesn't see
- The redirect Worker never reads viewer IP addresses. Geographic fields are pre-derived by Cloudflare's edge.
- Query strings are filtered through an allowlist before being recorded. Tracking params (utm_*, fbclid, gclid, etc.) are dropped.
- The User-Agent string is kept for parsing, but no other request headers are persisted.
- No cookies are set or read.
Retention and deletion
See the Privacy Policy for retention details. Account deletion is a two-step process: KV records and placements are removed immediately so links stop resolving, and click rows are hard-deleted by a daily background job after a 30-day grace window.
Incident response
If we discover a security incident that affects your data, we'll notify the email on your account within 72 hours of confirmation, describe what we know, and explain what we're doing about it. If you believe you've spotted a security issue, please email [email protected] with details (steps to reproduce help a lot). We do not currently run a bug bounty program, but we appreciate responsible disclosure and will credit researchers who ask.
Contact
Security questions or disclosure reports can be sent to [email protected].
