Encryption
In transit: every request to Statzy — dashboard, API, redirects, QR scans, MCP endpoints — is served over TLS 1.2 or higher. HTTP requests are redirected to HTTPS.
At rest: our production database and object storage encrypt all data at rest with AES-256.
Authentication
Passwords are hashed with modern algorithms and never stored or transmitted in plain text. Sessions use short-lived signed tokens with secure refresh rotation.
Optional social sign-in (Google) uses OAuth 2.0. We only receive the scopes you approve. You can revoke access from your Google account at any time.
Secure payment handling
Subscription payments are processed by regulated PCI-DSS-compliant payment providers. Card data is entered directly on the provider's hosted fields; Statzy servers only receive a tokenised reference, the card brand, and the last four digits for display in Billing.
Payment webhooks are signature-verified before we act on them, and every webhook event is deduplicated so a replayed event cannot double-bill or double-provision.
Data storage & hosting
Statzy runs on managed cloud infrastructure with redundant hosting and automated daily backups. Analytics events are stored in our primary database with retention aligned to your plan.
Uploaded assets (bio-page avatars, white-label logos, QR icons) are stored in dedicated buckets with per-user access rules.
Account protection
We rate-limit sensitive actions (sign-in, password reset, payment flows) to slow down brute-force attempts, and we email you when unusual activity is detected.
You can reset your password at any time from the sign-in page. If your account is ever compromised, contact statzyhq@gmail.com immediately.
Security monitoring
Production systems emit logs and metrics that are monitored for errors, abuse, and anomalous behaviour. Access to production is restricted to a small number of engineers, requires strong authentication, and is audited.
Incident response
If a security incident affects your data, we investigate, contain, and remediate as fast as we can, and notify affected users promptly with what happened, what data was involved, and what we did about it.
Sub-processors
Statzy relies on a small set of vetted sub-processors for hosting, database, email delivery, and payments. Each is bound by a data processing agreement and processes data only on our instructions. A current list is available on request from statzyhq@gmail.com.
Reporting a vulnerability
Security researchers: please email statzyhq@gmail.com with details and steps to reproduce. Please do not publicly disclose issues before we have had a reasonable chance to fix them.
