Legal

Data Processing & Security

Statzy handles your account data, your subscribers' analytics events, and your payment information. Here is how we keep them safe.
Last updated · July 8, 2026

Encryption

In transit: every request to Statzy — dashboard, API, redirects, QR scans, MCP endpoints — is served over TLS 1.2 or higher. HTTP requests are redirected to HTTPS.

At rest: our production database and object storage encrypt all data at rest with AES-256.

Authentication

Passwords are hashed with modern algorithms and never stored or transmitted in plain text. Sessions use short-lived signed tokens with secure refresh rotation.

Optional social sign-in (Google) uses OAuth 2.0. We only receive the scopes you approve. You can revoke access from your Google account at any time.

Authorization & data isolation

Every table that holds user data is protected by row-level security in the database. Regardless of the request path, users can only read and write the rows that belong to their workspace. Admin capabilities are gated by a separate roles table — never by a flag on a user profile.

Secure payment handling

Subscription payments are processed by regulated PCI-DSS-compliant payment providers. Card data is entered directly on the provider's hosted fields; Statzy servers only receive a tokenised reference, the card brand, and the last four digits for display in Billing.

Payment webhooks are signature-verified before we act on them, and every webhook event is deduplicated so a replayed event cannot double-bill or double-provision.

Data storage & hosting

Statzy runs on managed cloud infrastructure with redundant hosting and automated daily backups. Analytics events are stored in our primary database with retention aligned to your plan.

Uploaded assets (bio-page avatars, white-label logos, QR icons) are stored in dedicated buckets with per-user access rules.

Account protection

We rate-limit sensitive actions (sign-in, password reset, payment flows) to slow down brute-force attempts, and we email you when unusual activity is detected.

You can reset your password at any time from the sign-in page. If your account is ever compromised, contact statzyhq@gmail.com immediately.

Security monitoring

Production systems emit logs and metrics that are monitored for errors, abuse, and anomalous behaviour. Access to production is restricted to a small number of engineers, requires strong authentication, and is audited.

Incident response

If a security incident affects your data, we investigate, contain, and remediate as fast as we can, and notify affected users promptly with what happened, what data was involved, and what we did about it.

Sub-processors

Statzy relies on a small set of vetted sub-processors for hosting, database, email delivery, and payments. Each is bound by a data processing agreement and processes data only on our instructions. A current list is available on request from statzyhq@gmail.com.

Reporting a vulnerability

Security researchers: please email statzyhq@gmail.com with details and steps to reproduce. Please do not publicly disclose issues before we have had a reasonable chance to fix them.