Loyalty Chips

Security

Last updated: May 1, 2026.

Data in transit

All customer-facing endpoints are served over TLS 1.3 at the Cloudflare edge. HTTP is redirected to HTTPS before requests reach the application.

Data at rest

Production customer and venue data lives in Cloud Firestore behind the Cloudflare Worker service account. Direct browser reads and writes are denied by Firestore rules; development sandboxes are isolated and are not part of the production serving path.

Authentication

  • Email/password accounts are managed by Firebase Auth; password-reset and verification flows use signed or hashed one-time tokens.
  • Application sessions use signed JWTs delivered in secure, HttpOnly cookies with a 7-day expiry and environment-scoped secrets.
  • Google OAuth, password reset, and email verification routes use signed state or hashed one-time tokens.
  • CORS is restricted to an environment-scoped allowlist in production.
  • Per-IP rate limits cover auth, public capture, public scan, newsletter, lead, and key owner/admin mutation endpoints.

Privacy hygiene

Public scan and launch analytics endpoints log a truncated SHA-256 of the client IP with a production salt; raw IPs are never persisted. Interaction monitoring stores named events, coarse scroll depth, dead-click or rage-click counts, field names, validation error types, character-count buckets, and paste-used flags only. It does not store raw keystrokes, field values, payment details, passwords, or high-resolution pointer trails. Detailed launch analytics include an expiration timestamp for Firestore TTL retention, are visible only through admin-authenticated summaries, and are capped in Admin HQ views. Admin-as-owner access is audit logged, and customer export/delete actions are tracked for privacy response workflows.
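The IP handling described above can be sketched as follows. This is an added example, not Loyalty Chips' own code: the function names, the 16-character truncation, the way the salt is combined with the IP, and the sample values are all assumptions, and it uses Node's crypto module so it runs offline.

```javascript
// Added example: pseudonymise a client IP before anything is logged.
const { createHash } = require("node:crypto");

// Assumption: keep the first 16 hex characters (64 bits) of the digest.
const TRUNCATED_HEX_CHARS = 16;

// Returns a truncated, salted SHA-256 of the IP.
// Assumption: salt and IP are fed to the hash in that order with a
// separator; the page does not say how the two are combined.
function hashClientIp(ip, salt) {
  // Fail closed: the IPv4 space is small enough to enumerate, so an
  // unsalted or weakly salted hash would not hide the address.
  if (typeof salt !== "string" || salt.length < 16) {
    throw new Error("salt missing or too short");
  }
  // Normalise so that the same address always maps to the same token.
  const normalized = String(ip).trim().toLowerCase();
  return createHash("sha256")
    .update(salt, "utf8")
    .update("\n")
    .update(normalized, "utf8")
    .digest("hex")
    .slice(0, TRUNCATED_HEX_CHARS);
}

// Builds the record that is persisted. The raw IP is read only to derive
// the hash and is never copied into the stored object.
function buildScanLogEntry(request, salt) {
  return {
    event: request.event,
    ts: request.ts,
    ipHash: hashClientIp(request.ip, salt),
  };
}

// Constructed sample input (documentation-range IP, placeholder salt).
const SAMPLE_SALT = "constructed-sample-salt-not-a-real-secret";
const SAMPLE_REQUEST = {
  event: "public_scan",
  ts: "2026-05-01T12:00:00Z",
  ip: "203.0.113.42",
};

const entry = buildScanLogEntry(SAMPLE_REQUEST, SAMPLE_SALT);
console.log(entry);
```

Because the salt is scoped to one environment, the same address yields unrelated tokens in development and production, so records cannot be joined across them.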

Reporting a vulnerability

Please email security@loyaltychips.com. We acknowledge reports within 3 business days.
