Security

Encryption

All traffic is served over HTTPS with HSTS and a 2-year preload policy. Data at rest in our database is encrypted by the underlying managed Postgres service (Supabase, hosted on AWS).

Access control

Every Postgres table that holds pod data has row-level security enabled. Policies are scoped to pod membership: you can only read or write rows for pods you belong to. Roles inside a pod (admin, leader, accounting, member) further gate destructive actions like changing fees or approving payments.

Storage buckets are similarly scoped. Avatars and pod logos live in public buckets (you choose what to upload). Chat images and payment screenshots are stored in private buckets and served via short-lived signed URLs — never with a permanent public link.

Content Security Policy

Every response includes a Content Security Policy header that restricts which origins can load scripts, styles, images, and network connections. Violations are reported to /api/csp-report so we can detect drift early.

Third-party processors

• Supabase — managed Postgres, Auth, Storage, and Edge Functions. Hosted on AWS us-east-1.
• Vercel — web app hosting, CDN, and edge runtime.
• PostHog — anonymous product analytics. No PII is sent.

Payments

Pickleloonies does not process card payments and does not store any payment-card data. We track who owes what; members settle directly through Venmo, Zelle, or cash. Payment screenshots you upload are private to your pod admins and the uploader.

Vulnerability disclosure

If you find a security issue, email privacy@pickleloonies.com with details and a way to reproduce. We'll acknowledge within 72 hours and won't pursue legal action against good-faith research that respects user privacy and stays within the bounds of this policy.

Data export and deletion

Pods can export their session history, RSVP log, and ledger as CSV from the pod settings page. Account deletion is available from your profile — see the Privacy Policy for retention specifics.