
Your security is our top priority. Learn about the measures we take to protect your data and our platform.
All data transmitted between your browser and our servers is encrypted using TLS 1.3 (HTTPS). Data stored in our databases is encrypted at rest using AES-256. Media files stored in Cloudflare R2 are encrypted at rest by default.
We use OAuth 2.0 with PKCE (Proof Key for Code Exchange) for secure authentication via Google and Facebook. We never store your OAuth provider passwords. All API endpoints require valid authentication tokens, and our database uses Row-Level Security (RLS) policies to ensure users can only access their own data.
Our infrastructure is hosted on trusted cloud providers including Supabase (PostgreSQL database), Cloudflare (CDN, R2 storage, DDoS protection), and Vercel (application hosting). Each provider maintains SOC 2 compliance and implements comprehensive security programs. We use rate limiting (Upstash Redis) to protect against abuse.
We use Sentry for real-time error tracking and performance monitoring. We monitor for security anomalies and unauthorized access attempts. In the event of a security incident, we follow a defined incident response procedure that includes containment, investigation, notification (as required by law), and remediation.
Child profiles are protected by parental PIN controls (4-6 digit PIN with brute-force protection). Content safety filters are applied to all AI-generated content to prevent inappropriate material. We collect minimal data from child profiles (name, birth year, content preference only). No direct child accounts exist — all child profiles are managed by a verified parent account.
If you discover a security vulnerability in our platform, please report it responsibly by emailing [email protected]. We ask that you allow us a reasonable time to investigate and address the issue before making any public disclosure. We appreciate the security research community's efforts in keeping our users safe.