Last updated: April 2026. We use industry-standard practices appropriate to the size and risk of our service.
Encryption
- In transit: TLS 1.2+ for all connections to the site, the platform, and the API.
- At rest: AES-256 encryption applied by our database and storage providers (Supabase, Vercel storage).
- Secrets: environment variables and API keys are stored in the hosting provider’s encrypted secret store, never in source control.
Authentication & access
- Admin access uses password authentication plus a JWT signed with a server-side secret, scoped to a short-lived admin_token httpOnly cookie.
- Hub client access uses phone-number OTP and a JWT-backed hub_token cookie scoped to /hub.
- API routes that handle privileged data use the service-role database client and verify session cookies on every request.
- Internal access to vendor consoles is limited to the smallest practical set of operators and protected by SSO and 2FA.
- We follow the principle of least privilege: contractors and integrations receive only the access required for their task.
Network & infrastructure
- Hosting on Vercel and Supabase, both of which maintain SOC 2 Type II reports.
- Database access restricted to allow-listed application origins; no public direct database access.
- Row-Level Security (RLS) enabled on customer-data tables, with admin overrides via the service role.
- Automated dependency scanning and timely patching for known vulnerabilities.
Logging & monitoring
- Application logs include authentication events, API errors, and admin actions.
- Anomalies and elevated error rates are surfaced for review.
- Logs containing personal information are retained only as long as needed for security and operations.
Backups & recovery
- Database backups are performed by Supabase per their managed-Postgres backup schedule.
- Configuration and code are version-controlled and reproducible.
- We periodically verify that backups can be restored.
Retention & deletion
- Lead-form and email-subscriber records are kept while you remain a contact and deleted within 30 days of a deletion request.
- Analytics data is auto-deleted after 14 months.
- SMS consent records are retained for the period required by carrier and regulatory obligations (typically the consent period plus 4 years).
Vendor management
See /legal/subprocessors for the full list. Every vendor is bound by data-protection terms no less protective than our DPA.
Incident response
If we become aware of a security incident or personal data breach, we will: (a) investigate and contain promptly, (b) notify affected customers without undue delay and no later than 72 hours where required, (c) provide what we know, what we are doing, and what affected parties should do, and (d) cooperate with regulators where applicable.
Reporting a vulnerability
If you believe you have found a security vulnerability, please email security@goodlookingco.com with steps to reproduce. We do not currently offer a paid bug-bounty program, but we acknowledge good-faith reports and credit researchers when they prefer.
Safe-harbor. We will not pursue legal action against researchers who: (a) make a good-faith effort to avoid privacy violations, data destruction, and service interruption; (b) only interact with accounts they own or with explicit permission of the account holder; and (c) disclose privately and give us reasonable time to remediate before any public disclosure.