Security

Signal Tracker is built on managed cloud infrastructure with authentication, database, and storage provided through Lovable Cloud. We follow least-privilege principles and limit administrative access to personal data.

• Row-Level Security restricts each user to their own records; admin access is role-gated.
• Passwords are salted and hashed by our authentication provider; access codes are stored only as SHA-256 hashes.
• All traffic is encrypted in transit using TLS.
• Server-side secrets are stored in a secrets manager and never exposed to client code.
• Administrative and self-service access to personal data — and all exports and deletions — are recorded in audit logs.

We welcome reports from security researchers. Please act in good faith, avoid privacy violations and service disruption, and do not access or modify data that is not yours. We will not pursue legal action for good-faith research that follows this policy.

Email security@signaltracker.live with:

• A description of the issue and its potential impact.
• Steps to reproduce, including any proof-of-concept.
• The affected URL, endpoint, or component.

• Acknowledgement of your report within 3 business days.
• An initial assessment and severity triage within 7 business days.
• Status updates as we investigate, contain, and remediate.
• Notification of affected users where legally required.

security@signaltracker.live