How we protect your data

License keys

License keys are never stored in plaintext. We store only an HMAC-SHA256 hash with a secret key. Even in the event of a database breach, your keys remain unusable.

IP addresses

No raw IP addresses are ever stored. Only a salted, truncated hash per installation is kept for bot detection. The original IP cannot be recovered from the stored value.

Payments

All payments are processed by Stripe. We never see, process, or store card data. We are PCI compliant via Stripe.

Infrastructure

• HTTPS everywhere (TLS 1.3)
• PostgreSQL database encrypted at rest
• Plugin files signed with SHA-256 and time-limited download links
• Environment variables via Railway (never in code)

Vulnerability reporting

To report a vulnerability, email [email protected]. We will respond within 48 business hours.