Security Policy
Effective Date: April 18, 2026
Security is core to PinLaunchr. This page describes the technical and organizational measures we use to protect customer data, and how to report vulnerabilities. It supplements our Privacy Policy and Data Processing Agreement.
1. Infrastructure
- PinLaunchr runs on reputable cloud infrastructure providers (including Supabase for database/storage and Google Firebase for authentication) that maintain industry-standard certifications (e.g., SOC 2, ISO 27001) for their platforms.
- Production systems are logically separated from development and testing environments.
- We use managed, hardened services rather than self-operated servers wherever practical.
2. Data Encryption
- In transit: All traffic between your browser and the Service, and between the Service and third-party APIs (Stripe, Firebase, Supabase, AI providers, Pinterest), is encrypted with TLS (HTTPS).
- At rest: Customer data stored in our cloud databases and object storage is encrypted at rest by our infrastructure providers (AES-256 or equivalent).
3. Authentication and Access Control
- User authentication is handled by Google Firebase using OAuth sign-in (Google, Apple, Pinterest). We never see or store your social-login passwords.
- Application sessions use session cookies set with the HttpOnly and Secure attributes, which protects session tokens from client-side script access.
- Pinterest access uses scoped OAuth tokens limited to the permissions you grant; tokens are stored encrypted and can be revoked by you at any time.
- Internal access to production data is restricted to authorized personnel on a least-privilege, need-to-know basis, protected by strong authentication.
4. Payment Security
Payments are processed by Stripe, a PCI DSS Level 1 certified provider. Full payment card data is handled exclusively by Stripe and never touches PinLaunchr servers.
5. Application Security
- Server-side authorization checks run on every API route; user data is scoped per account and workspace.
- We protect against common web vulnerabilities (injection, XSS, CSRF) through framework-level defenses, parameterized queries, and security headers.
- Secrets and API keys are stored in environment configuration, never in client code or source control.
- Dependencies are monitored and updated for known vulnerabilities.
6. Logging and Monitoring
We maintain application and access logs for security monitoring, abuse detection, and incident investigation. These logs are retained for a limited period and are access-controlled.
7. Backups and Resilience
Databases are backed up on an automated schedule by our infrastructure providers, with point-in-time recovery where available. Backups are encrypted and purged on a rolling schedule.
8. Incident Response
- We maintain an incident response process covering identification, containment, eradication, recovery, and post-incident review.
- If a personal data breach affects your data, we will notify affected customers without undue delay (and within 72 hours where the GDPR applies), including the nature of the incident, data involved, and remediation steps. See the DPA, Section 9.
9. Data Deletion
You can delete content and your account from within the Service. Account deletion removes personal data per our retention schedule (generally within 90 days, subject to legal holds and rolling backup purges).
10. Employee and Vendor Practices
- Personnel with data access are bound by confidentiality obligations.
- Vendors and subprocessors are assessed for security posture and bound by data protection agreements (see DPA, Section 6).
11. Responsible Disclosure
We welcome reports from security researchers.
- Report to: contact@pinlaunchr.com (subject: "Security Vulnerability Report")
- Include: a description of the issue, steps to reproduce, affected URLs/endpoints, and your contact information.
- Please do not: access other users' data, degrade the Service (e.g., DoS), or publicly disclose before we have had a reasonable opportunity (90 days) to remediate.
- We commit to acknowledging reports within 5 business days and will not pursue legal action against good-faith research conducted within these guidelines.
12. Your Role
Security is shared. Please use a strong, unique password with your sign-in provider, enable two-factor authentication with that provider, protect devices that have active sessions, and review connected Pinterest permissions periodically.
13. Questions
contact@pinlaunchr.com · PinLaunchr, 1209 Mountain Road Place Northeast, Albuquerque, NM 87110, United States
