
Security

Last updated: April 2026

Security is not an afterthought at Stelo: it is part of the architecture from day one. This page describes the measures we take to protect your data and the accounts you trust us with.

Encryption in transit

All data between your device and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints and reject unencrypted connections.

Encryption at rest

Data stored in our Supabase PostgreSQL database is encrypted at rest using AES-256. Database backups are also encrypted.

Row Level Security

Supabase Row Level Security (RLS) policies ensure that each user can only read and write their own data, even at the database query level.
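As an added illustration (not Stelo's own schema or policies), this is what a Supabase RLS setup that scopes every row to the caller looks like; the `habits` table, its columns and the user id in the check are assumptions.

```sql
-- Hypothetical table keyed by the Supabase auth user id (not Stelo's schema).
create table if not exists habits (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid() references auth.users (id),
  name       text not null,
  created_at timestamptz not null default now()
);

-- Without this statement, policies are stored but never enforced, and the
-- API grants to the anon and authenticated roles expose every row.
alter table habits enable row level security;

-- One policy per command. Each compares the row's owner with the JWT
-- subject, so the filter runs inside PostgreSQL, not in application code.
create policy "habits_select_own" on habits
  for select to authenticated
  using (user_id = auth.uid());

create policy "habits_insert_own" on habits
  for insert to authenticated
  with check (user_id = auth.uid());

create policy "habits_update_own" on habits
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "habits_delete_own" on habits
  for delete to authenticated
  using (user_id = auth.uid());

-- Sanity check from a SQL session: impersonate a constructed user id and
-- confirm that only that user's rows are visible. Rolled back afterwards.
begin;
set local role authenticated;
set local request.jwt.claims =
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
select count(*) from habits;  -- counts only rows owned by ...0001
rollback;
```

The `service_role` key bypasses RLS entirely, so it belongs only on trusted servers, never in a client build.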
Payment security

Stelo+ payments are processed by RevenueCat and Stripe, both PCI DSS Level 1 certified. We never see or store your full card number.

Data Storage

All user data is stored on infrastructure operated by Supabase, Inc. Supabase is SOC 2 Type II certified and maintains industry-standard security controls. Data is hosted in data centres that comply with ISO 27001.

Passwords are never stored in plaintext. We store a cryptographic hash of your password. We are actively working on migrating account authentication to Supabase Auth for improved security.


Application Security

Authentication

User sessions are managed with short-lived JWT tokens. Sessions expire after 7 days of inactivity and can be revoked from any device via Settings. We plan to add two-factor authentication (2FA) in a future release.

Input validation

All data submitted to the Stelo API is validated and sanitised server-side to prevent injection attacks. We follow the OWASP Top 10 guidelines in our development practices.

Rate limiting

API endpoints are rate-limited to prevent brute-force and denial-of-service attacks. Repeated failed login attempts trigger a temporary account lockout.

Dependency management

We regularly audit our third-party dependencies for known vulnerabilities using automated tooling. Critical security patches are applied within 24 hours of public disclosure.


Payment Security

Stelo+ subscriptions are handled entirely by RevenueCat (subscription management) and Stripe (payment processing). Stripe is certified to PCI Service Provider Level 1, the most stringent level of payment card industry certification.

Stelo never receives, processes, or stores raw payment card data. We only receive a subscription status (active/inactive) and renewal dates from RevenueCat.


Social Feature Privacy

Friend connections in Stelo are mutual and require both parties to confirm. By default, only your username, current streak, and level are visible to friends. You can further restrict what is shared in Settings. We never expose your email address or other account details to other users.


Breach Response

In the event of a confirmed security breach affecting user data, we will:

  • Notify affected users within 72 hours of becoming aware of the breach, consistent with GDPR Article 33 and UAE data protection obligations.
  • Provide a clear description of what data was affected, the likely consequences, and the measures we have taken or will take.
  • Cooperate fully with relevant supervisory authorities.

Responsible Disclosure

If you have discovered a security vulnerability in Stelo, we want to know about it as soon as possible. We ask that you:

  • Report the vulnerability to us via email before disclosing it publicly.
  • Provide sufficient detail for us to reproduce the issue.
  • Give us reasonable time to address the vulnerability before disclosure; we aim to acknowledge within 48 hours and resolve critical issues within 14 days.
  • Not access, modify, or delete other users' data during testing.

We do not take legal action against good-faith security researchers who follow these guidelines.

Security contact

To report a vulnerability, please include a description of the vulnerability, steps to reproduce it, and any relevant screenshots or proof of concept. We will acknowledge your report within 48 hours.

security@steloapp.io
© 2026 Stelo App · Built calmly in Dubai