Security

How we protect your account and data

Last updated May 2026

Working draft

This page is a working draft and should be reviewed by qualified legal counsel before public launch.

1. Our Security Posture

Finding Horizons implements industry-standard security practices appropriate for a consumer travel application. This page describes our current measures honestly. We do not claim SOC 2 compliance, penetration-test certification, or bank-grade security — those claims would require independent audit and certification that we have not yet completed.

2. Data Transmission

All data transmitted between your device and Finding Horizons servers is encrypted in transit using TLS (HTTPS). We enforce HTTPS on all endpoints. HTTP connections are redirected to HTTPS.

3. Database Security

Your data is stored in Supabase PostgreSQL with row-level security (RLS) policies enforced at the database level. RLS ensures that each user can only access their own data: other users cannot query your points, trips, or collections even if they attempt to use the API directly.

4. API Keys & Secrets

All sensitive API keys (Stripe secret keys, AI provider keys, event provider tokens, Google server-side keys) are stored as environment variables on the server and are never exposed to the client or browser. Only variables with the NEXT_PUBLIC_ prefix, which hold safe-to-expose identifiers such as Maps API keys restricted by domain, are present in the browser bundle.

5. Payment Security

Payment card details are handled exclusively by Stripe, a PCI-DSS Level 1 certified payment processor. Finding Horizons never sees, stores, or handles raw payment card numbers, CVVs, or bank account details. We only store a Stripe customer ID and subscription status.

6. Authentication

Authentication is handled by Supabase Auth using industry-standard OAuth flows (Apple Sign-In, Google Sign-In) and secure email magic links. We do not store passwords. Session tokens are short-lived and stored in secure, HttpOnly cookies where supported.

Firebase is used only for analytics and App Check (bot protection) — not for authentication. Supabase is the sole authentication system.

7. Account Security Best Practices

We recommend you:

  • Sign in with Apple or Google (delegating credential management to your Apple/Google account security settings)
  • Enable two-factor authentication on your Apple or Google account
  • Sign out of the app when using a shared or public device
  • Contact us immediately if you believe your account has been compromised

8. Data Deletion & Account Removal

You can request deletion of your account and associated personal data from Settings. We process deletion requests within 30 days. Backups may retain data for up to 90 additional days before purging.

9. Security Incident Response

In the event of a security breach that affects your personal data, we will notify affected users as required by applicable law (PIPEDA, Québec Law 25, and applicable US state law requirements). Notification will be provided via email and/or in-app notice.

10. Responsible Disclosure

If you discover a security vulnerability in Finding Horizons, we ask that you report it to us responsibly before public disclosure. Contact us at support@findinghorizons.ca with "Security Disclosure" in the subject line.

We commit to acknowledging your report within 5 business days, and to working with you to resolve confirmed vulnerabilities before they are publicized. We do not currently offer a formal bug bounty programme, but we will publicly credit researchers who responsibly disclose issues if they wish.

Finding Horizons · 5513 Avenue de Monkland, Montréal, QC H4A 1C8, Canada
Legal: legal@findinghorizons.ca · Privacy: privacy@findinghorizons.ca