Security at Toggly
Your family's data deserves the highest protection.
Infrastructure
- Supabase (AWS) — EU/US regions, SOC 2 compliant infrastructure
- TLS 1.3 — encryption in transit for all data
- AES-256 — encryption at rest for stored data
- Daily automated backups — with point-in-time recovery
Access Control
- Row Level Security (RLS) — enforced on every database table
- Board-scoped access — users can only access data from boards they belong to
- No admin backdoors — even we can't see your data
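The two Access Control points above (RLS on every table, board-scoped access) are what Supabase's Postgres layer is built to express. The following is an added example, not Toggly's schema or policies: it assumes hypothetical tables named boards, board_members and items, uses Supabase's auth.uid() helper and auth.users table, and ends with a check that a signed-in user who belongs to no board sees nothing and cannot write into one.

```sql
-- Added example (not Toggly's own schema or policies). Table and column names
-- are assumptions; auth.uid(), auth.users and the "authenticated" role are
-- the standard Supabase ones.

create table boards (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table board_members (
  board_id uuid not null references boards(id) on delete cascade,
  user_id  uuid not null references auth.users(id) on delete cascade,
  primary key (board_id, user_id)
);

create table items (
  id       uuid primary key default gen_random_uuid(),
  board_id uuid not null references boards(id) on delete cascade,
  title    text not null
);

-- RLS is opt-in per table. A table exposed through the API without it is
-- readable by any authenticated client, so enable it on every table.
alter table boards        enable row level security;
alter table board_members enable row level security;
alter table items         enable row level security;

-- Membership check used by every policy. SECURITY DEFINER lets it read
-- board_members as the function owner instead of recursing through that
-- table's own policy; search_path is pinned so the lookup cannot be hijacked.
create or replace function is_board_member(b uuid)
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1 from board_members
    where board_id = b and user_id = auth.uid()
  );
$$;

-- One policy per command. USING filters rows a user can see or touch;
-- WITH CHECK constrains rows a user may create or produce by updating.
-- A FOR ALL policy with only USING would still let a member move an item
-- into a board they do not belong to, hence the explicit WITH CHECK clauses.
create policy "members read boards" on boards
  for select using (is_board_member(id));

create policy "members read membership" on board_members
  for select using (is_board_member(board_id));

create policy "members read items" on items
  for select using (is_board_member(board_id));

create policy "members insert items" on items
  for insert with check (is_board_member(board_id));

create policy "members update items" on items
  for update using (is_board_member(board_id))
  with check (is_board_member(board_id));

create policy "members delete items" on items
  for delete using (is_board_member(board_id));

-- Check: seed a board as the table owner (who bypasses RLS), then act as an
-- authenticated user who is not a member. auth.uid() reads the "sub" claim
-- from request.jwt.claims, so setting that GUC simulates an API request.
begin;
insert into boards (id, name)
  values ('00000000-0000-0000-0000-0000000000aa', 'Family board');
insert into items (board_id, title)
  values ('00000000-0000-0000-0000-0000000000aa', 'Dentist 10:00');

set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
  true);

-- A non-member should see no rows from either query ...
select * from boards;
select * from items;
-- ... and this insert should be rejected by the "members insert items" policy.
insert into items (board_id, title)
  values ('00000000-0000-0000-0000-0000000000aa', 'smuggled row');
rollback;
```

Two habits worth keeping when reviewing such a setup: query pg_tables for any table in the exposed schema with rowsecurity = false, and re-run the impersonation block above after every schema change, since a new table starts with RLS off.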
Authentication
- Sign in with Apple — industry-standard OAuth 2.0 / OpenID Connect
- Google Sign-In — industry-standard OAuth 2.0 / OpenID Connect
- Email/Password — with industry-standard password hashing (bcrypt)
- No plaintext credentials — stored anywhere
- Guest mode — data stored locally only, nothing sent to servers
Privacy by Design
- No ads — ever
- No profiling or targeted advertising — your data is never used for ad targeting
- Anonymous usage statistics — via Firebase Analytics, for app improvement only
- No data selling — your data is never sold to third parties
- GDPR compliant — EU company: Golinski Ventures sp. z o.o., Poland
Your Control
- Export your data anytime — JSON backup (always free), CSV and ICS export (Pro)
- Delete your account — from the app, permanent within 30 days
- Control sharing — you choose board membership
Reporting Vulnerabilities
If you discover a security vulnerability, please report it responsibly:
Email: contact@togglyapp.com
Subject: "Security Report"
We take all reports seriously.