Security at Squeegify.

Email security@squeegify.co.uk with steps to reproduce. We respond within one business day. We thank you publicly (with permission) and we won't take legal action against good-faith research.

Machine-readable disclosure contact at /.well-known/security.txt.

• TLS 1.3 in transit (HSTS preload, max-age 2 years)
• AES-256 at rest (Supabase Postgres + Vercel object storage)
• Stripe handles all card data; nothing card-shaped touches our servers
• Session cookies are HttpOnly, SameSite=Lax, Secure in production

• Application + database: EU (Frankfurt) via Vercel + Supabase
• Email delivery: EU (Resend)
• Payments: UK / EU (Stripe Payments UK Ltd)
• AI vision: US (Anthropic). Transfer governed by UK IDTA and SCCs; Anthropic does not train on data we send for analysis.
• Address autocomplete + imagery: EU + global edge (Google Ireland Ltd)

Full list with purpose and data-residency for each is in the privacy policy. We email account holders 14 days before any sub-processor change takes effect.

A signed DPA is available on request for Operator and Fleet plans. Email legal@squeegify.co.uk with your company name and we send it back the same business day.

• Secrets in Vercel encrypted environment variables, never in code
• Webhook signatures (Stripe) verified with timing-safe comparison
• Webhook delivery logs retained 90 days, queryable by workspace
• Rate limits per IP on every public API endpoint
• Demo widget on the marketing site runs in a strict sandbox; no real customer side effects fire

• We don't train any AI model on customer data
• We don't sell, rent, or share data with third parties
• We don't use behavioural advertising trackers
• We don't set non-essential cookies without consent

Squeegify Ltd is a UK company. We process personal data under UK GDPR. We are registered with the Information Commissioner's Office (ICO).

Privacy policy: /legal/privacy · Terms of service: /legal/terms