Trust

Security & privacy.

This page is maintained by the Storage Compass team to answer common security and privacy questions about the product. It is not an independent certification.

Authentication

Email + password with a leaked-password check against Have I Been Pwned. Optional TOTP two-factor authentication. Google sign-in via the managed OAuth broker. Passwords hashed with bcrypt at rest.

Access control

Every table in our database is protected by row-level security. A user can only read and write their own rows. Admin operations are gated by a separate role table and require verified email + MFA.

Encryption

TLS 1.2+ in transit on every request. Data at rest is encrypted with AES-256 by our managed database provider. Backups are encrypted and rotated.

Secrets

Third-party API keys (Paddle, mapping, planning data) are stored server-side and never shipped to the browser. Service-role database keys are only ever loaded inside verified server handlers.

Payments

Card details are handled by Paddle, our Merchant of Record. Storage Compass never sees your full card number. Webhooks are signature-verified before we grant access.

Data retention

You can delete your account from Account Settings at any time — all personal data is removed within 30 days. Public UK planning, land and facility data we aggregate is retained for the operation of the service.

Incident response

We monitor authentication failures and abnormal usage. If a security incident occurs that affects your data, we'll notify affected users within 72 hours in line with UK GDPR.

SUBPROCESSORS

Who we share data with.

These are the third parties we rely on to run the Service. Each is bound by a data processing agreement. We do not sell personal data. Last reviewed: 6 July 2026.

ProviderPurposeRegion
SupabaseDatabase, authentication, storageEU (Frankfurt)
CloudflareEdge hosting, CDN, DDoS protectionGlobal edge
Paddle.com Market LtdPayments, VAT, merchant of recordUK / Global
ResendTransactional email deliveryEU / US
Google Maps PlatformMap tiles, imagery, Places metadataGlobal
FirecrawlPublic-web data ingestion (server-side)US
LovableApplication hosting & deploymentGlobal edge

Where data is transferred outside the UK/EEA we rely on adequacy decisions or Standard Contractual Clauses with the UK Addendum.

Responsible disclosure

Found a vulnerability? Email security@storagecompass.co.uk with steps to reproduce. We aim to acknowledge within 2 business days and won't pursue legal action against good-faith researchers who follow this policy.

Shared responsibility: Storage Compass protects the platform; customers are responsible for keeping their sign-in credentials secure and enabling MFA on privileged accounts.