
Security

How we protect your data, handle authentication, and respond to security reports.

Authentication

LFG uses Supabase Auth, which provides industry-standard authentication including email/password with salted hashing, OAuth 2.0 (Google, Apple, Facebook), and session management with secure HTTP-only cookies. Passwords are never stored in plaintext.

Data protection

All data is transmitted over TLS (HTTPS). Our database uses Row-Level Security (RLS) policies to ensure users can only access data they're authorized to see. Trip data is private by default — only members you invite can see your itineraries.

Privacy by design

We collect only what's needed to provide the service. We don't sell personal data to third parties. Analytics are used to improve the product, not to build advertising profiles. You can delete your account and data at any time.

Responsible disclosure

If you discover a security vulnerability, please report it to security@lfgetaway.com. We take all reports seriously and will respond within 48 hours. We ask that you give us reasonable time to address the issue before public disclosure.

Report a security issue

Found something that doesn't look right? Email us at security@lfgetaway.com. We appreciate responsible disclosure and will work with you to resolve any valid issues.