Trust
Security & Compliance
The concrete, honest measures we take — and the ones we have not claimed.
Encrypted transport
All traffic is served over HTTPS/TLS; the application is hosted on Netlify with platform-managed certificates.
Password hashing
Passwords are hashed with bcrypt and never stored or logged in plaintext.
Token-based auth
Sessions use a signed JWT in an httpOnly, SameSite cookie. In production the signing secret is mandatory — the app refuses to issue tokens without it.
Payment isolation
Card data is handled entirely by Stripe. Full card numbers never reach our servers or database.
Encrypted database
Data is stored in Neon Postgres with encryption at rest; access uses least-privilege credentials.
Minimal data
We collect only what the service needs: an email, a hashed password, subscription state and optional feedback.
Responsible disclosure
Found a vulnerability? Email security@trendnow.app with steps to reproduce. Please give us reasonable time to remediate before any public disclosure. We appreciate good-faith research.
An honest note on certifications
We do not currently claim formal certifications such as SOC 2 or ISO 27001. We describe only the controls we actually run. As the platform matures we will update this page rather than overstate our posture.