
Trust & Security

Last updated: June 18, 2026

This page is maintained by TAP TO CLOSE to answer common security and privacy questions about the TAP TO CLOSE service. It describes the controls we have enabled today. It is editable project content and is not a third-party certification or independent audit.

Shared responsibility

TAP TO CLOSE runs on the Lovable Cloud platform. Lovable provides the underlying hosting, managed database, authentication, storage, and edge runtime. TAP TO CLOSE is responsible for application logic, access policies, and how customer data is used inside the product. Customers are responsible for safeguarding their own login credentials and the contact data they capture through their public profile.

Authentication & access

  • Email + password sign-in and Google sign-in via our managed auth provider.
  • Password reset flow with email-bound recovery links.
  • Role-based access enforced server-side; admin roles are stored separately from user profiles.
  • Account deletion is available from Settings.

Data protection

  • All traffic to the app and API is served over HTTPS.
  • Data at rest is stored in our managed database with row-level security policies that scope each record to its owner.
  • Server-side validation on all write endpoints; client-supplied role claims are not trusted.
  • Secrets and API keys are stored server-side and accessed only from server functions.

Payments

Subscription payments are processed by Stripe. We do not see or store full card numbers. Card data is collected directly by Stripe's embedded checkout.

Subprocessors

We rely on the following subprocessors to operate the service:

  • Lovable Cloud — hosting, database, authentication, storage, edge functions.
  • Stripe — subscription billing and payment processing.
  • Google — optional sign-in provider.

Data retention & deletion

Account and lead data is retained while your account is active. When you delete your account from Settings, your data is removed per the timeline described in our Privacy Policy.

Privacy requests

To export, correct, or delete your data, use the controls in Settings or contact us at privacy@taptoclose.com.

Reporting a vulnerability

If you believe you've found a security issue, please email security@taptoclose.com with details and steps to reproduce. Please do not publicly disclose the issue until we've had a chance to investigate and respond.

Compliance

TAP TO CLOSE does not currently claim SOC 2, ISO 27001, HIPAA, PCI-DSS, or GDPR certification. Payment card handling is delegated to Stripe, which maintains its own PCI-DSS attestation. For questions about a specific compliance requirement, contact security@taptoclose.com.
