Security at WasteLess

Information current as of: 06/03/2025

At WasteLess, based in Ukraine, we take the security of your data seriously. This page provides an overview of the security practices we implement to protect your information while using our Service. Security is an ongoing process, and we continuously work to improve our measures.

User Authentication

  • Password Security: User passwords are securely hashed using industry-standard algorithms (bcrypt via Supabase Auth) before being stored. We never store your plain-text password.
  • Secure Sign-up/Reset: We utilize One-Time Passwords (OTP) sent via email for account verification during sign-up and for password resets.
  • OAuth (Google/Notion): Authentication via Google or Notion uses secure OAuth 2.0 protocols managed by those providers.
  • Session Management: We rely on Supabase's secure session handling, using JWTs stored securely (e.g., httpOnly cookies via SSR adapters).

Data Encryption

  • In Transit: All communication between your device and our servers, and between our servers and third-party services (Supabase, R2, Gemini, etc.), is encrypted using TLS/SSL (HTTPS).
  • At Rest: Your product data in Supabase and images in Cloudflare R2 are encrypted at rest by the respective providers using industry-standard encryption.

Infrastructure Security

  • Cloud Providers: We utilize Supabase and Cloudflare, which maintain high security standards for their infrastructure.
  • Access Control: Access to production systems, databases, and API keys (like Gemini, GitHub PAT, R2 keys) is restricted to authorized personnel using secure methods. Sensitive keys are stored as environment variables, not in code.
  • Row Level Security (RLS): We implement Supabase's Row Level Security policies on the tables to ensure that authenticated users can only access, insert, update, or delete their own product data.

Third-Party Services Security

We integrate with reputable third-party services:

  • Supabase: Provides database, authentication, and RLS. See Supabase Security.
  • Cloudflare R2: Provides object storage for images. See Cloudflare Security.
  • Google Gemini: Processes images for data extraction. See Google Cloud Terms.
  • GitHub: Stores feedback issues in a private repository. The Personal Access Token used has a 'write' permission only.
  • Microsoft Clarity: Provides usage analytics. See Microsoft Privacy Statement.
  • Monobank: Process payments securely according to their standards (Monobank Security). We do not store full payment details.
  • Google / Notion: Handle OAuth authentication and API interactions securely.

Image Handling

  • User Product Images bucket: Stored under a path prefixed with your unique User ID. Access requires authentication and is granted via time-limited signed URLs generated server-side.
  • Feedback Screenshots bucket: Processed client-side and uploaded. The API generates a public URL, but this URL is intended only for embedding within private GitHub issues associated with your feedback. Do not include sensitive information in feedback screenshots.
  • Shared Product Images bucket: Contains generic product images. If a barcode match is found, a time-limited signed URL is generated server-side for display within the app.

Feedback Submission

  • Secure Transmission: Feedback is sent via HTTPS.
  • GitHub Integration: Uses a minimally-scoped, securely stored PAT to create issues in a private GitHub repository.
  • Content Warning: Users are advised not to submit sensitive information via the feedback form or screenshots.

Your Responsibilities

Help keep your account secure:

  • Use strong, unique passwords.
  • Keep credentials confidential.
  • Log out on shared devices.
  • Report suspected unauthorized access immediately to [email protected].
  • Ensure images uploaded for AI processing are clear and well-framed for best results and avoid uploading inappropriate content.

Vulnerability Reporting

If you discover a security vulnerability, please report it responsibly to [email protected]. Provide details so we can investigate. We aim to acknowledge reports promptly but do not have a formal bug bounty program or fixed response timeline currently. Please allow reasonable time for us to address issues before public disclosure.

Updates and Changes

We may update our security practices and this document. Please review periodically. Significant changes will be communicated.

Contact Us

For security-related questions, contact us at: [email protected].

Also refer to our Privacy Policy and Terms of Use.