Security
Strong defaults. No surprises.
Authentication
Accounts are managed by Supabase Auth. Passwords are hashed with bcrypt and never stored in plaintext. JWTs are short-lived and refreshed automatically. Admin access is gated by a per-user flag (no shared password).
Data storage
Application data lives in Supabase Postgres (US region). Row Level Security policies ensure each user can only read their own rows. Daily managed backups are retained for 7 days.
Gmail integration
Connecting Gmail uses Google OAuth 2.0. We request read-only metadata scopes — we never see full email bodies, attachments, or your contacts. OAuth refresh tokens are encrypted at rest with Fernet. Disconnecting in Settings revokes our access immediately.
Disclosures
Found a security issue? Email security@ojamafy.com. We respond within 72 hours.