SpotLift

Security

How we protect your data

Your Data Stays in India

All SpotLift data — your business profile, generated posts, review replies, and account information — is stored on servers located in Mumbai, India. We use Supabase's Mumbai region (ap-south-1) for all database storage. Your data does not leave India for storage purposes.

Your Business Data Is Private

SpotLift uses Row Level Security (RLS) at the database level. This means each user account can only ever read or write their own data. It is technically impossible for one SpotLift user to access another user's business profile, generated content, or account details — this is enforced at the database layer, not just in our application code.

We Never Store Your Google Credentials

SpotLift does not ask for, store, or have access to your Google account password or any Google OAuth tokens. Our tools analyse publicly visible information from your Google Business Profile. You copy and paste content manually — SpotLift never posts to your GBP directly on your behalf.

Encrypted Connections

All communication between your browser and SpotLift's servers uses HTTPS with TLS encryption. Your data is never transmitted in plain text.

Payment Security

SpotLift does not store credit card or UPI details. All payments are processed directly by Razorpay, a PCI-DSS compliant payment gateway regulated by the Reserve Bank of India. SpotLift only receives a confirmation of payment success — never your payment credentials.

Authentication

SpotLift uses Supabase Auth for secure account management. Passwords are hashed using industry-standard algorithms and are never stored in plain text. Session tokens are short-lived and invalidated on logout.

Third-Party Services

SpotLift uses a limited set of third-party services, each chosen for its security posture:

  • Supabase — Database and authentication (Mumbai, India)
  • Vercel — Application hosting and serverless functions
  • Anthropic — AI content generation (your business context is sent to generate content; no personal identifiers beyond business name and city are included in prompts)
  • Razorpay — Payment processing (RBI-regulated)
  • Brevo — Transactional email delivery
  • Google — Places API for business lookup

Reporting a Security Issue

If you discover a security vulnerability in SpotLift, please report it responsibly to contact@spotlift.in with the subject line "Security Issue". We will acknowledge your report within 48 hours and work to resolve confirmed issues promptly.