How we protect your account
We take the security of your collection, your payments, and your personal data seriously. This page summarises the controls in place today. It is maintained by the RareItUp team and is not an independent certification.
Sign-in is handled by our managed auth provider with email/password and Google sign-in. Sessions use short-lived tokens that refresh automatically and are stored only in your browser. We never see your password.
Every database table is protected by row-level security policies that scope reads and writes to the signed-in account. Sensitive operational fields (moderation status, referral graph, refund counters) are not exposed through the public API. Admin actions are gated by a separate role check.
Card payments are processed by Stripe. We never receive or store your full card number. Webhook events are signature-verified before any purchase is credited to your account, and refunds reverse referral commissions automatically.
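To make the "signature-verified before any purchase is credited" step concrete, here is an added example of what that check does. This is illustrative code written for this page, not RareItUp's own webhook handler, and it assumes Stripe's documented signing scheme: a `Stripe-Signature` header carrying a timestamp `t` and one or more `v1` values, each an HMAC-SHA256 of `<timestamp>.<raw request body>` keyed with the endpoint secret. The secret, the event bodies and their field names, the referral rate and the in-memory ledger are all constructed for the demonstration; a real service would use the official Stripe library's `construct_event` and a database, but the manual version shows why the raw body, a constant-time comparison and a freshness window all matter.

```python
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

# Constructed placeholder; a real endpoint secret comes from the Stripe dashboard.
WEBHOOK_SECRET = "whsec_constructed_example_secret"
TOLERANCE_SECONDS = 300   # reject signed payloads older than five minutes (replay window)
REFERRAL_RATE = 0.10      # assumed 10% referral commission (constructed for the example)


class SignatureError(Exception):
    """Raised when a webhook cannot be attributed to Stripe."""


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Split 't=<unix ts>,v1=<hex>[,v1=<hex>...]' into its timestamp and signatures."""
    timestamp, signatures = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise SignatureError("malformed signature header")
    return timestamp, signatures


def compute_signature(secret: str, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>'; the body must be the exact bytes received."""
    signed = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def verify_event(payload: bytes, header: str, secret: str, now: Optional[int] = None) -> dict:
    """Return the parsed event only if the signature is valid and fresh; raise otherwise."""
    now = int(time.time()) if now is None else now
    timestamp, signatures = parse_signature_header(header)
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        raise SignatureError("timestamp outside tolerance (possible replay)")
    expected = compute_signature(secret, timestamp, payload)
    # Constant-time comparison; several v1 values may be present while a secret is rotated.
    if not any(hmac.compare_digest(expected, sig) for sig in signatures):
        raise SignatureError("signature mismatch")
    return json.loads(payload)


def handle_webhook(payload: bytes, header: str, secret: str, ledger: dict,
                   now: Optional[int] = None) -> str:
    """Credit a purchase (and its referral commission) or reverse both on refund.

    Nothing touches the ledger until verify_event has accepted the request.
    """
    try:
        event = verify_event(payload, header, secret, now)
    except SignatureError as exc:
        return f"rejected: {exc}"
    direction = {"checkout.session.completed": 1, "charge.refunded": -1}.get(event["type"])
    if direction is None:
        return "ignored"
    obj = event["data"]["object"]          # constructed, simplified event shape
    buyer = obj["metadata"]["account_id"]
    referrer = obj["metadata"].get("referrer_id")
    amount = obj["amount_total"]
    ledger[buyer] = ledger.get(buyer, 0) + direction * amount
    if referrer:
        ledger[referrer] = ledger.get(referrer, 0) + direction * int(amount * REFERRAL_RATE)
    return "credited" if direction > 0 else "reversed"


def sign_event(event: dict, secret: str, timestamp: int) -> Tuple[bytes, str]:
    """Test fixture: serialise an event and build the header Stripe would send for it."""
    payload = json.dumps(event).encode()
    return payload, f"t={timestamp},v1={compute_signature(secret, timestamp, payload)}"


# Constructed sample events (field set simplified; not real Stripe payloads).
PURCHASE_EVENT = {
    "id": "evt_constructed_1", "type": "checkout.session.completed",
    "data": {"object": {"amount_total": 2500,
                        "metadata": {"account_id": "acct_buyer", "referrer_id": "acct_ref"}}},
}
REFUND_EVENT = {
    "id": "evt_constructed_2", "type": "charge.refunded",
    "data": {"object": {"amount_total": 2500,
                        "metadata": {"account_id": "acct_buyer", "referrer_id": "acct_ref"}}},
}


if __name__ == "__main__":
    ledger, now = {}, 1_700_000_000
    payload, header = sign_event(PURCHASE_EVENT, WEBHOOK_SECRET, now)
    print(handle_webhook(payload, header, WEBHOOK_SECRET, ledger, now), ledger)
    # A tampered body keeps the old header, so the HMAC no longer matches.
    print(handle_webhook(payload.replace(b"2500", b"250000"), header, WEBHOOK_SECRET, ledger, now))
    # A valid refund reverses both the purchase and the commission.
    payload, header = sign_event(REFUND_EVENT, WEBHOOK_SECRET, now)
    print(handle_webhook(payload, header, WEBHOOK_SECRET, ledger, now), ledger)
```

The design point is the ordering: parsing, tolerance and HMAC checks all happen before the ledger is read, so a forged or replayed request can neither credit a purchase nor trigger a commission reversal. Hashing the raw bytes rather than a re-serialised JSON object is also essential, since any whitespace or key-order change would invalidate a genuine signature.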
If you believe you have found a security issue, please email security@rareitup.com with details and steps to reproduce. We aim to acknowledge reports within two business days.
We collect only the data needed to run your account: email, display name, collection activity, and payment metadata returned by Stripe. You can request export or deletion of your data at any time from the settings page or by emailing privacy@rareitup.com.
