Security at Share The Aloha
How we protect your photos, your recipients, and your account.
Share The Aloha holds personal photos and the email addresses of people you love. We take that responsibility seriously. This page describes the technical and operational measures we use to keep your content secure. It is intentionally specific — we tell you what we do and what we don't.
How we keep your data safe
Encryption everywhere
All data is encrypted in transit using TLS 1.2 or higher. Stored data — including your photos and account details — is encrypted at rest with AES-256 by our infrastructure providers.
Hashed passwords
We never store your password in plain text. Passwords are hashed by our authentication provider (Supabase Auth) using industry-standard algorithms. Our staff cannot read your password — if you lose it, it must be reset.
Brute-force protection
Login pages have automatic rate-limiting and brute-force protection at the authentication layer. Repeated failed sign-in attempts trigger throttling.
Private media, signed URLs
Your uploaded photos live in a private object-storage bucket. They are never directly accessible. Each photo URL embedded in a delivered email is a time-limited signed URL — only the recipient who received the email can open it.
Encrypted backups
Our database is backed up daily to encrypted, geographically separate storage. Backups are retained for 90 days, then permanently destroyed.
Row-level access control
Every piece of user data is protected by row-level security policies at the database layer. Even a misconfigured application query cannot return another user's photos, recipients, or notes.
No behavioral tracking, no ad tech
We do not run Google Analytics, Facebook Pixel, or any third-party advertising trackers on our site or in our emails. The data you share with us is for delivering Alohagrams to the people you love — nothing else.
Our infrastructure providers
We are a small team that uses best-in-class infrastructure providers rather than rolling our own data centers. Each is independently audited.
- →Supabase — our database, authentication, and storage provider. SOC 2 Type II certified; data centers in the United States.
- →Vercel — our application hosting. SOC 2 Type II certified; global edge network with US-based primary regions.
- →Resend — our email delivery service. SOC 2 audit in progress; uses authenticated SMTP with SPF, DKIM, and DMARC.
- →Stripe — our payment processor. PCI Service Provider Level 1 (the highest level of payment-card security certification). We never see or store your card number.
- →Cloudflare Turnstile — bot/abuse protection on sign-up and login.
Your account, your control
Password reset
If you forget your password, you can reset it from the Forgot password link on the sign-in page. We email you a one-time code, and you set a new password without needing the old one.
Change your email or password
Both are editable from your Settings page once you're signed in. Email changes require confirmation at the new address.
Delete your account
You can permanently delete your account and all your data from the Settings page. Active data is removed within 30 days; backups are purged within 90 days.
Recipient controls
Every Alohagram and Tribute delivery includes “Adjust frequency”, “Unsubscribe”, and “Report” links. Recipients can pause, slow down, or stop deliveries at any time without contacting us.
Responsible disclosure
If you're a security researcher and you've found a vulnerability in Share The Aloha, please report it. We commit to acknowledging good-faith reports and working with you in good faith. Please read our Responsible Disclosure Program page before submitting.
Direct security contact: security@sharethealoha.com
What we don't do
- ✗We do not sell your personal information.
- ✗We do not run advertising or behavioral-tracking pixels.
- ✗We do not analyze the content of your photos or notes to train AI models.
- ✗We do not share your data with marketing partners.
- ✗We do not retain payment card numbers — they live entirely at Stripe.
Honest disclosures
We tell you what we don't have so you can decide whether you're comfortable with our posture today:
- ○We are not currently SOC 2 or ISO 27001 certified ourselves. Our infrastructure providers are. We expect to pursue our own certifications when our user base or business needs justify the cost.
- ○We have not yet completed a third-party penetration test. One is scheduled before public launch. Results will be summarized on this page when complete.
- ○Two-factor authentication (2FA) is not yet available on user accounts. It is on the near-term roadmap.
Reporting an incident
If you believe your account has been compromised, or you've received an Alohagram you suspect was sent without your consent:
- →security@sharethealoha.com — account compromise, suspected misuse, security vulnerabilities
- →report@sharethealoha.com — abusive content, harassment, terms-of-service violations
- →support@sharethealoha.com — everything else
Last updated: May 30, 2026. We will update this page as our security posture evolves. Material changes will be reflected in the “Last updated” date.