🔒

Security at Share The Aloha

How we protect your photos, your recipients, and your account.

Share The Aloha holds personal photos and the email addresses of people you love. We take that responsibility seriously. This page describes the technical and operational measures we use to keep your content secure. It is intentionally specific — we tell you what we do and what we don't.

How we keep your data safe

Encryption everywhere

All data is encrypted in transit using TLS 1.2 or higher. Stored data — including your photos and account details — is encrypted at rest with AES-256 by our infrastructure providers.

Hashed passwords

We never store your password in plain text. Passwords are hashed by our authentication provider (Supabase Auth) using industry-standard algorithms. Our staff cannot read your password — if you lose it, it must be reset.

Brute-force protection

Login pages have automatic rate-limiting and brute-force protection at the authentication layer. Repeated failed sign-in attempts trigger throttling.

Private media, signed URLs

Your uploaded photos live in a private object-storage bucket. They are never directly accessible. Each photo URL embedded in a delivered email is a time-limited signed URL — only the recipient who received the email can open it.

Encrypted backups

Our database is backed up daily to encrypted, geographically separate storage. Backups are retained for 90 days, then permanently destroyed.

Row-level access control

Every piece of user data is protected by row-level security policies at the database layer. Even a misconfigured application query cannot return another user's photos, recipients, or notes.

No behavioral tracking, no ad tech

We do not run Google Analytics, Facebook Pixel, or any third-party advertising trackers on our site or in our emails. The data you share with us is for delivering Alohagrams to the people you love — nothing else.

Our infrastructure providers

We are a small team that uses best-in-class infrastructure providers rather than rolling our own data centers. Each is independently audited.

Your account, your control

Password reset

If you forget your password, you can reset it from the Forgot password link on the sign-in page. We email you a one-time code, and you set a new password without needing the old one.

Change your email or password

Both are editable from your Settings page once you're signed in. Email changes require confirmation at the new address.

Delete your account

You can permanently delete your account and all your data from the Settings page. Active data is removed within 30 days; backups are purged within 90 days.

Recipient controls

Every Alohagram and Tribute delivery includes “Adjust frequency”, “Unsubscribe”, and “Report” links. Recipients can pause, slow down, or stop deliveries at any time without contacting us.

Responsible disclosure

If you're a security researcher and you've found a vulnerability in Share The Aloha, please report it. We commit to acknowledging good-faith reports and working with you in good faith. Please read our Responsible Disclosure Program page before submitting.

Direct security contact: security@sharethealoha.com

What we don't do

Honest disclosures

We tell you what we don't have so you can decide whether you're comfortable with our posture today:

Reporting an incident

If you believe your account has been compromised, or you've received an Alohagram you suspect was sent without your consent:

Last updated: May 30, 2026. We will update this page as our security posture evolves. Material changes will be reflected in the “Last updated” date.