BirthMemo

Security Policy

How we protect your information

Last updated: February 7, 2026

Our Security Commitment

At BirthMemo, security is a top priority. We use industry-standard cloud infrastructure, secure server-side processing, and multiple layers of protection to keep your data safe. This document outlines our security measures and best practices.

Cloud Infrastructure

BirthMemo uses Supabase (built on AWS) for authentication and data storage. Our cloud security includes:

Row Level Security (RLS)

  • Database policies enforce that users can only read and write their own data
  • Because RLS is enforced by the database itself, neither a client-side bug nor a misused client API key can read or modify another user's rows; RLS does not apply to Supabase's service-role key, so that key must never reach the browser
  • All tables containing user data have RLS policies enabled

Authentication

  • Secure user authentication via Supabase Auth
  • Passwords are hashed using bcrypt (never stored in plain text)
  • Sessions are managed with Supabase-issued tokens; where those tokens are held in cookies they are marked Secure and HttpOnly so page scripts cannot read them

Encryption

  • All data encrypted at rest on Supabase servers
  • All connections encrypted in transit with TLS
  • HTTPS enforced on all endpoints

API & Server Security

Secure AI Processing

  • The Google Gemini API key is stored server-side only and is never exposed to the browser
  • AI requests are routed through our secure server endpoint (/api/generate)
  • Input is validated and sanitized on the server before being forwarded to Google

Rate Limiting

  • AI generation: 5 requests per minute per IP address
  • Limits abuse, scripted hammering of the endpoint and runaway API cost; because the key is the client IP, users behind a shared network (office or carrier NAT) share one allowance
  • Expired entries are purged automatically so the rate-limit tracker does not grow without bound

Input Validation

  • User inputs are sanitized (HTML tags stripped) before processing; this is defence in depth, not a substitute for escaping text where it is rendered
  • Field length limits enforced (200 characters max per field)
  • Request body structure (expected fields and their types) is validated before any processing occurs

Phone Number Security

Phone numbers are handled with special care:

  • Stored securely: Phone numbers are stored in your Supabase account, protected by RLS
  • Never shared: We never share numbers with third parties
  • WhatsApp deep links: The wa.me link is built on your device; the number reaches WhatsApp only when you tap the link
  • No logging: Phone numbers are not written to server logs
  • Format validation: Numbers are validated before a link is built, so a malformed number is rejected rather than producing a broken wa.me link
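The validation and deep-link steps above, as an added example written for this page rather than BirthMemo's own code. The accepted input forms, the 7 to 15 digit bound (15 is the E.164 maximum) and the masking rule used when a number must appear in an error message are assumptions for illustration; the wa.me URL format (international number without `+`, spaces or leading zeros, optional `text` query parameter) is WhatsApp's documented one.

```javascript
// Added example (not BirthMemo's own code): validate a phone number before it
// is stored, build the wa.me link on the client, and mask the number if it
// ever has to appear in a diagnostic. Input forms and masking are assumptions.

const MIN_DIGITS = 7;   // shortest plausible international number (assumed)
const MAX_DIGITS = 15;  // E.164 maximum

// Normalise user input to the digits-only international form wa.me expects:
// no '+', no '00' prefix, no spaces, dashes or parentheses, no leading zero.
function normalizePhone(input) {
  const raw = String(input ?? '').trim();
  if (!/^\+?[0-9\s().-]+$/.test(raw)) {
    return { ok: false, error: 'contains characters other than digits, +, spaces, (), - or .' };
  }
  let digits = raw.replace(/\D/g, '');
  if (raw.startsWith('00')) digits = digits.slice(2);     // 0044... -> 44...
  if (digits.startsWith('0')) {
    return { ok: false, error: 'use international format with a country code (e.g. +44...)' };
  }
  if (digits.length < MIN_DIGITS || digits.length > MAX_DIGITS) {
    return { ok: false, error: `expected ${MIN_DIGITS}-${MAX_DIGITS} digits, got ${digits.length}` };
  }
  return { ok: true, digits };
}

// Build the WhatsApp deep link. The number leaves the device only when the
// user opens this URL. The optional prefilled text is URL-encoded so that
// characters such as '&' or '#' cannot alter the link.
function whatsappLink(number, text) {
  const normalized = normalizePhone(number);
  if (!normalized.ok) throw new Error(`invalid phone number: ${normalized.error}`);
  const url = `https://wa.me/${normalized.digits}`;
  return text ? `${url}?text=${encodeURIComponent(text)}` : url;
}

// Keep only the last two digits when a number must be mentioned in an error
// message, so a full number never ends up in a log line.
function maskPhone(digits) {
  const s = String(digits);
  return s.length <= 2 ? '*'.repeat(s.length) : '*'.repeat(s.length - 2) + s.slice(-2);
}
```

Rejecting national-format numbers (a leading zero) at entry time is what keeps the deep link working: wa.me silently fails on a number without a country code, and the user would only notice when the message never arrives.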

Best Practices

  • Only store phone numbers of people who've consented to receive messages
  • Regularly review and remove outdated contact information
  • Use the app's delete function to remove numbers when no longer needed

PWA & Update Security

BirthMemo is a Progressive Web App with a managed update system:

  • Network-first strategy: Pages are fetched from the network first and served from the cache only when the network is unavailable
  • API calls never cached: Requests to /api/* always bypass the service worker cache, so an API response is never served from a stale copy
  • Versioned cache: Each deployment uses a new cache name and removes the caches of earlier builds, so a new version cannot be mixed with stale content
  • Update banner: Users are prompted when a new version is available and can reload at their convenience
  • Build-stamped requests: API calls carry the build identifier so an intermediate cache cannot serve a response produced by an older deployment
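The caching rules above, as an added example written for this page (not BirthMemo's actual service worker). The decision logic is kept in plain functions with the network and cache injected, so it can be run and checked outside a browser; the cache name prefix, the build identifier, the `v` query parameter and the event wiring at the bottom are assumptions for illustration.

```javascript
// Added example (not BirthMemo's own service worker): network-first pages,
// uncached /api/* requests, versioned caches pruned on activate, and
// build-stamped API URLs. Names and the build id are assumptions.

const BUILD_ID = '2026-02-07-1';                 // assumed; injected at build time in practice
const CACHE_PREFIX = 'birthmemo-';
const CACHE_NAME = `${CACHE_PREFIX}${BUILD_ID}`;  // versioned cache: one per deployment

// API requests are never served from or written to the cache.
function isApiRequest(url) {
  return new URL(url).pathname.startsWith('/api/');
}

// Names of caches belonging to earlier deployments; deleted on activate so a
// new build cannot be mixed with stale assets.
function staleCaches(existingNames, current = CACHE_NAME) {
  return existingNames.filter((n) => n.startsWith(CACHE_PREFIX) && n !== current);
}

// Network-first: try the network; on success store a copy and return it; on
// failure (offline) fall back to whatever is cached. `fetchFn` and `cache` are
// injectable so this runs in Node; in the worker they are fetch() and the
// Cache object from caches.open(CACHE_NAME).
async function networkFirst(request, { fetchFn, cache }) {
  try {
    const response = await fetchFn(request);
    if (response.ok) await cache.put(request, response.clone());
    return response;
  } catch (err) {
    const cached = await cache.match(request);
    if (cached) return cached;
    throw err;
  }
}

async function handleFetch(request, deps) {
  if (isApiRequest(request.url)) {
    return deps.fetchFn(request);   // bypass the cache entirely; offline API calls simply fail
  }
  return networkFirst(request, deps);
}

// Append the build id to API calls so an intermediate cache cannot hand back a
// response produced by an older deployment.
function stampApiUrl(url, buildId = BUILD_ID) {
  const u = new URL(url);
  u.searchParams.set('v', buildId);
  return u.toString();
}

// Wire-up, only when actually running as a service worker.
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function' && typeof caches !== 'undefined') {
  self.addEventListener('activate', (event) => {
    event.waitUntil(
      caches.keys().then((names) => Promise.all(staleCaches(names).map((n) => caches.delete(n))))
    );
  });
  self.addEventListener('fetch', (event) => {
    event.respondWith(
      caches.open(CACHE_NAME).then((cache) => handleFetch(event.request, { fetchFn: (req) => fetch(req), cache }))
    );
  });
}
```

Only successful (`ok`) responses are written to the cache, so an error page fetched during an outage does not replace a good cached copy of the app shell.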

Free Tier Limits

Usage limits on the free tier also act as a security control by bounding what a single abused account can store or consume:

  • 15 birthdays maximum: Limits the amount of data stored per account
  • 3 AI generations total: Prevents abuse of AI resources
  • 1 message per birthday: Keeps storage bounded
  • Rate limiting: 5 AI requests per minute per IP

Responsible AI Use

We use AI responsibly to enhance your experience:

  • Minimal data sharing: Only essential information (name, relationship, tone, interests) is sent to generate messages
  • No training: Your data is not used to train AI models
  • Server-side only: AI processing happens through our secure server, not directly from your browser
  • Ephemeral processing: AI processes your request and returns results without long-term storage
  • Content filtering: AI-generated messages are designed to be appropriate and heartfelt
  • User control: You choose which generated message to save (if any)

Reporting Security Vulnerabilities

We take security vulnerabilities seriously. If you discover a security issue:

How to Report

  1. Email us at security@birthmemo.app
  2. Include a detailed description of the vulnerability
  3. Provide steps to reproduce the issue if possible
  4. Include any relevant screenshots or proof of concept

Our Commitment

  • We will acknowledge your report within 24 hours
  • We will investigate and provide updates on our progress
  • We will credit responsible disclosures (with permission)
  • We will not take legal action against good-faith security researchers

Please do not publicly disclose vulnerabilities until we have had a chance to address them.

Security Best Practices for Users

Help keep your account secure by following these practices:

  • Use a strong, unique password for your BirthMemo account
  • Use a modern, updated browser (Chrome, Firefox, Safari, Edge)
  • Don't log in on public or shared computers
  • Log out when you're done using the app on shared devices
  • Be cautious when using the app on public WiFi networks
  • Regularly review your stored birthdays and remove outdated entries
  • Keep your operating system and browser updated

Security Policy Updates

This Security Policy may be updated as we improve our security measures or add new features. Significant changes will be communicated through the app. We encourage you to review this policy periodically to stay informed about how we protect your information.