Trust, security & privacy

• Sign-in is handled by our managed authentication provider with email/password and Google sign-in.
• Passwords are never stored by us in plain text — only the authentication provider holds credential material.
• Administrative privileges are granted through a separate roles table and verified server-side on every request.

• Your draft formulations, baskets and orders are only readable by you and by our admin team.
• Row-level security is enabled on all customer data tables, so authorisation is enforced in the database, not just in the app UI.
• Order lifecycle changes (submission, status updates) are performed through controlled server actions that re-verify ownership.

• Your account profile (name, optional business name) and the formulations, colours, fragrances and notes you save.
• Order records including amounts, status and timestamps.
• We do not store full payment card details — payments, when enabled, are handled by a PCI-compliant payment processor.

• The application runs on managed cloud infrastructure with traffic served over HTTPS.
• The database, authentication and file storage are provided by a managed backend platform with encryption at rest and in transit.
• Service-role credentials are kept on the server only and are never shipped to your browser.

• You can request a copy of the personal data we hold about you.
• You can ask us to correct inaccurate data or to delete your account and associated formulations.
• For any privacy or data request, contact us at the address below and we will respond within a reasonable timeframe.

If you believe you have discovered a security issue, please contact us privately so we can investigate before any public disclosure. Email hello@whippedstudio.co.uk with the details and steps to reproduce.