Security Statement

Last updated: April 9, 2026

RetailWatcher handles sensitive business data — purchase records, vendor pricing, invoice files, and financial metrics. We take that responsibility seriously. This page describes the security measures we have in place to protect your data and our platform.

  • HTTPS everywhere
  • Encrypted passwords
  • PCI-compliant payments
  • Private file storage
  • MFA for sensitive actions
  • JWT session management

1. Data in Transit

All communication between your browser and RetailWatcher is encrypted using TLS 1.2 or higher (HTTPS). We enforce HTTPS on all pages and API routes. HTTP connections are automatically redirected to HTTPS. We use HSTS headers to prevent downgrade attacks.

2. Data at Rest

Your business data (products, vendors, purchases, losses) is stored in a managed PostgreSQL database hosted on Supabase, which encrypts data at rest using AES-256. Invoice images and PDF files you upload are stored in private Supabase Storage buckets — they are not publicly accessible and require authenticated session tokens to retrieve.

3. Password Security

Passwords are never stored in plain text. We use bcrypt with a work factor that is reviewed periodically as hardware improves. This means that even in the unlikely event of a database breach, your password cannot be directly extracted from stored data.

  • Minimum password length and complexity requirements are enforced at account creation.
  • Password reset links expire after 60 minutes and are single-use.
  • Login attempts are rate-limited to prevent brute-force attacks.

4. Session Management

Authentication sessions are managed using NextAuth.js with a JWT strategy. Session tokens are:

  • Signed with a cryptographically random secret key.
  • Stored in an HttpOnly, Secure, SameSite cookie — not accessible to JavaScript on the page.
  • Automatically invalidated on logout and when account credentials change.

An idle session timeout is enforced — users are automatically signed out after a period of inactivity to protect unattended devices.

5. Payment Security

RetailWatcher does not store, transmit, or process payment card data on our servers. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor — the highest level of payment security certification. We never see your credit card number, CVV, or full billing details.

6. Multi-Factor Authentication (MFA)

RetailWatcher requires email-based MFA (a one-time 6-digit code) before performing high-risk account actions:

  • Cancelling or modifying your subscription via the Stripe portal.
  • Deleting your account and all associated data.

Verification codes are bcrypt-hashed before storage, expire after 10 minutes, and are invalidated immediately after successful use. A 60-second rate limit prevents code spam.

7. AI Invoice Processing

When you use the Scan Invoice feature, your uploaded invoice image or PDF is sent to Anthropic’s Claude AI for data extraction. The file is transmitted over HTTPS. Anthropic processes the file to return structured product data and does not retain the file for training purposes. Extracted data is stored in your RetailWatcher account under your control.

8. Access Controls

  • Every API endpoint verifies your identity before processing requests.
  • Team member role permissions (Owner, Manager, Staff) restrict what actions each role can take.
  • Store data is isolated — one store’s data is never accessible to another store’s users.
  • Internal database access is restricted to authorized services with environment-variable credentials that are never committed to source code.

9. Infrastructure

  • Hosting: Vercel (globally distributed CDN and serverless edge functions).
  • Database: Supabase managed PostgreSQL with automated backups.
  • File storage: Supabase Storage with private bucket access controls.
  • Email: Resend (transactional only — no marketing lists).
  • SMS: Twilio (Enterprise plan, opt-in only).

10. Dependency Management

We regularly update our software dependencies and monitor for known security vulnerabilities using automated tooling. Critical security patches are applied as soon as possible after disclosure.

11. Vulnerability Reporting

We take security reports seriously. If you discover a potential security vulnerability in RetailWatcher, please report it responsibly by emailing:

security@retailwatcher.app

Please include a description of the vulnerability, steps to reproduce, and any relevant screenshots or proof-of-concept. We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate it (typically 30–90 days). We do not currently offer a formal bug bounty program, but we will acknowledge and credit responsible disclosures.

12. Incident Response

In the event of a data breach or security incident that affects your personal data, we will:

  • Notify affected users by email within 72 hours of becoming aware of a breach (in line with GDPR Article 33 requirements).
  • Describe what data was affected, what we have done to contain the incident, and what you should do to protect yourself.
  • Work with affected parties and relevant authorities as required by law.

13. Questions

If you have security-related questions, contact us at security@retailwatcher.app.