Security
Last updated: April 26, 2026
Tracks trust GRID with a lot of sensitive information — phone numbers, emergency contacts, photos, signatures, payment receipts. Here’s how we protect it.
Authentication
- Mandatory two-factor at sign-in. Every account — racer, gate, tech inspector, tower, track admin — gets a 6-digit one-time code emailed to them on every fresh sign-in. The code is hashed before it touches the database, expires in 5 minutes, and is invalidated after 5 wrong tries.
- Authenticator app (TOTP) as an additional second factor. Anyone who wants belt-and-suspenders security can also enroll an authenticator app (Authy, Google Authenticator, 1Password) from Settings → Two-factor authentication.
- Passwords are stored as bcrypt hashes by Supabase Auth. We never see your plaintext password.
- Password resets happen via a one-time link emailed to your account address.
Encryption
- In transit: all traffic between the app and our servers is HTTPS/TLS. The app refuses to talk to plain HTTP.
- At rest: the database, storage buckets, and backups are encrypted at rest by Supabase.
Row-level security
Every table in our database is locked down with row-level security policies, enforced by Postgres itself — not by application code that could be bypassed. The rules we follow:
- Racers see only their own data.
- Track staff see only data scoped to their track and their role.
- One track’s staff can’t see another track’s racers, entries, or tech cards.
- Privileged operations (issuing tech cards, voiding entries, marking timing-system uploads) go through audited stored procedures, not direct table writes.
Audit logging
Every staff action that mutates a record — approving a tech card, voiding an entry, refunding, editing pricing — writes a row to our audit log with the user, timestamp, and what changed. Track admins can review this log for their own track.
Account deletion
You can delete your account from Settings → Delete Account. When you do:
- Your personal information (name, DOB, phone, email, photos, signatures) is removed or anonymized within 30 days.
- Your password is rotated to a random value and your email is replaced with an unreachable placeholder so the account can’t be re-used.
- Audit-trail entries are anonymized — they show that an action happened, but not by whom.
Payments
When payments go live they’ll be processed by Stripe. Card numbers, CVCs, and expiration dates never touch our servers — they go straight from the user’s device to Stripe. We only ever see a charge ID and the last 4 digits.
Vendors we trust
We rely on a small number of well-known providers for the parts of the stack we don’t want to build ourselves:
- Supabase — Postgres, Auth, Storage, Edge Functions. SOC 2 Type II.
- Resend — transactional email (sign-in codes, password resets).
- Stripe — payments. PCI DSS Level 1.
- Expo Push — mobile push notifications.
- Sentry — error reporting (no personal data sent).
What we don’t do
- We don’t sell or rent your data — not to advertisers, not to data brokers, not to anyone.
- We don’t track you across other apps or websites.
- We don’t collect location data.
- We don’t use behavioral analytics or marketing pixels.
Reporting a vulnerability
If you find a security issue, please tell us before disclosing publicly. We’ll respond within one business day and work with you on a coordinated fix.
Email: gridbyzn@gmail.com with subject line SECURITY.
Please include:
- Steps to reproduce
- What you were able to access or do
- Your name (so we can credit you, if you want)
We don’t currently run a paid bug bounty, but we’ll publicly thank researchers who report responsibly.
Breach notification
If we discover a data breach affecting you, we’ll notify you within a reasonable time and as required by applicable law (GDPR, CCPA, PIPEDA, state breach laws, etc.).
For the legal underpinnings of all of this, see our Privacy Policy and Terms of Service.