Your members' data is safe.

Specifics — not marketing. Every claim below is something a developer can verify.

We never see card numbers

Stripe hosts checkout. PCI SAQ A scope.

AES-256 encryption at rest

Database encryption is on by default.

Your data, exportable

Download everything as CSV anytime.

Payment data — we never touch it

When your members pay you, the card number, expiry, and CVC are entered on a page hosted by Stripe (stripe.com), not by us. We never see it. Stripe stores it. They are PCI-DSS Level 1 certified — the highest level, the same as every major bank. This puts Grappll in PCI SAQ A scope — the simplest compliance level for software like ours, because we don't handle card data at all. We only store a reference token (e.g. "cus_NxxxXxx") that lets Stripe charge the right customer next time. If Stripe has a breach, that's not our problem to fix. If Grappll has a breach, no card numbers can leak from us because we don't store any.

Member data — encrypted, isolated, backed up

All data (members, attendance, classes, payments) is stored in PostgreSQL on Supabase, which runs on AWS infrastructure in US-East regions. Encryption at rest: AES-256 (industry standard, same as banks). Encryption in transit: TLS 1.3 for everything between your browser and our servers. We force HTTPS — there is no way to use the app over plain HTTP. Row-Level Security (RLS): every database query is filtered by gym ownership at the database layer, not just in our code. Even if a bug let one gym try to query another gym's data, the database itself would block it. This is the strongest form of multi-tenant isolation Postgres offers. Backups: Supabase takes daily automated backups, retained for 7 days minimum (longer on paid plans). If something catastrophic happens, we can restore within hours.

Authentication — battle-tested

We use Supabase Auth for sign-in. It's the same auth stack used by thousands of production apps. Passwords are hashed with bcrypt (you can never reverse-engineer them, even from our database). Sessions are stored in HTTP-only cookies with the Secure and SameSite=Lax flags — they can't be read by JavaScript and can't be sent cross-site by malicious websites. Gym owners can use email/password or sign in with Google. We support password reset via email and will add 2FA in a future release.

Hosting — Vercel + Supabase

Application: Vercel (Frame, Netflix, TikTok use them for parts of their infrastructure). Auto-scaling, HTTPS-only, DDoS protection at the edge. Database: Supabase (used by Mozilla, GitHub Copilot's billing, Notion's enterprise customers). We do not self-host. We did not build our own database or auth system. Every layer of our stack is operated by companies that have been audited far more rigorously than a small SaaS could ever justify on its own.

Who has access?

Access to the production database is strictly limited to our core team for the sole purpose of providing support, and to an emergency service account for backups. We log into the database only when investigating a specific support request. We do not browse customer data for marketing or analytics. Member personal data is never shared with any third party — not for advertising, not for "feature improvement," nothing. If you delete your gym account, we delete your data within 30 days (this is required by our privacy policy).

Your data is yours

You can export every member, payment, and attendance record as CSV at any time, by yourself, from the dashboard. No request form, no waiting. You can delete your gym entirely from the Settings page. All members, classes, attendance, payments, and orders cascade-delete. We keep no shadow copies. You own your customer relationships. If you leave Grappll, your Stripe Connect account is yours — your members' subscriptions continue with whoever you move them to. We don't hold your customer data hostage.

What happens if there is a breach?

We've audited the code against the OWASP Top 10 and applied: • Input validation on every API endpoint (Zod schemas with strict mode) • Rate limiting per IP (sliding window: 3/hr on demo, 10/15min on lead capture, etc.) • Content Security Policy (no inline JavaScript injection) • HTTP Strict Transport Security (forces HTTPS for 2 years) • X-Frame-Options DENY (no one can iframe us for clickjacking) • CSRF protection via SameSite cookies Despite all of that, no system is 100% secure. If we ever detect a breach affecting customer data, we will: 1. Email every affected gym owner within 72 hours of detection 2. Tell you exactly what data was exposed 3. Help you notify your members if their data was affected This isn't a checkbox — it's how we operate.

Have a security question we didn't answer?

Email us directly. Real reply, same day.

grappll.app@gmail.com