Dropinly Security
SECURITY + VDP

Report a vulnerability.

We take the security of shop owners' and their clients' data seriously. If you've found a vulnerability, we want to hear from you — and we won't pursue legal action against good-faith research.

How to report

  • Email [email protected] with a clear description and reproduction steps.
  • Encrypt sensitive details if needed — ask in your first email and we'll share a key.
  • Please give us a reasonable chance to fix the issue before any public disclosure.

Our commitment

  • Acknowledgement: within 3 business days.
  • Triage + severity assessment: within 7 business days.
  • Fix timeline: critical issues are prioritized immediately; we'll keep you updated through resolution.
  • Credit: with your permission, we're glad to credit you once a fix ships.

Safe harbor

We will not pursue or support legal action against anyone who, in good faith, reports a vulnerability under this policy — provided you avoid privacy violations, data destruction, and service degradation, and you do not access or modify data that isn't yours. If in doubt, contact us before testing.

In scope

  • dropinly.com and its subdomains
  • Public booking pages and the customer portal
  • The owner/admin dashboard and authenticated APIs
  • The public API documented at /docs

Out of scope

  • Denial-of-service (DoS/DDoS) and volumetric/load testing
  • Social engineering, phishing, or physical attacks against staff or shops
  • Reports from automated scanners without a demonstrated, exploitable impact
  • Missing best-practice headers with no concrete security impact
  • Third-party services we integrate with (report those to the relevant vendor)

Our security posture

  • All traffic is served over TLS; data is encrypted in transit and at rest.
  • Tenant data is isolated with row-level security; access is scoped per authenticated membership.
  • Payments run through Stripe — we never store raw card numbers.
  • Operational health is monitored continuously; see our status page.
  • Machine-readable policy: /.well-known/security.txt.