Security
Last updated 18 June 2026
Security and privacy are built into how Click works, not bolted on. This page explains the technical and organisational measures we use to protect your account, your data, and your payments — and how to report a security issue to us.
1. Our approach
We design Click so the most sensitive things are protected by default: interest signals are private until mutual, card details never touch our servers, and sensitive merchant documents are kept in a private store. We take reasonable steps to protect personal information consistent with the Australian Privacy Principles. No online service can be perfectly secure, but we work to reduce risk and respond quickly when issues arise.
2. Infrastructure and hosting
The Platform runs on managed cloud infrastructure (Vercel for the application, Supabase for the Postgres database and file storage). Traffic between your browser and Click is encrypted in transit using HTTPS/TLS, and data held by our infrastructure providers is encrypted at rest by those providers. We connect to the database over a managed, access-controlled connection.
3. Authentication and access
You can sign in with Google, Facebook, or your email. When you use social sign-in, the provider authenticates you and Click never receives or stores your Google or Facebook password. Sessions are managed by NextAuth using signed, encrypted tokens.
Internally, access to personal data is limited to what is needed to run the Platform. Administrative tools are restricted to authorised staff, and privileged operations (such as reading sensitive documents) use scoped, server-side access rather than exposing raw data to the browser.
4. Payment security
All payments and merchant payouts are handled by Stripe, a PCI-DSS Level 1 certified payment provider. Card details are entered directly with Stripe and are tokenised — Click never receives or stores your full card number. Merchant identity and bank verification (KYC) is performed by Stripe Connect under Stripe's own security controls.
5. Data storage and isolation
We separate data by sensitivity. Public media (such as profile photos and event images) is served from a public storage bucket. Sensitive merchant documents (such as identity or licence documents) are held in a private bucket that refuses anonymous reads and is only accessed through short-lived signed URLs generated on the server.
Server-side access to storage uses a privileged key that is never exposed to the browser, so file access always passes through our application logic and permission checks.
6. Privacy by design — the click mechanic
When you "click" someone, that interest signal is stored privately and is never revealed to the other person unless they click you back. There is no direct-message inbox and no way to broadcast one-way interest. This removes a common harassment vector and is enforced in how the data is modelled and surfaced, not just in the interface. See our Safety Policy for the member-facing controls.
7. Support and diagnostic data
Our in-app bug reporter can capture a screenshot of your screen plus recent console and network activity to help us fix issues. Secrets and sensitive values are redacted on your device before anything is sent, and reports are stored against your support ticket for the team handling it.
8. Your role in security
You can help keep your account secure:
- Use a strong, unique password (or sign in with Google/Facebook) and enable two-factor authentication with your provider.
- Keep your devices, browser, and email account secure, and sign out on shared devices.
- Be cautious of phishing — Click will never ask for your password by email, and our emails come from a letsclick.app address.
- Report anything suspicious to us straight away.
9. Reporting a vulnerability
We welcome responsible disclosure. If you believe you have found a security vulnerability, please email security@letsclick.app with enough detail for us to reproduce it. Please give us a reasonable opportunity to investigate and fix the issue before any public disclosure, and do not access or modify other users' data, degrade the service, or run intrusive automated scans. We will not pursue good-faith researchers who follow these guidelines.
10. Incident response and breach notification
We maintain processes to detect, investigate, and respond to security incidents. If a data breach is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).
11. Contact
For security matters, email security@letsclick.app. For privacy requests, see our Privacy Policy. For safety concerns about another member or an event, see our Safety Policy.