Home / Security
Trust and data practices

Chroify Security and Data Practices

Chroify is service business scheduling software that handles bookings, calendars, clients, workers, receipts, reviews, and support. This page explains the security practices and shared responsibilities around that workflow.

Direct answer

How does Chroify approach security?

Chroify uses managed authentication, role-based access, database row-level security, server-side checks for sensitive actions, masked analytics for authenticated app areas, and security-focused deployment headers. No online service is risk-free, so customers should also protect accounts and maintain appropriate business records.

Account access

Authentication and role boundaries

Chroify uses Supabase Auth for account authentication. Owners, workers, clients, and platform administrators have different app experiences and access boundaries.

Managed authentication

Authentication credentials are handled by Supabase Auth rather than stored directly in Chroify application tables.

Role-based access

Owners manage their workspace, workers see assigned work, clients use their portal, and platform admin actions are separately controlled.

First-party app routes

Private dashboard routes are marked noindex and served with stricter browser security headers where needed.

Business data

Tenant separation and protected operations

Service-business data can include clients, workers, appointments, messages, invoices, receipts, and reviews. Chroify’s code is designed so each business works with its own records.

Row-level policies

Supabase row-level security policies are used to restrict browser-side access to records connected to the current user and business.

Server-side enforcement

Sensitive API routes check authentication, business membership, owner access, superadmin role, rate limits, and IP bans before processing protected actions.

Delivery safeguards

Email, reminder, and receipt delivery routes verify appointment, client, and business relationships before sending messages or recording delivery logs.

Payments and automation

Payment access and reminder controls

Stripe webhook validation

Owner access activation is tied to expected payment state and pending access records. Webhook handling should reject unrelated or unexpected payment events.

Cron secret protection

Reminder jobs require a configured cron secret and fail closed when that secret is missing or weak.

Account deletion

Owner account deletion is handled through a server endpoint designed to cancel active Stripe subscription state before deleting owner data.

Privacy and analytics

Public analytics and masked app sessions

Chroify uses Microsoft Clarity on public marketing pages to understand website usability. Authenticated application areas are treated differently from public pages.

Public pages

Public marketing pages may use analytics to understand page visits and improve the website.

Authenticated app

Authenticated app content is marked for masking, superadmin sessions are excluded, and recording begins only after the user accepts the Privacy Policy.

Policy reference

Read the Privacy Policy for the current description of analytics, local storage, data handling, and rights requests.

Customer responsibilities

Security is shared

Chroify can provide safeguards, but each business is responsible for lawful data handling and safe account practices.

Protect accounts

Use strong account practices, limit access to people who need it, and promptly remove old workers or clients who should no longer access a portal.

Do not send sensitive secrets

Do not send passwords, payment card numbers, or unnecessary sensitive information through support emails or client messages.

Report concerns quickly

Send suspected security incidents to security@chroify.com with the affected page, workflow, and safe reproduction details.

Related trust pages

Review Chroify policies and contact routes

Questions about security or data practices?

Use the official contact page to reach support, privacy, security, or legal inboxes.