Managed authentication
Authentication credentials are handled by Supabase Auth rather than stored directly in Chroify application tables.
ChroifyEspañolLog inGet accessChroify is service business scheduling software that handles bookings, calendars, clients, workers, receipts, reviews, and support. This page explains the security practices and shared responsibilities around that workflow.
Chroify uses managed authentication, role-based access, database row-level security, server-side checks for sensitive actions, masked analytics for authenticated app areas, and security-focused deployment headers. No online service is risk-free, so customers should also protect accounts and maintain appropriate business records.
Chroify uses Supabase Auth for account authentication. Owners, workers, clients, and platform administrators have different app experiences and access boundaries.
Authentication credentials are handled by Supabase Auth rather than stored directly in Chroify application tables.
Owners manage their workspace, workers see assigned work, clients use their portal, and platform admin actions are separately controlled.
Private dashboard routes are marked noindex and served with stricter browser security headers where needed.
Service-business data can include clients, workers, appointments, messages, invoices, receipts, and reviews. Chroify’s code is designed so each business works with its own records.
Supabase row-level security policies are used to restrict browser-side access to records connected to the current user and business.
Sensitive API routes check authentication, business membership, owner access, superadmin role, rate limits, and IP bans before processing protected actions.
Email, reminder, and receipt delivery routes verify appointment, client, and business relationships before sending messages or recording delivery logs.
Owner access activation is tied to expected payment state and pending access records. Webhook handling should reject unrelated or unexpected payment events.
Reminder jobs require a configured cron secret and fail closed when that secret is missing or weak.
Owner account deletion is handled through a server endpoint designed to cancel active Stripe subscription state before deleting owner data.
Chroify uses Microsoft Clarity on public marketing pages to understand website usability. Authenticated application areas are treated differently from public pages.
Public marketing pages may use analytics to understand page visits and improve the website.
Authenticated app content is marked for masking, superadmin sessions are excluded, and recording begins only after the user accepts the Privacy Policy.
Read the Privacy Policy for the current description of analytics, local storage, data handling, and rights requests.
Chroify can provide safeguards, but each business is responsible for lawful data handling and safe account practices.
Use strong account practices, limit access to people who need it, and promptly remove old workers or clients who should no longer access a portal.
Do not send passwords, payment card numbers, or unnecessary sensitive information through support emails or client messages.
Send suspected security incidents to security@chroify.com with the affected page, workflow, and safe reproduction details.
Use the official contact page to reach support, privacy, security, or legal inboxes.