Trust

Security overview

A practical summary of the security practices LocateFlow uses today. This page does not claim that LocateFlow holds SOC 2, HIPAA, or PCI certification, or that its security is perfect.

Last updated: May 1, 2026

Transport protection

LocateFlow uses TLS for browser and API traffic in production configurations.

Authentication

Password sign-in, optional OAuth, rate limiting, login lockouts, and MFA support help protect accounts.

Session controls

Session and device signals support account protection and session revocation where available.

Operational controls

Access controls, audit logging, credential management, and monitoring are used according to role and environment.

Account protection

Passwords are stored as salted password hashes rather than plaintext. Failed login attempts are throttled. OAuth sign-in may be available when configured. Authenticator-app MFA is supported in account security settings where enabled.

Data protection

LocateFlow uses TLS for traffic in production. Some sensitive application fields may be encrypted at the field level when configured, and infrastructure providers may provide at-rest encryption for databases, object storage, and backups depending on deployment.

Do not treat this page as a claim that every field, log, backup, processor copy, or third-party system is separately field-encrypted by LocateFlow.

Access, logging, and monitoring

Internal access should be limited to authorized operators who need it for support, security, billing, or operations. Admin actions and sensitive workflows may be logged for audit, fraud prevention, and incident review.

Secrets and credentials should be managed through environment configuration and secret-management practices. If a secret exposure is suspected, it should be rotated and investigated.

Backups and recovery

LocateFlow maintains backup and recovery procedures appropriate to the deployment. Restore testing should be completed and documented before full production launch or enterprise commitments are made.

Payment security

Web subscriptions are billed through Stripe. iOS subscriptions are managed by the Apple App Store, and Android subscriptions are managed by Google Play. Store purchases, cancellations, renewals, and refund requests may be controlled by the applicable store rules.

LocateFlow does not store full payment card numbers. Card entry and payment processing are handled by payment processors or app stores. Those providers may have their own PCI obligations and security practices.

Responsible disclosure

To report a vulnerability, email [email protected] with a brief description, steps to reproduce, affected URLs or account context, and any suggested remediation. Do not send passwords, payment card numbers, private keys, or real user data.

Good-faith testing should avoid service degradation, social engineering, persistence, data exfiltration, destructive actions, and public disclosure before LocateFlow has had a reasonable opportunity to respond.

Incident response

If LocateFlow determines that a security incident materially affects customer data, LocateFlow will use reasonable efforts to notify affected users and regulators when required by applicable law. DPA-level breach terms are summarized in the Data Processing Addendum.