Trust & Security

This page is maintained by the SpokeWatch project owner to answer common security and privacy questions about the app. It describes the current controls in place — it is not an independent certification or audit attestation.

Authentication & access

  • Accounts are protected by email + password authentication backed by a managed identity provider.
  • Passwords are never stored in plaintext; only securely hashed credentials are retained.
  • Sensitive actions (managing your bikes, moderating community reports) require an authenticated session, verified server-side.
  • Moderation actions such as approving recovery claims are gated by a server-side role check, not by anything the browser can change.

Data protection

  • Database access is controlled by row-level security policies so users can only read and modify their own records.
  • Server-only operations run through authenticated server functions; secrets and admin keys never reach the browser.
  • Map coordinates on public incidents are intentionally fuzzed to a neighbourhood-level point before being displayed.

Hosting & encryption

  • All traffic to SpokeWatch is served over HTTPS (TLS) end-to-end.
  • Data is stored on managed cloud infrastructure with encryption at rest provided by the platform.
  • Server logs are retained briefly for abuse prevention and debugging, then rotated.

Shared responsibility

SpokeWatch relies on hosting, database, and authentication services provided by its underlying platform. Platform-level features such as encryption in transit, encryption at rest, and managed identity are provided by that platform. Application-level decisions — what data is collected, which records are public, how moderation works — are made and maintained by the SpokeWatch project owner. As a user, please use a unique, strong password and notify us promptly if you believe your account has been compromised.

Privacy & your rights

See the Privacy Policy for full details on what we collect, how it is used, retention, and how to request access, correction, or deletion of your data.

Reporting a vulnerability

If you believe you've found a security issue in SpokeWatch, please reach out via the contact details on the About page. Please give us a reasonable window to investigate and remediate before any public disclosure.

Last updated: 19 June 2026.