Data minimisation
The MVP does not permanently store transcript content or uploaded media on its application server. Local browser storage keeps transcript history under the user’s control.
Production safeguards
- HTTPS is mandatory in production.
- Secrets stay in server-side environment variables and are excluded from Git.
- Supabase row-level security separates profile, usage, and subscription records.
- Stripe webhook signatures are verified before billing events are accepted.
- Security headers reduce browser attack surface.
Limits and disclosure
No service can promise absolute security. Before launch, configure provider retention, rate limiting, monitoring, backups for account metadata, incident response, and a dedicated security contact. Report suspected issues privately to support@ilovetranscript.com.