Skip to main content

Security

Last updated: July 6, 2026

Your calendar and time data is sensitive, and we treat it that way. This page explains the concrete measures Stintt uses to protect your data — encryption, authentication, least-privilege access, tenant isolation, and payment security — and how to report a vulnerability. It complements our Privacy Policy, Terms of Service, and Data Processing Agreement.

1. Encryption

All traffic to and from Stintt is encrypted in transit with TLS (HTTPS). We do not serve the application or any API over unencrypted connections.

Data at rest is stored in a managed Postgres database (Supabase) that encrypts disk storage. OAuth access and refresh tokens we hold on your behalf are stored encrypted, never in plaintext.

2. Authentication

Sign-in to Stintt uses OAuth 2.0 with PKCE (Proof Key for Code Exchange) via Supabase Auth. Calendar and other source connections use the standard OAuth 2.0 authorization-code flow, with the provider client secret held only on our servers — never shipped to the browser.

Access tokens are short-lived: a stored OAuth access token expires after approximately one hour, and is refreshed only when you actively use a feature that needs it. You can revoke our access at any time from your provider account or by disconnecting the source in-app.

3. Least-privilege access

We request the minimum access needed to do the job. Google Calendar is connected with read-only scope — we can read the events you choose to track, and we never create, edit, or delete anything on your calendar.

AI features are opt-in and never run automatically: your data is sent to our AI sub-processor only when you explicitly trigger an action (or message the assistant).

See our Privacy Policy for exactly what each AI action sends and to whom.

4. Data isolation & access controls

Every row of your data is protected by database row-level security (RLS): the database itself enforces that you can only read the data belonging to you and the workspaces you are a member of, independently of the application layer. A bug in application code cannot expose another tenant’s data past this boundary.

Within a workspace, access follows least privilege by role. Owners, managers, and members see different surfaces, and managers in a closed workspace can only see the people in their own reporting line. Administrative capabilities are granted explicitly rather than shared through a single super-account.

5. Audit logging

Sensitive workspace administrative actions — role changes, member suspension and removal, and similar events — are recorded to an append-only audit log, written in the same database transaction as the action itself so the record cannot silently diverge from what actually happened. Workspace owners and administrators can review this history in the admin area.

6. Payment security

Payments are handled by our Merchant of Record, Dodo Payments, which operates the hosted checkout and processes card data under PCI-DSS standards. Your full card details are entered on Dodo’s systems — Stintt never receives, sees, or stores them.

7. Infrastructure & sub-processors

Stintt runs on established cloud platforms (Supabase for the database and authentication, and managed hosting providers for the web app and background services). We rely on a small, vetted set of sub-processors, each bound by a data processing agreement, and each used only for the feature you have opted into.

The full, current list of sub-processors is in our Privacy Policy and Data Processing Agreement.

8. Your data, your control

You can export a copy of your data or permanently delete it at any time using the self-service tools on our Privacy Policy page. Deleting your data revokes stored OAuth tokens and removes your records from our servers, and disconnecting a source stops any further syncing immediately.

Synced workspace calendar events older than approximately 18 months are automatically deleted, so we do not retain event history indefinitely.

Manage or delete your data from the Privacy Policy page.

9. Responsible disclosure

If you believe you have found a security vulnerability, we want to hear from you. Please email security@stintt.com with enough detail to reproduce the issue, and give us a reasonable opportunity to investigate and remediate before any public disclosure.

We will not pursue or support legal action against researchers who act in good faith, avoid privacy violations and service disruption, and do not access or modify data that is not their own. We aim to acknowledge reports promptly and keep you updated on our progress.

10. What we do — and don’t — claim

We believe in describing our security honestly rather than over-stating it. Stintt is an independent product, and we are not currently SOC 2 or ISO 27001 certified. What this page describes are practices that are actually implemented in the product today.

In the event of a personal-data breach affecting your data, we will notify affected customers and cooperate as set out in our Data Processing Agreement.

See our Data Processing Agreement for breach-notification and audit commitments.

Contact

Security reports: security@stintt.com · Privacy requests: privacy@stintt.com