PatchProof ← Trust & policies

Security

Last updated 24 June 2026 · Version 0.1 (draft)

Draft for review. Some statements describe the target production architecture (Supabase backend) not yet enabled in the current single-device build. Update as each piece goes live.

Current build vs target

The app you are using today stores records locally in your browser on your own device. Nothing is transmitted to a PatchProof server. This is private by design but device-bound: clearing the browser removes the data, so export regularly.

The production architecture below is being rolled out as accounts and sync are enabled.

Where data lives

How it is protected

Record integrity

Patch-test responses are timestamped and fingerprinted (SHA-256) and photos carry a capture-freshness check, so the audit trail is tamper-evident — that is the point of the product.

Retention

Records are retained for 7 years by default to support insurance and claims, then deleted. You can request earlier erasure subject to the Privacy Policy.

Sub-processors

ProviderPurposeRegion
SupabaseDatabase & storageEU (Ireland)
NetlifyHosting/CDNEU edge
StripePaymentsUK/EU
TwilioWhatsApp remindersUK/EU
SentryError monitoringEU

Breach response

If a personal-data breach occurs we will assess it without undue delay, notify the ICO within 72 hours where required, and inform affected users where there is a high risk to their rights. Report a suspected vulnerability to [security@patchproof.co.uk].