Effective date: May 15, 2026.
Permissions
Browser permissions are limited to storage plus the supported platform hosts. ShareVeil does not request broad access to every website.
Extension connection
The extension receives a browser credential after web sign-in. Credentials are stored hashed on the server, kept in extension storage, and used only for ShareVeil sync APIs.
Web protection
Production pages send security headers for HTTPS, framing protection, content type protection, referrer limits, and a content security policy. Public support and request forms can require Cloudflare Turnstile verification when launch keys are configured.
Payments
Stripe handles Checkout, Billing Portal, and payment details. Webhooks update ShareVeil entitlements after successful payment or subscription changes.
Data isolation
Pro synced library and account data live in Supabase Postgres with Row Level Security so each row is scoped to its account. Payment data is held by Stripe; ShareVeil keeps only the customer and subscription identifiers needed to reconcile entitlements.
Reporting a vulnerability
If you find a security issue, please report it through the support form with subject prefix "security" or email support@shareveil.com. We aim to acknowledge within 3 business days and to confirm a fix or mitigation timeline within 14 days. Please do not test for vulnerabilities against other accounts or attempt to access data you do not own.