Trust at TinyKomainu

Last updated: May 20, 2026

We are a small indie team. That does not mean we cut corners on security or privacy—we document what we actually do, not what sounds good on a sales page.

Encryption

  • Signing secrets (Hooks): Encrypted with AES-256-GCM before they are written to the database. The encryption key lives in a separate server-side environment variable, apart from the database, and is never sent to the browser.
  • Database: Hosted on Supabase (Tokyo region, ap-northeast-1), which encrypts data at rest. Webhook payloads and account data travel over TLS in transit.
  • In transit: TLS 1.2+ for all public endpoints (web app, webhook receiver, API routes).

Access control

  • Row Level Security (RLS): Postgres RLS policies on user-owned tables restrict every query to rows owned by the authenticated user, so you can only read and modify your own data, even through the public API.
  • Service role: The Supabase service-role key is used only in server-side code (webhook receiver, cron jobs). It never ships to the browser.
  • Webhook payloads: Not publicly accessible. Incoming webhooks require your unguessable endpoint token; the dashboard requires authentication.

Data retention

Hooks — webhook payloads: Deleted automatically after your plan's retention window:

  • Free: 7 days
  • Pro: 30 days
  • Team: 90 days

A daily job removes payloads past this window. After deletion, recovery is not possible.

Watch: Monitoring history and account settings are kept while your account is active. If you delete your account, we remove your data within 30 days (see Watch privacy policy).

Billing: Stripe may retain payment records for up to 7 years per regulations—we do not control that.

Infrastructure

  • Supabase — PostgreSQL database and auth (Tokyo region)
  • Vercel — Application hosting and serverless functions (multi-region edge network)
  • Cloudflare — DNS and edge network for our domains
  • Stripe — Payments (card data never touches our servers)
  • Resend — Transactional email

What we don't do

  • We do not sell your data.
  • We do not share webhook payloads with third parties except your configured delivery channels (Slack, email, etc.).
  • We do not train machine learning models on your data.
  • We do not run advertising trackers, analytics pixels, or similar surveillance on our apps.

Reporting security issues

If you find a vulnerability or security concern, email mk@natrium.co.jp. Please include enough detail for us to reproduce the issue. We will acknowledge receipt and work on a fix as quickly as we can.

We do not operate a paid bug bounty program. We appreciate responsible disclosure.