How we protect renter and landlord data
This page is maintained by QualiFlow to explain the technical and operational controls in place today. It describes enabled capabilities only — not a certification or audit attestation.
Encryption everywhere
All traffic is encrypted in transit (TLS 1.2+) and data is encrypted at rest. Passwords are stored as bcrypt hashes; we never see your plaintext password.
Row-level access controls
Every multi-tenant table is protected by database row-level security policies scoped to the authenticated user. Renters see only their own data; landlords see only their own listings, inquiries, and applicants.
Server-side computed signals
Recommendation ratings, eligibility logic, and other trust signals are computed by privileged server functions and written under a service role, so they can't be tampered with from the browser.
Hardened infrastructure
We run on Lovable Cloud's managed infrastructure with audited backups, automatic security patches, least-privilege credentials, and isolated environments for development and production.
Secure payments by Paddle
Card and bank details go directly to Paddle.com (our Merchant of Record). QualiFlow never sees or stores payment instruments. Paddle is PCI DSS Level 1 certified.
Responsible disclosure
If you discover a vulnerability, email security@getqualiflow.com with reproduction steps. We respond within 5 business days and acknowledge responsible reporters publicly with permission.
Shared responsibility
QualiFlow secures the platform infrastructure and application. You are responsible for using a strong unique password, keeping your email account secure, signing out on shared devices, and verifying who you are communicating with before sharing identity documents or money.
Data handling
We minimize collection: profile fields exist because they power compatibility explanations or are needed by landlords for legitimate screening. Deposit specifics are hidden from renter-facing UI but retained for landlord use. Sensitive renter disclosures are never used by QualiFlow to recommend approve/deny decisions.
Incident response
In the unlikely event of a confirmed data incident, affected users will be notified by email within the timeframes required by applicable law (typically within 72 hours of confirmation), with the facts known at the time and the steps we are taking.
Contact
Security questions or reports: security@getqualiflow.com. Privacy-related requests: privacy@getqualiflow.com.
See also: Privacy Policy · Terms of Service · Fair Housing Compliance.