Rick Pollick

Security

A quick summary of how this site protects your account and your data. For the privacy-policy side of the same story, see the Privacy Policy.

Authentication

Sign-in is passwordless. When you enter your email on /login, Supabase emails a one-time magic-link URL. Nothing to remember, nothing to reuse, and no password database that can leak. Sessions are stored in HTTP-only cookies scoped to the site — JavaScript on the page can't read them.

Payments

Card numbers, CVVs, and expiry dates are handled entirely by Stripe — the same PCI-DSS Level 1 provider trusted by Amazon, Google, and Shopify. We never see or store raw card data. If a charge fails, the site only receives a yes/no signal and an opaque customer ID.

Data isolation

Every table in the app database has row-level-security policies enforced by Postgres. Even if application code had a bug, one user still cannot read or modify another user's profile, feed tokens, or subscription state. Service-role access is reserved for narrow server-side tasks (subscription webhook fan-out, admin-initiated deletion) and never reaches the browser.
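An illustration of the row-level-security setup described above, added here as an example and not the site's actual schema or policies; the table and column names, and the Supabase helpers auth.uid(), auth.users and the authenticated / anon / service_role roles, are assumptions:

```sql
-- Assumed schema for illustration (not the site's real tables): a profile row
-- keyed by the Supabase auth user id, and feed tokens owned by a user.
create table public.profiles (
  user_id uuid primary key references auth.users (id) on delete cascade,
  display_name text
);
create table public.feed_tokens (
  id bigint generated always as identity primary key,
  user_id uuid not null references auth.users (id) on delete cascade,
  token text not null unique
);
-- Enable RLS and FORCE it so even the table owner is subject to the policies.
-- With RLS on and no policies, every row is denied by default.
alter table public.profiles enable row level security;
alter table public.profiles force row level security;
alter table public.feed_tokens enable row level security;
alter table public.feed_tokens force row level security;

-- Each policy grants the minimum to the Supabase "authenticated" role: only
-- rows whose user_id matches auth.uid(), the subject of the verified session JWT.
create policy "profiles: owner reads" on public.profiles
  for select to authenticated
  using (user_id = (select auth.uid()));

create policy "profiles: owner updates" on public.profiles
  for update to authenticated
  using (user_id = (select auth.uid()))
  with check (user_id = (select auth.uid()));  -- updated row must still belong to the caller

create policy "feed_tokens: owner reads" on public.feed_tokens
  for select to authenticated
  using (user_id = (select auth.uid()));

create policy "feed_tokens: owner inserts" on public.feed_tokens
  for insert to authenticated
  with check (user_id = (select auth.uid()));

create policy "feed_tokens: owner deletes" on public.feed_tokens
  for delete to authenticated
  using (user_id = (select auth.uid()));

-- No policy is granted to "anon", so unauthenticated API calls see nothing.
-- The service_role key bypasses RLS entirely; that is why it must never reach the browser.
-- Check from the SQL editor: impersonate one user and confirm only their rows come back
-- (assumes auth.uid() reads the "sub" claim from request.jwt.claims, as in Supabase).
begin;
set local role authenticated;
set local request.jwt.claims to '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
select count(*) from public.feed_tokens;  -- counts only that user's tokens
rollback;
```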

Email

All transactional email flows through Resend. Every bulk-style message — new-post alerts, subscription receipts — carries an RFC 8058 one-click unsubscribe header, so Gmail / Yahoo / Outlook can remove you with a single click. We don't use tracking pixels, open-rate beacons, or remarketing IDs.

Monitoring

Runtime errors are captured by Sentry with PII scrubbing on — stack traces and request metadata only. Cookies, form bodies, and auth headers are filtered at the SDK level before anything leaves the server.

Dependencies

The full third-party surface area is intentionally small:

  • Vercel — hosting, edge delivery, environment variables.
  • Supabase — Postgres + auth.
  • Stripe — payments and subscription management.
  • Resend — transactional email.
  • Sentry — error monitoring.
  • Google Analytics — aggregate page-view counts only; no cross-site profiles.

All of them are SOC 2 Type II or equivalent. Dependency updates for the app itself are reviewed and deployed through a standard CI flow.

Reporting a vulnerability

If you think you've found a security issue on the site, please email rick@rickpollick.com with “security” in the subject. Include enough detail to reproduce the issue — we'll acknowledge receipt within a business day and keep you updated through the fix. Please give us a reasonable window to remediate before any public disclosure.
