Card data — we don't have it
Card numbers, CVCs, and expiry dates never touch our servers. Stripe Checkout collects payment data on the creator's connected Stripe account — we receive only a payment reference and the resulting webhook event.
Money flow
thx.so uses Stripe Connect with direct charges. Money flows from the supporter to the creator's connected Stripe account; thx.so does not hold funds. Stripe pays out to the creator on the payout schedule the creator configures (default: 2-day rolling).
Authentication
Creator accounts are authenticated via Supabase Auth, which supports email/password, OAuth providers, and magic-link sign-in. Sessions use HTTP-only cookies on the thx.so domain.
Data in transit and at rest
All traffic uses TLS 1.2 or higher. Data at rest is encrypted on Supabase Postgres and Cloudflare's storage layers.
Subprocessors
A current list of subprocessors (Stripe, Cloudflare, Supabase, email provider, error tracking) is maintained on the privacy page.
Reporting a vulnerability
If you believe you've found a security vulnerability, please email security@thx.so. We acknowledge reports within 48 hours.