Trust & security

How SiteClick handles your data.

This page is maintained by SiteClick to answer common security and privacy questions about the app. It reflects the controls in place today. It is not an independent certification.

Hosting & data location

SiteClick runs on managed cloud infrastructure with data storage inside the UK / EU. Application code is deployed to edge servers close to your users; the database and photo storage are region-pinned.

Access controls

  • Every project, photo, RAMS record, and message is scoped to a team. Row-level security policies enforce this at the database, not just in the UI.
  • Client-portal share links are per-project, revocable, and can be time-limited.
  • Photo files are served through short-lived signed URLs — the storage bucket is not publicly listable.
  • Team owners and admins have separate permissions from field/worker accounts. The Office Hub is gated to office roles only.

Encryption & backups

  • All traffic uses TLS in transit. Data is encrypted at rest by the underlying database and object-storage providers.
  • Automated database backups are retained by the managed database provider.
  • Passwords are never stored in plain text; authentication uses industry-standard hashing.

Subprocessors

SiteClick relies on the following subprocessors for core functionality:

  • Lovable Cloud — application hosting, database, storage, authentication.
  • Stripe — subscription billing and payment processing.
  • Open-Meteo — weather auto-log lookups (site coordinates, no personal data).

We do not use your project photos, notes, or messages to train third-party AI models. AI features (photo tagging, voice-to-note, receipt OCR) run against Lovable's AI gateway on demand only.

Cookies & analytics

SiteClick uses a first-party session cookie to keep you signed in. It does not run third-party advertising trackers. Basic usage counts are collected server-side to monitor app health.

Data retention & deletion

  • Team owners can delete individual projects, photos, and records at any time from within the app.
  • On written request from a team owner, we will fully delete the team workspace and all associated data within 30 days.
  • Backup rotation may retain deleted data for a short window before permanent removal.

Report a security issue

Email security@siteclick.app with a description of the issue and steps to reproduce. We aim to acknowledge within 2 working days.

For general privacy or data-request questions: contact page.

This page describes the current state of the SiteClick app. It is not a SOC 2, ISO 27001, or Cyber Essentials certification. See our Privacy Policy and Terms for the full legal position.