Compliance

FyndMe is committed to responsible data handling and security. This page outlines our security practices and approach to regulatory compliance.

1. Infrastructure and Hosting

FyndMe is hosted on industry-leading cloud infrastructure that maintains SOC 1/2/3, ISO 27001, and PCI DSS compliance certifications. All data is stored in the United States. Our infrastructure providers are contractually obligated to protect your data.

2. Data Encryption

• All connections are encrypted in transit using TLS (HTTPS enforced)
• All stored data is encrypted at rest using industry-standard encryption
• Passwords are never stored by FyndMe — authentication is managed by a dedicated, industry-standard identity provider

3. Authentication and Access Control

• User authentication uses a trusted, industry-standard identity provider with email verification required
• Passwords are securely hashed and never accessible to FyndMe staff
• All authenticated API access requires valid, time-limited credentials
• Finder access tokens are cryptographically signed and short-lived
• Administrative access to infrastructure requires multi-factor authentication

4. Application Security

• Rate limiting: All public endpoints are rate-limited to prevent abuse
• Input validation: All user input is validated and sanitized on the server side
• XSS prevention: User-generated content is sanitized before display
• Upload restrictions: File uploads are restricted to approved image types
• Bot protection: Public forms include automated abuse deterrents
• Security headers: Industry-standard HTTP security headers are applied to all responses, including protections against clickjacking, MIME sniffing, and cross-site scripting

5. Data Minimization

FyndMe follows a data minimization principle:

• Finders are never required to create an account or provide personal information
• Progressive visibility ensures owner contact details are hidden by default and only shared when you explicitly enable them
• Temporary records such as abuse reports and rate limit data expire and are automatically removed
• Account deletion removes all associated data including items, conversations, photos, and linked accounts

6. Incident Response

In the event of a security incident:

• We will investigate and contain the incident promptly
• Affected users will be notified via email within 72 hours of confirmation
• We will take corrective action to prevent recurrence
• Applicable regulatory authorities will be notified as required by law

7. GDPR Considerations

While FyndMe is US-based, we respect the privacy rights of all users:

• Right of access: View your data through your dashboard
• Right to rectification: Edit your items and account information at any time
• Right to erasure: Delete your account and all data through account settings
• Right to data portability: Contact us at support@fyndme.org to request a data export
• Lawful basis: We process data based on contractual necessity (providing the Service) and legitimate interest (security, abuse prevention)

8. CCPA Considerations

For California residents:

• We do not sell personal information
• We do not use third-party advertising trackers
• You may request disclosure of collected data or deletion of your data by contacting us

9. COPPA Compliance

FyndMe does not knowingly collect personal information from children under 13. If we become aware that a child under 13 has created an account, we will delete the account and all associated data promptly.

10. Payment Compliance

All payment processing is handled by Stripe, which is PCI DSS Level 1 certified. FyndMe does not store, process, or transmit cardholder data. Credit card information is entered directly into Stripe's secure checkout and never touches our servers.

11. Third-Party Services

FyndMe uses a small number of trusted third-party services for infrastructure and payment processing. All providers maintain industry-recognized security certifications and are contractually obligated to protect user data. We do not use third-party analytics, advertising networks, or social media tracking pixels.

12. Contact

For compliance inquiries, data requests, or to report a security concern, contact us at support@fyndme.org.