Security Policy

Effective April 13, 2026 — M&R Legacy Ventures LLC d/b/a TrackFinder USA

Our Commitment

M&R Legacy Ventures LLC takes the security of TrackFinder USA and the data of our riders seriously. This policy describes the security measures we have in place and how to report a potential vulnerability responsibly.

Security Measures

  • Data transmission — all data between your browser and our servers is encrypted via TLS (HTTPS). Unencrypted connections are redirected automatically.
  • Authentication — user authentication is managed by Supabase Auth with secure, hashed password storage. We never store plaintext passwords.
  • Session management — sessions use short-lived tokens with automatic expiry.
  • Payment security — payment processing is handled entirely by Stripe. Card numbers never pass through our servers and are never stored on them.
  • Database access — production database access is restricted to authorized personnel and enforced through Row Level Security (RLS) policies.
  • Infrastructure — the Service is hosted on Vercel with automatic HTTPS, DDoS protection, and access controls.

Responsible Disclosure

If you discover a security vulnerability in TrackFinder USA, we ask that you report it to us privately before public disclosure. This gives us the opportunity to investigate and address the issue before it can be exploited.

To report a vulnerability, email:

legal@trackfinderusa.com

Please include:

  • A description of the vulnerability and the potential impact
  • Clear steps to reproduce the issue
  • Any supporting evidence (screenshots, request/response logs)
  • Your name or handle if you'd like credit

What We Ask of Researchers

When investigating a potential vulnerability, please:

  • Do not access, modify, or exfiltrate data belonging to other users
  • Do not perform denial-of-service attacks or disrupt service availability
  • Do not use social engineering, phishing, or physical attacks against our users or staff
  • Do not publicly disclose the issue until we have had 90 days to investigate and respond
  • Test only against your own accounts or test data

We will not pursue legal action against researchers who discover and report vulnerabilities in good faith in accordance with these guidelines.

Our Response

When you submit a report, we will:

  • Acknowledge receipt within 5 business days
  • Investigate and provide updates on our progress
  • Notify you when the issue has been resolved
  • Credit you by name or handle in our acknowledgments, if you wish

We do not currently offer a paid bug bounty program.

Scope

In scope:

  • trackfinderusa.com and all subdomains
  • TrackFinder USA mobile applications (when available)
  • TrackFinder USA public APIs

Out of scope:

  • Third-party services: Supabase, Stripe, Mapbox, Vercel, Resend — report those directly to the respective vendors
  • Social engineering or phishing attacks
  • Denial-of-service attacks
  • Vulnerabilities in outdated browsers or operating systems

Data Breach Notification

In the event of a confirmed data breach affecting user personal information, we will notify affected users and applicable regulatory authorities as required by applicable law, including Washington State's data breach notification law (RCW 19.255).

Contact

M&R Legacy Ventures LLC d/b/a TrackFinder USA
legal@trackfinderusa.com

For general privacy questions, see our Privacy Policy.