Trust & security

Security at FameLifter

Q: How do I report a security issue?

Email security@famelifter.com with details. We aim to acknowledge within 24 hours. We support responsible disclosure and will not pursue legal action against good-faith researchers who follow standard industry guidelines.

FameLifter encrypts data in transit with TLS 1.2+ and at rest with AES-256. Payments are handled exclusively by Stripe; we never see card numbers. Passwords are bcrypt-hashed, two-factor authentication is supported, and we honor GDPR data rights including a 72-hour breach notification commitment.

Last updated: April 26, 2026

Encryption in transit

All requests use HTTPS with TLS 1.2 or higher. HSTS is enabled. Cloudflare terminates TLS at the edge with origin-only certificates.

Encryption at rest

Database storage is encrypted with AES-256 by the managed MongoDB provider. Backups are encrypted with the same standard and rotated automatically.

Authentication

Bcrypt-hashed passwords, Google OAuth, and optional TOTP two-factor authentication. Sessions use HTTP-only cookies with SameSite=Lax.

Edge protection

Cloudflare proxy with WAF, DDoS mitigation, bot management, and rate limiting. Origin servers are only reachable through Cloudflare.

Payments

Card numbers never touch our servers. Stripe Elements collects and tokenizes payment details. We store only Stripe customer IDs and last-four digits for display purposes.

Breach notification

Per GDPR Article 33, affected users are notified within 72 hours of a confirmed incident. Notifications include scope and recommended actions.

Data handling commitments

No selling of user data. Personal data is never sold, rented, or shared with third parties for advertising or marketing.
GDPR data rights. Access, correct, export, or delete your data from settings — or by emailing [email protected].
Minimal data collection. We collect only what is needed to run the service: account email, name, billing data (held by Stripe), and feature usage logs.
Retention windows. Account data is retained while your account is active; cancellation triggers a 30-day grace period before permanent deletion (or earlier on request).
Subprocessors disclosed. The list below names every third party that handles user data on our behalf.

Subprocessors

Third parties that process user data on our behalf. Each is bound by a Data Processing Agreement and listed here for transparency.

Provider	Purpose	Data accessed
Stripe	Payments, billing, invoicing	Email, name, billing address, card details
Google (OAuth)	Sign-in via Google	Email, name, profile picture (only if user opts in)
Google Gemini	AI features (idea generator, summaries)	User prompts; no account data
Cloudflare	CDN, WAF, DDoS protection	IP address, request metadata
MongoDB Atlas	Database hosting	All application data (encrypted)
SMTP provider	Transactional email	Email address, message content

Report a security issue

If you believe you've found a vulnerability, email [email protected]. We acknowledge reports within 24 hours.

We support responsible disclosure and will not pursue legal action against good-faith researchers who follow standard industry guidelines (no destructive testing, no data exfiltration, no social engineering of staff or users).

Frequently asked questions

How is my data encrypted?▾

All traffic between your browser and FameLifter uses HTTPS with TLS 1.2 or higher. Data at rest in our database is encrypted with AES-256. Payment information never touches our servers — it is handled by Stripe directly via Stripe Elements.

Where is FameLifter hosted?▾

Our application servers run behind Cloudflare with origin certificates and IP allow-listing. The database is hosted on managed MongoDB infrastructure with automated backups. All hosting is in regions covered by GDPR-aligned data protection.

How are passwords stored?▾

We do not store passwords in plain text. Passwords are hashed using bcrypt with a per-account salt. We support Google OAuth and two-factor authentication (TOTP) for accounts that prefer not to use a password at all.

Do you sell user data?▾

No. We do not sell, rent, or share user data with third parties for advertising or marketing. Personal data is used only to provide the service and is processed under our published Privacy Policy.

Are you GDPR compliant?▾

Yes. We honor data access, correction, and deletion requests. Users can export their data and close their account at any time from settings. Our cookie policy and privacy policy describe lawful bases and retention windows in detail.

What happens if there is a data breach?▾

We will notify affected users within 72 hours of confirming a breach, in line with GDPR Article 33. Notifications go to the email on file and include the scope of the incident and any actions you should take.

Which third parties process user data?▾

Stripe (payments and billing), Google (OAuth login and Gemini AI features), Cloudflare (CDN and DDoS protection), MongoDB Atlas (database hosting), and an SMTP provider for transactional email. Each is bound by a Data Processing Agreement.

How do I report a security issue?▾

Email [email protected] with details. We aim to acknowledge within 24 hours. We support responsible disclosure and will not pursue legal action against good-faith researchers who follow standard industry guidelines.