Security at Shelfd
Last updated: 8 June 2026
Shelfd is operated by Photon Labs Ltd (registered in England and Wales, ICO registration ZC136232). We hold collectors’ data and process real payments, so security is built into how the product works rather than bolted on. This page explains, in plain terms, how we protect your information and your money. It complements our Privacy Policy and Terms & Conditions.
Encryption
- In transit: every connection between the app, the website, and our backend uses HTTPS/TLS. There is no unencrypted path to your data.
- At rest: data is stored in an EU-hosted database (London region). Shipping addresses are additionally encrypted at the field level using pgcrypto, and are automatically deleted 7 days after an order or trade completes.
Access control
- Row-Level Security on every table. Our database enforces, at the row level, that you can only read and write your own data. Authorisation is checked by the database itself, not just the app — so a bug in the client cannot expose another user’s records.
- Least-privilege backend. Server-side functions that perform privileged actions are locked down to authenticated or service-role callers; administrative functions are not callable by ordinary users. We periodically audit which functions are reachable and revoke anything that doesn’t need public access.
- Admin two-factor authentication. Access to the Shelfd admin console requires a second factor (TOTP) in addition to a password.
- Passwords are handled by our authentication provider (Supabase Auth) and are never visible to Shelfd in raw form.
Payments
- All card payments and seller payouts are handled by Stripe (Stripe Payments UK Limited), a PCI-DSS Level 1 certified payment provider. Shelfd never sees or stores your card number.
- On a purchase, your payment is taken in-app and held while the order is fulfilled, then the seller’s share is paid out through Stripe Connect after the buyer-protection window. You never pay a seller directly.
- Sellers and trade payout recipients complete identity verification (KYC) through Stripe Connect before any money can be paid out. Identity documents are held by Stripe, not by Shelfd.
Data minimisation
We try to hold as little data as possible, for as short a time as possible:
- No precise or background location. The app does not collect GPS or device location. Any location you add (a city/country) is optional and typed by you.
- Shipping addresses auto-delete 7 days after an order or trade completes (retained only while a dispute is open).
- Error reports are scrubbed. Crash and diagnostic reports sent to our monitoring provider have personal data — names, addresses, postcodes, phone numbers, emails, payment details, tracking numbers — actively stripped before they leave your device.
- No advertising trackers, no cross-site tracking, and we do not sell personal data. See the Privacy Policy for the full list of sub-processors.
Infrastructure
- Database, authentication, file storage, and server-side functions run on Supabase (EU/London).
- The public website is hosted on Netlify.
- Shipping is handled through Sendcloud (primary) and ShipEngine; transactional email through Resend; push notifications through the Expo Push service. Each receives only the minimum data needed to do its job.
- Privileged operations run in isolated server-side functions rather than on the device, so secrets and payment logic are never exposed in the app.
Monitoring
We monitor for errors and for abuse and fraud (for example, unusual sign-in or transaction patterns). Technical logs are retained briefly for security and reliability, then automatically deleted. Diagnostic monitoring is configured to redact personal data, as described above.
Your part
Security is shared. Use a strong, unique password, keep your device up to date, and never agree to complete a sale or trade outside the app — moving off-platform removes buyer protection and is where almost all marketplace scams happen. If you ever receive a message asking you to pay a seller directly, treat it as a red flag and report it to us.
Reporting a vulnerability
If you believe you’ve found a security issue, please tell us before disclosing it publicly. Email Shelfd@photonlabs.dev with the subject line “Security” and as much detail as you can (steps to reproduce, and what you were able to access). We will acknowledge your report, investigate, and keep you updated. We’re grateful to researchers who report responsibly and will not pursue action against good-faith testing that respects user privacy and doesn’t degrade the service.
Contact
Operator: Photon Labs Ltd
Email: Shelfd@photonlabs.dev
Regulator: Information Commissioner’s Office (ICO), ico.org.uk