Mapspoto

Architecture overview

MapSpoto uses Expo / React Native on the frontend and Supabase for authentication, database, storage, and realtime features on the backend.

The stack itself is not a security guarantee, but it gives us mature building blocks for authentication, permissions, and database controls that we can use to enforce stricter access rules.

Database access control

MapSpoto uses PostgreSQL Row Level Security (RLS) to restrict data access.

This means regular clients can only read data they are permitted to see. They cannot access other users' non-public data through normal app interfaces.

We do not publish large SQL policies directly on the website, but we do keep reviewing and tightening database access rules.

Account and password security

The account system is built on Supabase Auth.

Developers cannot see your plaintext password. Password storage and verification are handled by the authentication system.

Frontend key handling

The app frontend uses only a restricted anonymous access key (Anon Key) to connect to the backend.

High-privilege service keys are not embedded in frontend code or bundled into the app.

Security checks

We use third-party tools and platform features to check for common security issues, for example:

  • Supabase Security Advisor to review database, RLS, and storage access settings.
  • Dependency security scanning to detect known issues in third-party packages.
  • Code scanning tools to look for common security mistakes and misconfigurations.
  • Secret scanning to confirm that high-privilege keys or sensitive environment variables were not committed by mistake.
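As an added illustration of the key-handling rule and the secret-scanning check described above (example code, not MapSpoto's own tooling): the sketch below scans bundle text for JWT-format API keys and flags any whose role claim is not the anonymous role. It assumes the keys are JWTs carrying a `role` claim of `anon` or `service_role`; the function names and sample keys are constructed for this example.

```javascript
// Added example: flag JWT-format API keys in a built bundle whose "role"
// claim is anything other than the allowed anonymous role.
// Assumption: keys are JWTs with a "role" claim (e.g. "anon", "service_role").

const JWT_RE = /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

// Decode the (unverified) payload segment of a JWT; null if it is not JSON.
function decodeClaims(token) {
  try {
    const b64 = token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
    return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  } catch {
    return null; // looked like a JWT, but the payload did not parse
  }
}

// Return one finding per embedded key whose role is not in allowedRoles.
function findPrivilegedKeys(bundleText, allowedRoles = ["anon"]) {
  const findings = [];
  for (const match of bundleText.matchAll(JWT_RE)) {
    const claims = decodeClaims(match[0]);
    if (!claims || typeof claims.role !== "string") continue;
    if (!allowedRoles.includes(claims.role)) {
      // Report role and position only; never echo the key itself into logs.
      findings.push({ role: claims.role, offset: match.index });
    }
  }
  return findings;
}

// Constructed sample keys (fake signature, no real project data).
function makeSampleKey(role) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc({ iss: "supabase", role })}.c2FtcGxlLXNpZw`;
}

const cleanBundle = `const SUPABASE_KEY="${makeSampleKey("anon")}";`;
const leakyBundle = `${cleanBundle}\nconst ADMIN_KEY="${makeSampleKey("service_role")}";`;

console.log(findPrivilegedKeys(cleanBundle)); // no findings
console.log(findPrivilegedKeys(leakyBundle)); // one finding, role "service_role"
```

A check like this fits as a release gate on the exported bundle; it complements repository secret scanning, which sees source and history but not what the bundler actually shipped.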

Recent improvement areas

  • Tightening public profile fields to reduce unnecessary exposure of personal information.
  • Removing overly broad public storage access so that entire buckets cannot be listed publicly.
  • Simplifying profile completeness rules so that contact details and similar sensitive fields are not treated as required profile signals.

Scope and limits

We will keep improving security settings and product logic, but we do not claim the app is “absolutely secure.”

Security is an ongoing process. If we find new problems, we will fix them and keep tightening our settings.

Canonical URL: https://www.mapspoto.com/security-practices/en/