Security & Data Protection

Your data is encrypted, access-controlled, and handled with care at every layer of our platform.

Our Security Approach

LetItRip employs a defence-in-depth strategy: every layer — from transport to storage to application logic — is hardened to protect your personal information.

Encryption at Rest

All personally identifiable information (PII) — names, emails, phone numbers, addresses — is encrypted with AES-256-GCM before it is written to our database. The encryption key is stored securely in our server environment and is never exposed to client-side code.

Privacy-Preserving Search

To look up records by email or phone without decrypting every row, we use HMAC-SHA256 blind indices. These one-way hashes let the server find your account instantly while keeping the underlying value unreadable at rest.
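An added example (not LetItRip's own code) of how the AES-256-GCM encrypted field from Encryption at Rest and the HMAC-SHA256 blind index described above work together for an email lookup. The keys, the in-memory table and every function name are assumptions made for illustration.

```javascript
// Added example, not the platform's code. Keys are constructed for the demo;
// on a real server they are loaded from server-side configuration.
const crypto = require('node:crypto');

const ENC_KEY = crypto.randomBytes(32);   // AES-256-GCM key (constructed)
const INDEX_KEY = crypto.randomBytes(32); // separate HMAC key for blind indices (constructed)

// Normalise so "Alice@Example.com " and "alice@example.com" index identically.
function normaliseEmail(email) {
  return email.trim().toLowerCase();
}

// Deterministic keyed hash: equal inputs give equal indices, enabling equality lookup.
function blindIndex(email) {
  return crypto.createHmac('sha256', INDEX_KEY).update(normaliseEmail(email)).digest('hex');
}

// Random 96-bit nonce per record; nonce and auth tag are stored beside the ciphertext.
function encryptField(plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', ENC_KEY, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptField(blob) {
  const raw = Buffer.from(blob, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', ENC_KEY, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the ciphertext or tag was modified.
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// In-memory stand-in for the database table (hypothetical schema).
const rows = [];
function insertUser(email) {
  rows.push({ emailIdx: blindIndex(email), emailEnc: encryptField(normaliseEmail(email)) });
}
function findByEmail(email) {
  const idx = blindIndex(email); // query by index; only the matching row is decrypted
  const row = rows.find((r) => r.emailIdx === idx);
  return row ? decryptField(row.emailEnc) : null;
}

insertUser('Alice@Example.com '); // constructed sample records
insertUser('bob@example.com');
```

A blind index still reveals which rows share the same value, and low-entropy fields such as phone numbers can be enumerated by anyone who obtains the index key, so that key needs the same protection as the encryption key and should be distinct from it.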

Transport Security

All connections between your browser and our servers are encrypted with TLS 1.2+ (HTTPS). API calls, form submissions, and file uploads are never transmitted in plain text.

Data Minimisation

We collect only the data necessary to process your orders and provide our services. Public-facing pages such as product listings and auction feeds never expose seller or buyer PII.

Access Controls

Firestore security rules enforce role-based access: only authenticated users can read their own data, and administrative endpoints require verified admin tokens. Server-side repositories are the sole gateway to the database — no direct client queries are permitted.

Secure Logging

Our structured logging system automatically redacts PII fields before writing to logs. Email addresses, phone numbers, and personal names are never stored in plain text in log output.

Real-Time Data Anonymisation

Live auction feeds and bidding activity shown on the site use anonymised identifiers. Your real name or email is never broadcast in real-time channels.

Secure File Uploads

All file uploads are staged locally and submitted to the backend via FormData. The server validates MIME types using magic-byte inspection — not just file extensions — to prevent malicious uploads.

CSRF & Injection Protection

Server Actions validate origin headers, and all user-generated HTML content is sanitised to prevent cross-site scripting (XSS). API routes use rate limiting backed by Redis to mitigate abuse.

Compliance & Your Rights

You can access, update, or delete your personal data from your account settings at any time. For data-related queries, contact us at privacy@letitrip.in.

Data Protection Flow

1. Your Browser: data entered in forms
2. TLS 1.2+: encrypted in transit
3. Server Action: validated & sanitised
4. AES-256-GCM: encrypted at rest
5. Firestore: stored securely

Last updated: June 2025

Questions About Security?

Read our full privacy policy or contact us directly with any data protection concerns.