Security
The short version: encrypted at rest, EU-region data, no profiling analytics, and a real person reads disclosures the day they arrive.
Where your data lives
Files: Cloudflare R2, encrypted at rest, served via Mihn's signed URLs.
Account data: Supabase Postgres, EU regions. Authentication tokens are scoped to your session and rotated on a regular cadence.
Transport: TLS 1.2+ everywhere. HTTPS is enforced at the edge.
What we don't run
No third-party analytics that profile you. No Google Analytics, no Facebook Pixel, no session recording, no behavioural ad retargeting. Our self-hosted analytics record anonymous page views only.
Responsible disclosure
If you've found a security issue, write to founder@mihn.app. A real person reads it the day it arrives. We'll acknowledge within 48 hours and give you an honest timeline for the fix.
We don't have a formal bounty program yet, but we'll credit researchers who report responsibly in our changelog, and we'll send a small thank-you (gift card or equivalent) for valid findings until a proper program exists.
Status
We're working on a public uptime page. Until it's live, incident updates go out via email to all active accounts and are posted on founder@mihn.app.

