Security & data
Your catalog photos are commercial assets. Here is how we treat them.
Infrastructure
- SwatchSwap runs on Cloudflare's global network. All traffic is encrypted in transit with TLS.
- Images are stored in Cloudflare object storage; account data lives in Cloudflare's database platform.
- The application is protected by a strict Content Security Policy and hardened response headers.
Your account
- Passwords are stored only as salted PBKDF2 hashes — never in clear text.
- Sessions are stored server-side as hashed tokens. Changing your password signs out all other devices.
Your images
- Uploads and results are private to your account and served only to your authenticated session.
- Your photos are shared only with the AI processor that generates your result — never with other users, never for model training.
- Generated results expire automatically (see Privacy) — we keep as little as the service needs.
Payments
All payments are processed by Stripe, a certified PCI Service Provider Level 1. Card details never touch our servers.
Access
Administrative access to production systems is limited to named staff and protected by authenticated sessions on an explicit allowlist.
Found a vulnerability?
We appreciate responsible disclosure. Write to support@swatchswap.app with details, and we will get back to you quickly. Please don't access data that isn't yours or disrupt the service while testing.
Last updated: July 5, 2026