Security Practices

1. Our Commitment

LoyaltyHero is dedicated to safeguarding customer and merchant data. As a modern, lightweight PWA operating on Google Cloud and Firebase infrastructure, we apply security-by-design principles to protect transactions, stamp card progress, and feedback records against unauthorized access and exploitation.

2. Data Encryption

• →In Transit: All communications between user browsers, the landing page, and our database APIs are encrypted using industry-standard TLS (Transport Layer Security) 1.2 or 1.3.
• →At Rest: Databases, configuration files, and backup storage volumes utilize AES-256 (Advanced Encryption Standard) managed by Google Cloud.

3. Authentication & Database Security

User authentication is managed securely using Firebase Authentication, protecting passwords and sessions from exposure:

• →Password Hashing: Passwords are never stored in plaintext and are hashed using secure, salted hashing functions.
• →Security Rules: Access to Firestore is protected by strict, server-side security rules that prevent users from accessing or modifying data that does not belong to them.
• →OTP Support: Support for one-time pins (OTPs) is utilized to verify identifiers and prevent credential stuffing.

4. PWA and Device Isolation

Because LoyaltyHero is built as a progressive web application (PWA), it runs inside the browser's sandbox. It has no direct access to your device's filesystem, native contacts, or hardware features unless you explicitly grant permissions (e.g., camera permission to scan QR codes). Authentication tokens are stored securely in the browser's protected local storage.

5. Anti-Abuse & Fraud Prevention

To prevent QR code abuse, stamp card exploitation, and fraud, we implement multiple automated layers of security:

• →Scan Cooldowns: Users are subject to a configurable cooldown (defaulting to 45 minutes) between consecutive scans at the same merchant.
• →Dynamic QR Verification: Temporary QR codes can be generated for single-use scan validation in delivery scenarios.

6. Incident Response & Reporting

We actively monitor system logs for suspicious patterns. In the event of a detected data breach or security incident, we follow a strict incident response framework. In compliance with the Philippine Data Privacy Act, any incident likely to cause a risk to user rights will be reported to the National Privacy Commission and affected users within 72 hours of discovery.

7. Vulnerability Disclosure

We welcome feedback from security researchers. If you believe you have discovered a vulnerability in the LoyaltyHero platform, please report it to us immediately at [email protected]. We request that you disclose it responsibly and avoid disrupting services or accessing unauthorized user data during your research.