Security and Data Handling

This page gives a practical summary of the security measures and operational controls intended to protect sepia.live systems and travel data.

Version 1.1. Effective date: May 13, 2026. Last updated: May 13, 2026.

Current security focus

  • Encryption in transit for production app traffic using HTTPS and TLS
  • Encryption at rest where supported by the underlying managed infrastructure and storage providers
  • Authentication and session controls for access to the app and admin interfaces
  • Role-based access controls for organizations and invited users
  • Operational logging and access records for security, diagnostics, and abuse prevention
  • Backup and recovery procedures designed to support service restoration
  • Incident triage, containment, and response procedures for suspected security events
  • Vendor and dependency review as part of ongoing product maintenance

Data handling principles

  • Collect only what is needed to operate the service, support users, and protect the platform.
  • Avoid sending personal information into analytics and marketing systems unless clearly intended and disclosed.
  • Restrict access to operational data to people and service providers who need it for support, hosting, or platform operation.
  • Transmit user data off-device over encrypted connections in the production service.

Retention and deletion

Data is retained for service delivery, support, troubleshooting, security, legal compliance, and legitimate business recordkeeping. Retention periods may differ by data type and operational need.

Requests for deletion, export, or access are handled through the privacy request process. Some records may need to be retained for security, fraud prevention, legal, or accounting reasons.

Operational security logs may be retained for up to 12 months, and encrypted backups may remain for up to 35 days before normal rotation completes.

Incident reporting

Suspected security issues, vulnerabilities, or data handling concerns can be reported to security@sepia.live. General privacy matters can be sent to privacy@sepia.live. Please include enough detail to reproduce the issue and a safe contact method for follow-up.