Your business runs on trust. So does ours.
Whether you cut hair, run a studio, or see clients one-on-one, people share names, contact details, and payment info with you. StayBooked is built the same way many modern apps you already use are built: proven partners handle sign-in, hosting, cards, and email, so security is not an afterthought. Here is what that means for you, without the jargon.
Card numbers never live on our computers
When someone pays a deposit or a subscription, Stripe handles the card. We never store full card numbers or security codes, so there is less for anyone to steal from us.
Your core data stays in Canada
Your bookings, client records, and files you upload with us are stored in Canada. That matters if you, or your clients, expect Canadian hosting.
Encrypted, signed-in, and carefully limited access
Connections are encrypted (the lock icon in the browser). Logins and permissions are managed by specialists. Our partners publish how they are audited, so you are not taking our word alone.
Who actually holds what
No single company does everything. Below is the split: who stores your data, who sends your emails, who runs the website, and who touches payments. Each name links to their own security and trust pages if you want to read the fine print.
Supabase: sign-in, records & file storage
Supabase powers logins, your workspace database, and who can see what inside your account. Logos, photos, and other files you upload live in storage they run for us.
Those files sit on Amazon's cloud storage in the same region as your data. For StayBooked, that region is Canada (Central).
Stripe: when clients pay you
Deposits, subscriptions, and card checkout go through Stripe, the same kind of payments stack millions of businesses already use. Cards are entered and kept inside Stripe's systems, not pasted into ours.
We do not keep full card numbers in StayBooked. Stripe is certified at the highest industry level for card processing (PCI DSS Level 1), which is what banks and card brands expect from a processor.
Resend: booking emails & reminders
Confirmations, reminders, and other automated messages go out through Resend. Messages are sent over encrypted connections, the way you would expect from a serious email provider.
If your landlord, franchise, or professional body asks for proof that vendors are audited, Resend publishes security materials including a SOC 2 Type II program you can reference.
Vercel: where the app and marketing site live
When someone opens StayBooked in the browser, the pages are served from Vercel, a hosting platform built for fast, modern web apps. Traffic is encrypted in transit (HTTPS).
Vercel undergoes independent security reviews, including SOC 2 Type II. Details and how to request reports are on their security page.
Amazon Web Services: under the hood for files
The files Supabase stores for you ultimately sit in Amazon S3in your project's region. AWS is responsible for the physical data centres and global compliance program; we and Supabase are responsible for how we configure and use those services.
That split is normal: you get enterprise-grade infrastructure without running your own servers.
Paperwork, audits, and “prove it to my bank”
Official certificates and audit reports are issued to the companies that earn them, not to StayBooked as a label we can paste everywhere. If you have strict rules (health privacy, franchise IT, insurance questionnaires), you should read each partner's terms, subprocessors list, and data-processing agreements directly. We are honest about that because your reputation matters.
- Supabase: Trust centre and security docs; SOC 2 and related reports may be available depending on their program (Supabase Security).
- Stripe: Top-tier card-industry certification (PCI DSS Level 1); SOC and similar reports often require an NDA through Stripe (Stripe Security).
- Vercel: SOC 2 Type II and more; how to request copies is on their site (Vercel Security).
- AWS: Broad compliance coverage for the infrastructure behind your stored files (AWS Compliance).
- Resend: SOC 2 Type II program and public security overview (Resend Security).
Companies behind the scenes
Names and logos belong to their owners. We show them so you know who we work with, not to imply they endorse your business.
Some behind-the-scenes activity (like support tools or email routing) may touch servers outside Canada depending on how each partner runs their service. Their sites explain exactly where and how. Need a vendor form, privacy addendum, or other paperwork? Reach out the same way you do for billing or help, and we will point you in the right direction.