pogoprompt.ai

Security

How we keep pogoprompt itself secure. (Separately, every pack you generate ships with a plain-language pre-launch security checklist for the app you build.)

Your account

Sign-in is handled by a managed authentication provider — we never store plaintext passwords. You can use email and a password or a Google/GitHub account, and your session is kept in a signed, HttpOnly cookie.

Payments

Subscriptions and top-ups go through Stripe's hosted checkout, so pogoprompt never sees or stores your card details. Payment events arrive over signature-verified webhooks, so your access reflects only real, confirmed payments.

Enforced on our servers

Your plan allowances, credits, and paid access are checked on our servers — never trusted from the browser. Inputs are validated, requests are rate-limited, and each request runs under a spending ceiling, so the service stays predictable and abuse-resistant.

Data & secrets

Every secret lives in an environment variable, never in our code or the packs we generate. Traffic is served over HTTPS, and we keep the personal data we hold to a minimum. For how your idea text is processed by AI providers, see the AI processing disclosure.

What pogoprompt doesn't do

pogoprompt plans your app and hands it off — it doesn't build, run, host, or deploy your app, and it never reads your build back. The security checklist in your pack is a starting point, not an audit: get a professional security review before you launch anything that handles real users, money, or personal data.

Reporting a problem

Found something that looks wrong? Email contact@pogoprompt.ai and we'll take a look.

pogoprompt is a young product and doesn't yet hold formal security certifications (such as SOC 2). The binding terms — including the warranty disclaimer and limitation of liability — are in the Terms, and plans are provided as-is.