Trust & safety
Security
How we protect operator data, patron privacy, and platform integrity. Last updated: 3 May 2026.
Encryption
In transit and at rest
In transit — TLS 1.2+
All traffic between operators, patrons, and MYSOVA servers is encrypted using TLS 1.2 or TLS 1.3. HTTP connections are redirected to HTTPS. HSTS is enforced at the CDN edge.
At rest — AES-256
All data stored in our Supabase-hosted Postgres database is encrypted at rest using AES-256. Database backups are encrypted with the same standard. Storage bucket objects (profile photos, lounge attachments) inherit volume-level encryption.
GDPR & ICO Registration
UK data protection compliance
MYSOVA LTD (company number 17154283) is a UK-registered data controller. We have filed our registration with the Information Commissioner's Office (ICO) and comply with the UK GDPR and Data Protection Act 2018.
Venue operator data is processed under the lawful basis of contract performance. Patron data that powers your analytics is received from MYSOVA as anonymised aggregates — no individual patron is identifiable in your dashboard.
Data subjects (operators and patrons) may exercise access, rectification, erasure, restriction, portability, and objection rights by contacting privacy@mysova.co.uk. We respond within one calendar month.
Full details are in our Privacy Policy.
Data Residency
EU-hosted infrastructure
| System | Provider | Region |
|---|---|---|
| Primary database & auth | Supabase (AWS eu-central-1) | EU — Frankfurt |
| Object storage | Supabase Storage | EU — Frankfurt |
| Edge compute & CDN | Vercel | Global edge / EU PoPs |
| Error monitoring | Sentry | US (anonymised payloads) |
| Payment processing | Stripe | US / EU |
| Transactional email | Resend | US |
Transfers outside the UK/EU rely on standard contractual clauses (SCCs) and the UK IDTA. Full subprocessor list available in the Privacy Policy.
Row-Level Security
Database access isolation
All MYSOVA tables use Postgres Row-Level Security (RLS) enforced by the database engine itself. Policies are evaluated per row, per query, regardless of which application code issues the query, so a request made with the public API keys cannot bypass them. The only key that bypasses RLS is the service-role key described below.
- Venue analytics rows are scoped to the authenticated owner of that specific venue. An operator cannot read another venue's rows even with a valid JWT for their own account: the policy checks the caller's identity against the venue owner on every row returned.
- Patron-level data surfaces only in anonymised aggregates. Individual patron identifiers are never accessible to venue owners via the API or dashboard.
- Service-role operations (migrations, admin tasks) run via a separate service-role key. That key bypasses RLS by design, so it is kept isolated from public-facing API surfaces.
- All RLS policies are version-controlled and reviewed in the same pull-request workflow as application code.
PCI Compliance & Billing
Stripe-managed, no raw card data stored
All payments are processed by Stripe, a PCI DSS Level 1 certified payment processor. MYSOVA does not store, transmit, or process raw card numbers, CVVs, or full bank details on our servers.
Card data is collected directly by Stripe's hosted elements and tokenised before touching MYSOVA infrastructure. We receive only a Stripe customer ID, payment method token, and subscription status.
Subscription management (upgrades, downgrades, cancellations) is handled via the Stripe customer portal. Invoices and receipts are issued by Stripe and forwarded to your billing email.
Webhook Signature Verification
HMAC-SHA256 on every event
MYSOVA verifies the authenticity of every inbound webhook using HMAC-SHA256 signatures. Requests with invalid or missing signatures are rejected with HTTP 400 before any payload is parsed.
- Stripe events: verified using `stripe.webhooks.constructEvent()` with the endpoint-specific signing secret.
- Outbound operator webhooks (party/group check-ins, tier events): signed with an HMAC-SHA256 digest carried in the `X-MYSOVA-Signature` header. Verify the digest over the raw request body exactly as received, before parsing it; a re-serialised JSON body will not match. Rotate your signing key from the dashboard at any time.
Refund Policy
30-day money-back on first subscription
Operators who upgrade to any paid tier for the first time can request a full refund within 30 calendar days of the charge. No questions. This matches the Notion-style standard that serious SaaS operators expect.
After 30 days or on subsequent billing cycles, subscriptions may be cancelled at any time. Access continues until the end of the paid period; no partial refunds are issued for unused time. Promotional discounts carry no cash value.
These terms are enforced in the billing system — not just in the Terms of Service. To request a refund, email billing@mysova.co.uk with your invoice number.
Two-Factor Authentication
Planned
TOTP-based two-factor authentication for operator accounts is on the roadmap. When shipped, 2FA will be opt-in initially and may become mandatory for Partner and Marquee tier accounts in a future release. We will communicate timelines with at least 30 days' notice.
Responsible Disclosure
Report a vulnerability
If you discover a security vulnerability in MYSOVA, we ask that you report it to us privately before disclosing publicly. We commit to:
- Acknowledge your report within 5 business days.
- Provide a status update within 30 days of receipt.
- Credit you in our changelog if the issue leads to a fix (unless you prefer anonymity).
- Not take legal action against researchers acting in good faith.
Email: security@mysova.co.uk
MYSOVA and the owl device are trademarks of MYSOVA LTD (UK00004373417 / UK00004373474). This page describes current practices; aspirational items are marked “Planned”.