Security
The smallest data footprint we can ship.
Call-blocker apps have a bad track record. Most of them ask for your contacts, fingerprint your device for ad networks, and quietly broker your phone activity to data brokers. Ringdocket does none of that. Here's the actual posture, with the controls named so you can verify it.
Data handling
- Row-level security on every Supabase table. Default deny, granted selectively. Any new migration that adds a table ships with ALTER TABLE ... ENABLE ROW LEVEL SECURITY in the same file or it doesn't merge.
- Service-role keys are server-side only. They never ship in the iOS bundle, never run in the browser, and never appear in a client-readable env var. Privileged writes happen inside Cloudflare Workers behind JWT verification.
- User report notes are filtered for PII before write. Worker-layer regex strips E.164 phone patterns and runs a profanity filter before anything hits Postgres. Notes never render on public pages or analytics surfaces.
- The full IP is dropped after 30 days. Only the /24 subnet is retained, used for corroboration de-duplication.
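
One way to enforce the "RLS in the same migration file" merge rule from the first bullet is a CI lint over each migration. This is an added example, not Ringdocket's own code; it assumes migrations are plain SQL files, the table names in the sample are constructed, and quoted identifiers are compared case-insensitively as a simplification.

```javascript
// Added example: flag tables created in a migration without RLS enabled in that file.

// Remove SQL comments so a commented-out ALTER TABLE cannot satisfy the check.
function stripComments(sql) {
  return sql.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/--[^\n]*/g, " ");
}

// Drop quotes, lowercase, and default the schema to "public" (simplification).
function normalize(ident) {
  const parts = ident.replace(/"/g, "").toLowerCase().split(".");
  return parts.length === 1 ? `public.${parts[0]}` : parts.join(".");
}

// Optionally schema-qualified, optionally quoted identifier (one capture group).
const IDENT = String.raw`((?:"[^"]+"|\w+)(?:\.(?:"[^"]+"|\w+))?)`;
const CREATE_RE = new RegExp(
  String.raw`\bcreate\s+(?:unlogged\s+)?table\s+(?:if\s+not\s+exists\s+)?` + IDENT, "gi");
const RLS_RE = new RegExp(
  String.raw`\balter\s+table\s+(?:if\s+exists\s+)?(?:only\s+)?` + IDENT +
  String.raw`\s+(enable|disable)\s+row\s+level\s+security\b`, "gi");

// Returns tables created in this file whose final RLS state in it is not "enabled".
function tablesMissingRls(sql) {
  const clean = stripComments(sql);
  const created = new Set([...clean.matchAll(CREATE_RE)].map((m) => normalize(m[1])));
  const state = new Map();
  for (const m of clean.matchAll(RLS_RE)) {
    // Later statements win, so ENABLE followed by DISABLE is reported.
    state.set(normalize(m[1]), m[2].toLowerCase() === "enable");
  }
  return [...created].filter((t) => state.get(t) !== true);
}

// Constructed sample migration: the second table's ENABLE is commented out.
const SAMPLE_MIGRATION = `
create table public.reports (id uuid primary key, note text);
alter table public.reports enable row level security;
create table if not exists "Audit_Events" (id bigint);
-- alter table "Audit_Events" enable row level security;
create table delist_requests (id bigint);
ALTER TABLE public.delist_requests ENABLE ROW LEVEL SECURITY;
`;

const missing = tablesMissingRls(SAMPLE_MIGRATION);
console.log(missing.length ? `RLS missing: ${missing.join(", ")}` : "ok");
```

A CI job would run this over every changed migration file and fail the build when the returned list is non-empty.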
Authentication
- Supabase magic-link sign-in. No passwords stored, anywhere. The login link is single-use and expires.
- JWT verification on every authenticated worker route. The token is checked against the Supabase JWKS on each request — no shared session caches across users.
- Sessions are short-lived and refresh on activity. A stolen token's window of usefulness is hours, not days.
iOS app
- Tokens live in the Keychain. Authenticated state is confined to the main app target — not the App Group. The Call Directory Extension cannot read your auth token.
- Device fingerprint is a UUID v4 in the Keychain. Generated locally at first launch. Reinstalling the app generates a new UUID. We do not use Apple's IDFA, and we do not show the App Tracking Transparency prompt because we don't need it.
- No call recording. Audio never leaves your device. There is no microphone access requested by the app.
- No contacts access. The block list is delivered to iOS through the Call Directory Extension; matching happens on-device.
- No third-party tracking SDKs. No Facebook SDK, no AppsFlyer, no Branch, no advertising attribution networks. Crash and product analytics use pseudonymous IDs only, with phone numbers and UUIDs scrubbed before transmission.
Infrastructure
- TLS for all traffic. Device to API, API to Supabase, Supabase to subprocessors.
- Cloudflare rate limiting on abuse-prone endpoints (signup, report submission, delist form).
- Point-in-Time Recovery on the primary database.
- Audit logs in R2 for forensic review of administrative actions.
What we don't do
No call recording. No on-device or cloud-side machine learning over your personal data. No third-party tracking SDKs. No contacts upload. No GPS or precise location. No selling, sharing, or transferring personal information to data brokers, advertisers, or any third party for commercial purposes. The full statement is in the Privacy Policy.
Vulnerability disclosure
If you've found a vulnerability in Ringdocket, email [email protected] with a clear description and steps to reproduce. We respond within 72 hours. Please do not run automated scans against the production domain — it triggers our rate limiters and creates noise that buries real reports.