StayKnown Security Disclosure & Platform Integrity Policy for responsible vulnerability reporting and safety-system protection.
Security matters because StayKnown may involve Visit sessions, LIVE safety sharing, SOS alerts, trusted contacts, location context, Safety Gallery images, chat, stories, stickers, translation, payments, device checks, and abuse-prevention signals.
1) Security summary
StayKnown uses security and integrity controls to protect users, contacts, minors, safety sessions, account access, location reliability, notifications, payments, and abuse-prevention systems. This policy explains how security reports should be handled and what behavior is prohibited.
2) Security principles
- Protect safety first: security testing must never endanger a user, contact, minor, responder, or the public.
- Respect privacy: do not access, copy, expose, change, delete, or share data that does not belong to you.
- Respect consent: do not test against another person’s account, device, contact list, live link, media, chat, or safety session without permission.
- Minimize harm: stop testing immediately if you discover a weakness that could expose people or disrupt safety features.
- Report privately: send security findings to support@stay-known.com and allow review before public disclosure.
- No abuse: security research must not become stalking, harassment, fraud, extortion, scraping, spam, or service disruption.
3) Reporting vulnerabilities
If you believe you found a security vulnerability, report it privately and clearly.
- Use the subject line: Security Disclosure — StayKnown.
- Describe the issue, affected page, app, API, backend, storage bucket, Edge Function, payment flow, chat flow, map flow, or feature.
- Explain the likely security or safety impact.
- Include safe reproduction steps that do not expose another user’s data.
- Include screenshots, logs, request IDs, timestamps, test account IDs, browser/device details, or app version if safe.
- Do not include personal data belonging to other users unless absolutely necessary to explain the risk.
- Do not publicly disclose sensitive details before StayKnown has had time to investigate.
Examples of issues worth reporting:
- A route exposes data without authentication.
- A signed live-map link can be reused outside its intended limits.
- A user can access another user’s Safety Gallery image.
- A chat media URL can be opened without permission.
- A rate limit can be bypassed to send excessive alerts.
- A payment webhook or receipt flow can be manipulated.
4) Good-faith security research
Good-faith research means testing in a way that is limited, responsible, lawful, privacy-preserving, and safe. StayKnown values reports that help protect users without causing harm.
- Use only accounts, devices, contacts, media, sessions, payments, and data you own or have explicit permission to test.
- Keep testing limited to the minimum needed to prove the issue.
- Avoid service disruption, bulk traffic, spam, false SOS, mass contact alerts, or automated attacks.
- Stop immediately if you access another person’s data or affect safety features.
- Report promptly and privately.
- Do not demand payment, threaten disclosure, or use the issue for leverage.
5) Prohibited security testing and misuse
The following conduct is not allowed, even if described as research.
- Accessing, copying, changing, deleting, or exposing another user’s data.
- Testing against accounts, devices, contacts, live sessions, minors, or safety flows without permission.
- Triggering false SOS alerts, fake Visit sessions, fake Manual Captures, or misleading notifications.
- Sending spam, mass alerts, mass emails, repeated notifications, or mass contact requests.
- Testing that interrupts Visit, LIVE, SOS, chat, notification, payment, wallet, or contact approval flows.
- Denial-of-service attacks, load testing, stress testing, brute forcing, credential stuffing, scraping, or automated abuse.
- Reverse engineering, bypassing device integrity checks, fake GPS/spoofing, VPN bypass abuse, emulator misuse, bot activity, or API abuse.
- Attempting to defeat plan limits, rate limits, subscription checks, wallet rules, payment verification, or premium gates.
- Attempting to bypass block/report restrictions, consent flows, contact approvals, child safety protections, or anti-stalking controls.
- Publicly disclosing exploitable details before StayKnown can investigate and mitigate.
6) Account and identity security
Users are responsible for keeping account access secure. StayKnown may use authentication, device, session, and abuse-prevention controls to protect accounts.
- Do not share passwords, login links, one-time codes, recovery codes, or account access.
- Keep your email account secure because it may be used for account recovery or important notifications.
- Use a secure device lock and avoid leaving your device unlocked around people you do not trust.
- Do not impersonate another user, contact, guardian, responder, support agent, emergency official, law enforcement officer, or StayKnown staff.
- Do not create accounts for scams, stalking, harassment, fraud, false emergencies, or bypassing bans.
- Report unauthorized access or suspicious account activity immediately.
7) Device and app integrity
StayKnown safety features depend on honest device state, operating system permissions, network conditions, and user behavior.
- Do not tamper with the app, modify app code, patch runtime behavior, inject tools, hook functions, or alter network calls.
- Do not use fake GPS, spoofed sensors, rooted/jailbroken manipulation, emulator abuse, automation, or scripts to mislead safety features.
- Do not bypass biometric/device-level protection where required.
- Do not interfere with push notifications, background location, Visit state, SOS state, manual capture state, or location updates.
- Do not use another person’s device to start, stop, or manipulate safety sessions without authorization.
- Keep your phone, browser, operating system, and app updated for security and reliability.
8) Location integrity and safety signals
Location integrity is critical to StayKnown. Users must not manipulate location or reliability signals to mislead contacts, responders, support, or the platform.
- Do not spoof location, fake route movement, or create false safety records.
- Do not interfere with location permissions to mislead contacts during a safety event.
- Do not use fake location tools, automation, emulators, modified apps, or network manipulation to deceive StayKnown.
- Do not use location metadata to stalk, threaten, shame, expose, punish, or control another person.
- Treat location and time data as approximate and subject to network/device delay.
- If location is wrong during a safety event, use direct communication and emergency services where needed.
9) VPN, network, and reliability integrity
StayKnown may warn, restrict, or block certain flows when VPN or network behavior affects safety reliability, abuse prevention, or location confidence.
- Do not use VPN, proxies, Tor-like routing, network manipulation, or high-risk network tools to bypass restrictions.
- Do not use VPN to hide abusive behavior, avoid enforcement, manipulate location reliability, or bypass region/payment/security controls.
- Do not bypass app-launch VPN checks, chat VPN gates, live-map rules, or mid-Visit VPN disruption rules.
- Do not use network tools to intercept, replay, forge, alter, or modify StayKnown requests.
- Do not interfere with email delivery, push notifications, live links, map links, payment callbacks, webhook verification, or alert delivery.
- Mid-Visit VPN activation may reduce safety confidence and may trigger a warning or a session stop where configured.
10) API, automation, and abuse controls
StayKnown may apply rate limits, device checks, API controls, plan limits, storage policies, and anti-abuse protections to maintain safety and reliability.
- Do not abuse APIs, scrape data, enumerate users, or probe private endpoints.
- Do not automate account creation, contact invites, alerts, chat messages, stickers, media uploads, story posts, reports, payments, or withdrawals.
- Do not bypass rate limits, quota limits, plan gates, subscription checks, or paid feature restrictions.
- Do not interfere with Supabase, Edge Functions, storage, signed URLs, email systems, push systems, translation systems, payment systems, or map/live-link routes.
- Do not attempt to discover private buckets, storage paths, message IDs, user IDs, token formats, webhook secrets, or link signatures by brute force.
- Do not use bots to spam reports, contacts, messages, alerts, approvals, payments, or support.
11) Chat, stories, stickers, voice, and media security
Chat and media features may carry private communication and safety context. They must not be abused, attacked, or bypassed.
- Do not access another user’s chat, attachments, stickers, voice notes, stories, profile media, files, location context, or Safety Gallery images.
- Do not upload malware, harmful files, deceptive links, spyware, phishing content, credential theft content, or abusive media.
- Do not exploit sticker, media, voice, music, video, file upload, trimming, storage, or preview flows.
- Do not bypass block, report, plan-gate, translation, VPN, media, or privacy controls.
- Do not use chat to phish for login codes, payment details, identity information, contact information, or private safety data.
- Do not use stories or profile surfaces for impersonation, stalking, harassment, coercion, or targeting.
12) Payments, coins, subscriptions, and wallet safety
If StayKnown includes subscriptions, in-app purchases, coins, wallet, transfers, withdrawals, or receipts, those flows must be used lawfully and securely.
- Do not exploit purchases, receipts, webhooks, balances, ledgers, outbox jobs, refunds, chargebacks, or withdrawals.
- Do not use payments, coins, subscriptions, or wallet features for fraud, laundering, illegal funding, scams, deception, extortion, or chargeback abuse.
- Do not impersonate another user to receive coins, payments, refunds, withdrawals, benefits, or plan access.
- Do not attempt to bypass plan entitlements, subscription expiry, failed-payment state, or server-side verification.
- Do not manipulate receipts, webhook payloads, payment provider references, subscription records, wallet balances, or ledger entries.
- Report wallet or payment security issues privately.
13) Contacts, notifications, and email security
Contact and alert systems must remain trustworthy. Abuse can cause fear, harassment, confusion, false emergency response, or unsafe escalation.
- Do not add contacts without permission, lawful basis, or a legitimate safety relationship.
- Do not spam contacts or repeatedly trigger alerts.
- Do not forge, replay, alter, or manipulate safety emails, approval pages, live links, notification payloads, or map links.
- Do not use alert links, live links, or email previews to mislead recipients.
- Do not interfere with contact approval, invite, decline, expiration, removal, or consent flows.
- Do not use notification systems for phishing, threats, scams, impersonation, harassment, or fake emergencies.
14) Data protection and access boundaries
StayKnown data access must stay limited to authorized users, lawful purposes, and required service operation.
- Do not access another person’s profile, contact list, location, Visit, SOS, chat, story, media, wallet, subscription, payment, or Safety Gallery data.
- Do not attempt to bypass row-level security, storage policies, signed URLs, JWT checks, session checks, backend validation, RPC authorization, or webhook verification.
- Do not exfiltrate data or test with real user data.
- Do not publish private records, screenshots, links, coordinates, message content, account data, payment data, or contact information.
- Do not use leaked, scraped, guessed, phished, or stolen credentials.
- Do not attempt to reverse engineer private database structure, Edge Functions, SQL rules, storage paths, or security rules for abuse.
15) Monitoring, restrictions, and enforcement
StayKnown may use monitoring, logging, rate limits, restrictions, and enforcement to protect safety and platform integrity.
- Suspicious activity may trigger review, throttling, temporary restriction, or permanent ban.
- Accounts, devices, networks, payment methods, contacts, or identifiers may be restricted when abuse is detected.
- Features may be limited to prevent spam, stalking, harassment, fraud, false SOS, payment abuse, API abuse, or system abuse.
- Reports, appeals, security events, and enforcement records may be retained where appropriate.
- StayKnown may preserve records where required by law or needed to investigate abuse, fraud, security incidents, or threats.
16) Security incident response
When StayKnown identifies a credible security issue, it may take steps to reduce harm and protect users.
- Review the report and assess severity.
- Mitigate or fix the issue where possible.
- Restrict abused features, endpoints, accounts, devices, payments, or networks.
- Rotate keys, invalidate sessions, revoke tokens, update signatures, or tighten policies where needed.
- Preserve logs relevant to the incident.
- Notify users, partners, platforms, regulators, or authorities where required by law or safety needs.
- Improve monitoring, rate limits, validation, storage policies, RLS, backend checks, and policy language after review.
17) User responsibilities
Security is shared. Users must protect their accounts, devices, contacts, and safety features.
- Keep your phone, operating system, browser, and StayKnown app updated.
- Use device lock, biometric protection where available, and secure email access.
- Do not share passwords, login links, one-time codes, or account access.
- Do not leave an active safety session unattended on an unlocked device.
- Review contacts and remove people who should no longer receive alerts.
- Report suspicious activity, unwanted alerts, unknown contacts, strange account behavior, or suspected account access.
- Use emergency services directly if immediate danger exists.
18) Minor and vulnerable-user safety
Security issues involving minors, vulnerable people, coercion, stalking, exploitation, or immediate harm are treated seriously.
- Do not test against minor accounts, guardian flows, school/community flows, or vulnerable users without explicit lawful permission.
- Do not use StayKnown to groom, exploit, threaten, control, stalk, shame, or track a minor.
- Reports involving minors may require urgent review and record preservation.
- If a minor is in immediate danger, contact local emergency services, child-safety authorities, guardians, or appropriate authorities first.
- Security reports involving minors should be sent privately and safely.
19) Nigeria, United States, United Kingdom, EU, and global security context
Security risks, privacy obligations, emergency-response expectations, payment rules, telecom reliability, and official-request processes differ by country. StayKnown may apply security and integrity controls based on risk, region, provider requirements, platform requirements, and applicable law.
- In Nigeria, network conditions, power supply, rural coverage, road conditions, device quality, and provider delays may affect safety alerts, maps, and location reliability.
- Do not use fake GPS, VPN abuse, scams, phishing, impersonation, false SOS, payment abuse, wallet abuse, or contact spam to misuse StayKnown.
- Security incidents involving fraud, extortion, kidnapping concerns, child-safety concerns, stalking, harassment, or urgent harm may require preservation and lawful review.
- If immediate danger exists, use appropriate local channels, which may include trusted family, local police, medical help, FRSC, NSCDC, NEMA, state emergency agencies, private security, child-safety authorities, or nearby responsible responders depending on the situation.
- StayKnown does not replace Nigerian police, ambulance, hospitals, fire service, road safety, civil defence, disaster management, child-protection authorities, or any official authority.
- In the United States, StayKnown is not 911, law enforcement, EMS, fire department, child protective services, or rescue service.
- In the U.K. and EU, StayKnown is not 999, 112, police, ambulance, fire service, safeguarding authority, child-protection authority, or official emergency dispatch.
- European users may have stronger privacy, security, data minimization, notification, and legal-process expectations.
- Users in all countries must follow local laws on cybersecurity, privacy, child safety, stalking, harassment, emergency-service misuse, payment fraud, telecom rules, and platform integrity.
20) Legal cooperation and preservation
StayKnown respects applicable law and may respond to valid legal process. It may preserve logs and records where required by law or reasonably needed to investigate abuse, fraud, threats, security incidents, or safety risks.
- StayKnown may preserve relevant records for security investigations.
- StayKnown may disclose information if required by law or necessary to protect rights and safety, prevent fraud, prevent harm, or enforce policies.
- StayKnown may cooperate with valid emergency or legal requests where appropriate.
- StayKnown does not support covert surveillance or unlawful monitoring.
- StayKnown may reject or narrow requests that are overbroad, unsafe, unlawful, unclear, or connected to abuse.
21) Contact and related policies
For security disclosures, abuse reports, account safety issues, legal requests, or platform-integrity concerns, contact StayKnown support. For immediate danger, contact your local emergency number first. Suggested subject lines:
- Security Disclosure — StayKnown
- Account Security Issue — StayKnown
- Platform Integrity Concern — StayKnown
- Abuse Report — stalking / harassment / misuse
- Child Safety Report — minor-related concern
- Legal Request — StayKnown account / session
Related policies:
- How StayKnown processes account, location, contact, chat, media, payment, security, retention, and lawful-request data.
- Anti-stalking, anti-harassment, anti-coercion, false emergency, and trusted-contact safety rules.
- Detailed prohibited-use rules for accounts, chat, media, stories, location, alerts, payments, and contacts.
- Visit sessions, LIVE sharing, SOS, manual capture, chat maps, VPN gates, and accuracy limits.
- Report stalking, harassment, false SOS, unwanted contact, impersonation, fraud, or unsafe behavior.
- StayKnown is not an official emergency service in Nigeria, the U.S., the U.K./EU, or any country.
22) Changes to this Security Disclosure & Platform Integrity Policy
StayKnown may update this policy to reflect new security controls, vulnerability-reporting processes, platform integrity systems, API limits, VPN rules, location reliability controls, payment systems, legal requirements, provider limitations, country-specific expectations, or operational needs. If updates are material, StayKnown may provide notice through the app, website, email, or another reasonable method.
Appendix A — In-app short security notice
Do not bypass StayKnown security controls, abuse APIs, manipulate location, fake GPS, interfere with VPN/device integrity checks, access another user’s data, disrupt Visit or SOS flows, exploit chat/media/payment systems, spam contacts, or test the Service in ways that put people at risk. Report security issues privately to support@stay-known.com with the subject “Security Disclosure — StayKnown.” StayKnown may apply rate limits, device checks, VPN gates, payment checks, anti-abuse protections, restrictions, record preservation, and lawful cooperation to protect users and platform integrity.