Security Policy

Last updated: 2026-01-03

1. Introduction

We take the security of tactac.love, your data, and your personalised videos seriously. This Security Policy describes the technical and organisational measures we use to protect your information, and how you can contact us if you discover a potential issue.

This Security Policy supplements our Privacy Policy and Terms & Conditions.

2. Our Security Principles

  • Data minimisation – we only process data that is necessary to provide the service.
  • Confidentiality – access to data is restricted to authorised systems and personnel.
  • Integrity – we aim to prevent unauthorised modification of data or content.
  • Availability – we use redundant cloud infrastructure to improve service reliability.
  • Transparency – we describe our security and data practices openly in this policy.

3. Infrastructure & Hosting Security

tactac.love runs on modern cloud infrastructure. We use reputable cloud providers for hosting, storage and AI processing. These providers operate secure data centres with physical and network-level protections.

Key measures include:

  • encrypted transport via HTTPS (TLS) between your browser and our servers;
  • segregation of production and development environments;
  • access control and authentication for administrative interfaces;
  • regular OS and framework updates to address known vulnerabilities.

4. Application Security

The tactac.love application is built with security in mind, following modern framework best practices and defence-in-depth concepts.

  • Input validation and sanitisation for user-provided values where appropriate.
  • CSRF protection and secure handling of forms and requests.
  • Use of well-maintained libraries and frameworks with security updates.
  • Logging and monitoring of technical errors to detect and investigate issues.

tactac.love does not use customer logins or persistent accounts. Orders are identified by secure tokens rather than user passwords, and tokens should be kept private by users.

5. Payment Security

We do not process or store credit card numbers ourselves. All payments are handled by Stripe, a certified payment provider. Stripe is responsible for:

  • secure collection and transmission of payment card data;
  • fraud prevention checks;
  • compliance with relevant payment security standards.

Our servers receive only the information required to associate your payment with your order (such as payment status and a transaction ID), not your full card details.

6. AI & Video Processing Security

To generate your personalised video, we use AI and media services such as Google Veo, Google Transcoder and Google Cloud Storage, as described in our AI Use Policy.

Security measures in this area include:

  • transmitting only the minimum necessary data (e.g. first name, template choices);
  • no transmission of email addresses or payment data to AI services;
  • using secure APIs and encrypted connections to cloud and AI providers;
  • automatic deletion of intermediate rendering artefacts when no longer needed.

Videos are stored for a limited time (normally 30 days) and then automatically deleted from our storage environment.

7. Email, Links & Abuse Protection

We use SendGrid (Twilio) to send transactional emails such as order confirmations and video links. Links may include unique tokens to identify your order or video.

Security measures include:

  • unique, hard-to-guess tokens for order and video URLs;
  • Google reCAPTCHA to reduce automated abuse and fraudulent activity;
  • internal checks to detect unusual or abusive usage patterns.

If you optionally provide a recipient’s email address for direct delivery, the email is sent once. You are responsible for entering the correct email and for having permission to share it with us and to send the greeting to that person.

8. Data Retention & Deletion

Personalised videos and related assets are typically stored for up to 30 days to allow playback, download, redelivery and optional “send to recipient” delivery.

After this period, videos are routinely deleted from our storage systems and are no longer available. Other data (for example payment records) may be kept longer where required by law or for legitimate business purposes, as described in our Privacy Policy.

9. Your Responsibilities

While we take reasonable measures to protect your data, security also depends on how you use the service. In particular, you should:

  • keep order and video links private and share them only with trusted people;
  • avoid entering sensitive personal information in optional messages;
  • ensure your device and browser are up to date and free from malware;
  • only provide recipient emails where you have consent or another legal basis.

10. Responsible Disclosure of Vulnerabilities

We welcome good-faith reports of potential security vulnerabilities in tactac.love or its infrastructure. If you believe you have found a vulnerability, please follow these guidelines:

  • Do not access, modify or delete data belonging to other users.
  • Do not perform attacks that degrade or interrupt the service (e.g. denial of service).
  • Do not publicly disclose details of the vulnerability before we have had reasonable time to investigate and address it.
  • Provide a clear description and, if possible, steps to reproduce the issue.

If you act in good faith and follow these guidelines, we will not take legal action against you solely for reporting the issue to us.

11. Changes to This Security Policy

We may update this Security Policy from time to time to reflect new security practices, changes in infrastructure, or legal requirements. The latest version is always available on this page.

12. Contact

If you have security questions or want to report a vulnerability, you can contact us at:

discover IT GmbH

Gondiswilerstrasse 12

CH-6146 Grossdietwil

Switzerland
