Security

We take protecting your tasks seriously. Here's how Gumhop keeps your data safe — in plain terms — and how to report a problem.

How we protect your data

  • Encryption in transit. All traffic between your browser and Gumhop is served over HTTPS/TLS. Push notification payloads are encrypted to your device's keys.
  • Row-level access controls. Our database enforces, at the database level, that you can only read and write your own tasks, lists, rewards, profile, and settings — not anyone else's.
  • Password hashing. If you use email + password sign-in, your password is hashed and managed by our authentication provider. We never see, log, or store your password in plain text.
  • Secrets and keys. API keys you create are stored only as one-way hashes with a short display prefix; the full key is shown to you once at creation and can't be recovered by us. Service credentials are kept as server-side secrets and never exposed to the browser.
  • Minimal AI exposure. When AI parsing is on, only your task text (plus the date and your timezone) is sent to our AI provider — not your email or account identity. AI usage logs record token counts and timing, not your task content. You can turn AI parsing off entirely.
  • Least data shared. Each provider we rely on receives only what it needs.

What you can do

  • Use a strong, unique password (if using password sign-in), or stick with one-time code / magic-link sign-in.
  • Keep any API keys you generate secret, and revoke keys you no longer use.
  • Sign out on shared devices and disable notifications on devices you no longer control.

Reporting a vulnerability

If you discover a security issue, we want to hear from you — and we appreciate responsible disclosure.

  • Contact us privately to report the issue, with enough detail to reproduce it.
  • Give us a reasonable chance to fix it before any public disclosure.
  • Please don't access or modify other users' data, run automated attacks, degrade the service, or use destructive testing.

We'll acknowledge legitimate reports and work to address confirmed issues promptly. We don't currently run a paid bug-bounty program, but we're grateful for good-faith reports and happy to credit you if you'd like.

A note on reality

Gumhop is built and maintained by an independent maker, and no service can promise perfect security. We follow sensible practices and keep your data exposure small. For more on what we collect and why, see our Privacy Policy.