Security at Rehabfolio
Rehabfolio is an early-access product built on Cloudflare infrastructure. This page describes what the system does today, plainly — no compliance theater, no badges we have not earned.
Workspace isolation
Every record — projects, budgets, expenses, files, invites — is scoped to a workspace and checked server-side on every request. Mutations re-verify that the row being changed belongs to your workspace before writing; cross-workspace access is refused. Team members carry role-based access: owner, admin, member, or viewer.
Where your data lives
Workspace data is stored in a Cloudflare D1 database. Uploaded files — walkthrough photos, receipts, documents — live in Cloudflare R2 object storage. Infrastructure runs on Cloudflare's network; we do not operate separate data centers.
API keys & signed webhooks
Workspace API keys (fc_live_… ) are shown once at creation and stored only as a SHA-256 hash with a short prefix for identification — we cannot recover a lost key, only revoke it. Outbound webhooks and automation deliveries are signed with HMAC SHA-256 in the X-Rehabfolio-Signature header, so receivers can verify payloads against the signing secret before acting on them.
Public links you can revoke
Project update share links and the calendar feed are token-gated public URLs. Each can be rotated or revoked individually, and Settings → Security & data inside the app includes a "Revoke all public links" control that kills every active share at once. The same screen summarizes your exposure: active API keys, webhooks, and public links.
Analytics without trackers
Product analytics are first-party only: anonymous page-view and click events recorded in our own database. There are no third-party trackers, ad networks, or external analytics vendors on Rehabfolio.
AI data handling
Content you submit to AI features — listing text, walkthrough photos, receipts — is sent to third-party AI providers only when you invoke the feature, never in the background. AI outputs are drafts until you accept them. The full breakdown of providers and data sent is on the AI disclosure page.
What we do not claim
Rehabfolio has not undergone SOC 2, GDPR, or similar third-party compliance certification, and we will not pretend otherwise during early access. What exists today is described above and in the privacy policy; as billing and first-party authentication launch, material changes will be posted on those pages with new dates.
Try it with your own deals
Early access: the full product is free while billing launches — no card required.
No card · AI drafts require your accept