Data Security

• Card data: handled by Stripe under PCI DSS. We never see your card number, CVV, or expiration date.
• Other personal data: encrypted in transit (TLS 1.2+) and at rest.
• Access to user data is limited to authorized personnel under audit logging.
• Annual PCI SAQ A self-assessment.

Every time an authorized CombatScore team member accesses user data, we log it. Sensitive actions (viewing minor data, exporting data, account suspensions) require a documented reason at the time of action. The audit log is append-only — even our team can't modify it after the fact.

If we experience a security incident affecting your data, we will:

• Notify affected users in accordance with applicable state and federal law.
• Provide details about what was affected, what we're doing, and what you should do.
• Make the post-incident report publicly available where appropriate.

• Payment records: 7 years (tax and audit requirement).
• Safety-flagged content: 7 years to support investigations.
• Unflagged messages: 90 days, then deleted.
• Other user data: per our Privacy Policy.

You can request access to, correction of, or deletion of your data:

• Self-service data export from account settings (delivered within 7 days).
• Deletion request: account anonymized; payment + safety records retained per legal exceptions above.
• Correction: contact us at safety@combatscore.app with the specific record.

If you find a security vulnerability, please report it to security@combatscore.app. We respond within 72 hours and won't take legal action against good-faith research.