Trust & Privacy

How we protect your information

This page is maintained by the Worldwide Passport Club Rotary (WWPRC) to answer common security, privacy, and data-handling questions about wwprc.org. It describes the controls currently in place; it is not an independent certification or audit.

Authentication & access control

  • Sign-in supports email & password, Google, Apple, and SMS one-time codes.
  • Members can enable two-factor authentication. When enabled, the signed-in session is not established until a fresh email code is verified.
  • Administrative actions are gated by server-side role checks; role assignments live in a dedicated table and are never trusted from the browser.
  • Failed login attempts are recorded for abuse review.

Member data & privacy controls

  • Profile fields such as phone number are visible only to the owner and administrators.
  • The member business directory hides email and phone by default; listing owners must explicitly opt in to publish each contact method.
  • Database row-level security policies scope reads and writes to the appropriate user or role on every table that stores member data.
  • Comment author email addresses are kept private and never returned to the public site.

Email & newsletter

  • Newsletter subscribers can unsubscribe from any email; unsubscribe links and List-Unsubscribe headers are included on every send.
  • Bounce, complaint, and unsubscribe signals from the email provider update subscriber state automatically.
  • Webhook and scheduled-send endpoints require a shared secret so only the WWPRC backend and configured cron services can trigger them.

Platform & hosting

WWPRC runs on the Lovable platform with Supabase as the managed database, authentication, and storage backend. Secrets and API keys are stored server-side and are never shipped to the browser. Backups, encryption-at-rest, and TLS in transit are provided by those platforms; we rely on their published controls rather than operating our own infrastructure.

Reporting a security concern

If you believe you have found a security or privacy issue with this site, please contact us at security@wwprc.org with as much detail as possible. We aim to acknowledge reports within a few business days.

This page is editable content owned by WWPRC and does not imply certification by Lovable, Supabase, or any third-party auditor.