Community Guidelines

• Sign-in methods: Email + password, and Google OAuth (one-tap).
• Session security: Industry-standard JWT tokens delivered over HTTPS only. Tokens auto-refresh and expire on inactivity.
• Password handling: Passwords are never stored in plain text — they're salted and hashed by the auth provider. The app itself never sees raw passwords.
• Anonymous sign-ups: Disabled. Every account is tied to a verified email or Google identity.
• Build-before-signup flow: Users can sculpt an avatar as a guest. The draft is held in their own browser's sessionStorage only — it never touches our servers until they sign up and explicitly save.

Every sensitive table in the database is locked down at the Postgres level with RLS policies. Even if app code had a bug, the database itself refuses to return data the user isn't allowed to see.

Protected tables include:

• direct_messages — only sender and recipient can read
• user_wallets — only the wallet owner can read their coin balance
• user_inventory — items owned are private to the owner
• crushes, couples, matches — only the people involved
• cart_items, apartment_rentals, walk_thru_requests — owner-scoped
• user_blocks — only the blocker can see who they've blocked
• reports — only moderators and the reporter can read

Roles are stored in a separate user_roles table with a SECURITY DEFINER has_role() function — preventing the classic privilege-escalation bug of storing roles on the profile.

Every piece of user-generated text is screened by an AI moderator before it's saved to the database, with a server-side trigger as a second line of defense.

Moderated surfaces:

• Direct messages
• Posts and lifestyle feed entries
• Profile bios and avatar names
• Voice intro text

Blocked categories:

• Harassment, bullying, threats
• Hate speech and slurs
• Sexual harassment
• Underage content (zero tolerance)
• Impersonation and spam
• Dox / personal info leakage

If content is flagged, the user gets an instant toast explaining the reason — the message is never persisted.

Coin purchases run through Stripe. We never see or store credit card numbers.

Cryptographic safeguards:

• The Stripe webhook verifies every event signature using STRIPE_WEBHOOK_SECRET before crediting any coins.
• Idempotency: each Stripe event ID is recorded in processed_stripe_events so a replay attack can't double-credit a wallet.
• Coin grants happen via a SECURITY DEFINER SQL function — the webhook can credit, but no client can.

What this means: No one can spoof a fake purchase to inflate their wallet. Coins only come from a verified Stripe payment, a daily login claim, or a gift from another verified user.

These behaviors lead to immediate avatar removal or permanent suspension:

• Harassment, bullying, or threats of any kind
• Slurs or hate speech (race, gender, orientation, disability, religion)
• Sexual harassment or non-consensual sexual content
• Body-shaming or demeaning behavior
• Impersonating another person or brand
• Soliciting minors or pretending to be a minor
• Sharing another user's personal info ("doxxing")
• Coercion — pressuring anyone for contact, photos, money, or coins
• Scams (off-platform payment requests, fake giveaways)
• Repeated unwanted contact after being told to stop

• ✅Never share real-life contact info, passwords, or payment details inside DMs.
• ✅Block first, ask later — if someone makes you uncomfortable, block them. No explanation required.
• ✅Report screenshots aren't required — moderation can pull the original messages from logs.
• ✅Coins are virtual. Anyone asking you to send them outside the app or trade for real money is scamming you.
• ✅Bots are labeled. AI personas can flirt, but they can't meet you in real life.
• ✅Trust the toast. If a message gets blocked by moderation, that's a signal — not a glitch.

1. Your report goes straight to the moderation team — confidentially.
2. We review the avatar, the behavior, and any past reports.
3. Outcomes scale with severity: warning → avatar removal → permanent suspension.
4. Repeat or severe violations get zero second chances.

• HTTPS everywhere — all traffic is TLS-encrypted.
• No secrets in client code — API keys for Stripe, AI moderation, etc. live only in server-side secrets storage.
• Edge functions verify JWTs by default; public webhooks verify provider signatures instead.
• Rate limiting & abuse guards on DMs, crush sends, and report filings to prevent spam and griefing.
• Audit trail — coin transfers, reports, and moderation actions are all logged with timestamps.