Trust centre
Security at MacStayOn
Last updated: 16 July 2026
Account and data access
- Authentication is handled through Supabase with server-verified sessions.
- Row-level security limits customer access to their own profiles, orders, licences, devices, and events.
- Administrative mutations are checked on the server and use restricted service credentials stored outside the repository.
Licence activation
- Device identifiers are hashed before storage.
- Activation tokens are signed, short lived, device bound, and revalidated against current licence and device status.
- Device limits are enforced on the server. Deactivation preserves an audit record and invalidates later validation.
Payments and downloads
Stripe handles payment details; MacStayOn stores only operational billing identifiers and status. Download access requires an authenticated account with a current licence. Administrators publish HTTPS release URLs and may provide SHA-256 checksums.
Native app boundaries
The menu-bar app uses macOS power assertions and a required system helper for supported lid-closed behaviour. It records a limited local health history and should change only the power settings it owns. The licensing API does not receive the content of your work queue.
Reporting
Report suspected vulnerabilities privately to support@macstayon.com. Include reproduction steps and impact, but do not access other users' data or disrupt the service.