At a glance
Encrypted in transit
Every request between your phone and our server travels over HTTPS — fully encrypted. No one can intercept it.
Passwords never stored
Your password is hashed with bcrypt before it ever touches our database. Even we cannot read it.
Your data, only yours
No other artist on the platform can see your bookings, revenue, or clients. Complete isolation by design.
Sessions expire
Login sessions expire after 7 days. Tokens are signed and verified on every request.
Brute-force protection
10 failed login attempts locks the account for 15 minutes. Rate limiting applied on all sensitive endpoints.
Two-factor auth
Optional 2FA sends a 6-digit OTP to your email. Even if your password is stolen, your account stays locked.
How it works — in detail
Account & Password Security
What happens when you log in
- ✓Your password is converted into an irreversible hash using bcrypt before being stored. We store the hash, never the password itself.
- ✓Login tokens are signed with a secure secret key using JWT (JSON Web Token). Tokens expire after 7 days.
- ✓After 10 wrong password attempts in a row, the account is locked for 15 minutes automatically.
- ✓Admins can remotely revoke your session instantly if your phone is lost or stolen — this invalidates your token immediately.
- ✓When your admin resets your password, the old session is invalidated. You have to log in fresh with the new password.
Two-Factor Authentication (2FA)
An extra lock on top of your password
- ✓When you enable 2FA, every login requires a 6-digit code sent to your email after your password is accepted.
- ✓OTP codes are valid for 10 minutes only and are permanently deleted from our database the moment they are used.
- ✓The login OTP is issued via a short-lived temporary token — if you close the browser without entering the code, the session is abandoned automatically.
- ✓OTP requests are rate-limited — a maximum of 5 OTP emails per 15-minute window, to prevent abuse.
- ✓Even if someone knows your password, they cannot log in without access to your email inbox.
Data in Transit & At Rest
How your data travels and where it lives
- ✓All communication between the app and our servers uses HTTPS with TLS encryption. Data cannot be read in transit by any third party.
- ✓Data is stored on Railway — a cloud infrastructure provider with encrypted storage and isolated environments per service.
- ✓Your session token lives in your phone's local storage — it never appears in URLs or server logs.
- ✓Database access is restricted to the backend API only — no direct public access to the database is possible.
Billie AI Assistant
What data Billie sends to AI models
- ✓Billie is powered by Google Gemini API. When you ask Billie a question, your booking and revenue data is sent to Google's API to generate the answer.
- ✓No client personal data (client names, phone numbers, emails) is sent to the AI. Only booking dates, amounts, services, and statuses.
- ✓Under Google's API terms, data sent via the API is not used to train Google's AI models.
- ✓Billie is completely optional. If you never open the Billie chat, none of your data is ever sent to any AI service.
Client Portal Security
How client-facing links are protected
- ✓Each client gets a unique, private link tied only to their specific booking — no client can access another client's data.
- ✓Portal links expire automatically 7 days after the event date. Expired links return an error — they cannot be used.
- ✓Reference images uploaded by clients are stored on secure servers and are not publicly indexed or searchable.
- ✓The portal is read-only from the client's side for your business data — clients can only see their own booking details.
Third-party services that handle your data
🚂 Railway
Hosts our backend servers and database. Sees all app data as the infrastructure provider. No data is used for any other purpose.
Privacy policy →
📧 Resend
Delivers transactional emails (OTP codes, account notifications) from support@skilltobill.app. Sees your email address only. No marketing use.
Privacy policy →
✨ Google Gemini
Powers the Billie AI assistant. Receives anonymised booking and revenue data only when you actively use the Billie chat. Not used for model training.
API terms →
What we will never do
✕
Sell your dataWe do not sell your personal or business data to any third party, ever.
✕
Use your data for adsWe run no advertising network and your data is never used for targeting or profiling.
✕
Share across artistsNo artist on the platform can see another artist's bookings, clients, or revenue.
✕
Store plain-text passwordsPasswords are hashed with bcrypt immediately. We have no way to read your password.
✕
Track you with cookiesWe use no third-party tracking cookies, Google Analytics, or ad pixels.
✕
Keep data after you leaveWhen your account is closed, your data is deleted within 90 days.
Have a security question?
If you've spotted something that concerns you, or have a question about how your data is handled, reach out directly. We'll respond within 48 hours.
Contact support@skilltobill.app
Or read our full Privacy Policy · Terms & Conditions