Your Data, Protected

Your data is encrypted at rest using AES-256 and in transit using TLS 1.3. Payment processing is handled entirely by Stripe — LandedGo never stores card numbers or banking details.

Your precise GPS coordinates are never stored. LandedGo uses neighbourhood-level resolution only — we know you are in District 1, not your exact street address. On-device processing is used where possible to minimise data exposure.

Your conversations with the LandedGo AI concierge are used to generate your response and to improve the service. City context is sent to OpenAI — never your name, passport details, or identifying information. No conversation is ever shown to other users.

Documents you store in the vault are encrypted client-side on your device before being uploaded to our servers. We cannot read your documents even if we wanted to.

Community reports are anonymised before being used to improve city intelligence. Your individual reports are never attributed to you in public.

Sensitive account actions including data export and account deletion are logged. You can request a full export of your data at any time via the contact page.

LandedGo runs on the Vercel global edge network and Supabase hosted in Singapore. Both providers maintain SOC 2 compliance and enterprise-grade security.

• Passwords are never stored. We use magic link and modern auth flows so we do not hold reusable password hashes for your account in the way traditional sites do.
• Row Level Security (RLS) is enabled on our Supabase database: policies ensure users can only access their ownprivate rows, not other people's data, when using the public API.
• Service role keys (which bypass RLS) exist only in secure server environments — never in the browser or in client-side bundles.
• API routes that perform sensitive work validate authentication and intent before writing to the database, so anonymous traffic cannot act as an authenticated user.

We welcome responsible disclosure of security vulnerabilities. If you believe you have found an issue, please report it to us first via the contact page. Do not publicly disclose a vulnerability, exploit it in production, or access data you do not own, until we have had a reasonable opportunity to fix it.

We aim to acknowledge your report within 48 hours and will work with you on severity and fix timelines. We do not run a public bug bounty on this page, but we take credible reports seriously and credit researchers when they wish to be named.