Trust & Safety
Data & Security Overview
We believe you should be able to understand exactly how ApoClock handles your data without needing a law degree. This page explains our architecture and security practices in plain English.
The Short Version
Encrypted in transit
All data between your browser, our server, and database travels over TLS (HTTPS). Nothing is sent in plain text.
Private database
Your data lives in a PostgreSQL database on AWS RDS inside a private VPC โ not exposed to the public internet.
No data selling
We do not sell, rent, or broker your personal data to advertisers or third parties. Ever.
Hashed passwords
Passwords are hashed using industry-standard algorithms. We never store your plain-text password โ not even we can read it.
Export your data
Your workspace data is always exportable as JSON. You own it. Take it with you anytime via Settings โ Export.
Delete anytime
Delete your account in-app and all your data is permanently removed within 30 days. No dark patterns, no retention tricks.
Where Your Data Lives
Different types of data are handled differently. Here's exactly what goes where:
Local only
Browser cache (localStorage) โ A local copy of your workspace data is kept for offline access and performance. This mirrors your server data and is cleared when you sign out.
Our server
Account & workspace data โ Your email, password hash, workspace settings, member records, events, and groups are stored in our private PostgreSQL database on AWS RDS.
Our server
Session tokens โ Authentication tokens are stored as secure HTTP-only cookies and expire automatically.
Third-party API
City geocoding โ When you type a city name, a query is sent to Nominatim (OpenStreetMap) and timeapi.io to resolve the timezone. Only the city search string is sent โ no account info.
Third-party API
Discord API โ If you enable Discord features, your configured webhook URL or Guild Sync settings are used to communicate with Discord's API. We do not store Discord message content.
Never stored
Passwords โ Your plain-text password is never stored anywhere. Only a cryptographic hash is kept.
Never collected
Payment info, location data, device fingerprints โ ApoClock is free and does not collect payment details, GPS location, or device fingerprints.
Architecture Overview
For the technically curious, here's how the system is laid out:
[ Your Browser ]
โ React PWA ยท localStorage cache ยท service worker
โ โ HTTPS (TLS)
[ Vercel CDN ]
โ Static assets served globally
โ โ HTTPS (TLS)
[ ApoClock API Server ] โ Hono / Node.js
โ Auth (better-auth) ยท Workspaces ยท Invitations
โ Social OAuth: Discord ยท Google ยท Facebook ยท Microsoft
โ โ SSL (VPC internal)
[ AWS RDS PostgreSQL ] โ Private VPC, not public internet
users ยท workspaces ยท workspace_data ยท sessions
โ React PWA ยท localStorage cache ยท service worker
โ โ HTTPS (TLS)
[ Vercel CDN ]
โ Static assets served globally
โ โ HTTPS (TLS)
[ ApoClock API Server ] โ Hono / Node.js
โ Auth (better-auth) ยท Workspaces ยท Invitations
โ Social OAuth: Discord ยท Google ยท Facebook ยท Microsoft
โ โ SSL (VPC internal)
[ AWS RDS PostgreSQL ] โ Private VPC, not public internet
users ยท workspaces ยท workspace_data ยท sessions
Security Practices
- TLS everywhere โ All HTTP traffic is encrypted in transit. HTTP requests are redirected to HTTPS.
- Private VPC โ The database is inside an AWS Virtual Private Cloud. Only the API server (within the same VPC) can reach it. It is not exposed to the internet.
- Password hashing โ Passwords are hashed using bcrypt before storage. We cannot recover your password if lost.
- HTTP-only cookies โ Session tokens are stored as HTTP-only cookies, preventing access by JavaScript and reducing XSS risk.
- CORS restrictions โ The API only accepts requests from the official ApoClock origin.
- OAuth PKCE โ Discord member OAuth flows use Proof Key for Code Exchange (PKCE), preventing code interception attacks.
- Minimal data collection โ We only collect what is needed to run the Service. We do not build profiles or enrich data from third parties.
Sub-processors
These are the third-party services that may process your data as part of delivering ApoClock:
| Provider | Role | Data shared | Region |
|---|---|---|---|
| AWS RDS | Database hosting | All stored app data | US / configurable |
| Vercel | App hosting & CDN | IP address, request logs | Global edge |
| Discord | OAuth & webhooks | Only what you configure | Global |
| Optional OAuth sign-in | Email, name (if used) | Global | |
| Nominatim / OSM | City geocoding | City search string only | Global |
| timeapi.io | Timezone resolution | City/IANA name only | Global |
| Google Analytics | Website analytics | Anonymised page view data | Global |
Report a Security Issue
If you discover a security vulnerability in ApoClock, please report it responsibly. Do not publish details publicly until we've had a chance to address it.
Security disclosures: office@oioilab.ai
We aim to acknowledge reports within 48 hours and provide a resolution timeline within 7 days.