Security & Privacy

Your catalog. Your shoppers.
Your data.

Plain-language answers to the questions our merchants ask most. This page is maintained by Superbar — it's not an independent certification, and it's updated as the product evolves.

Where we stand

No SOC 2. No ISO. Not yet.

We're a small team and we haven't gone through a formal audit. Pretending otherwise would waste your security team's time. What we do have is a short list of practices we treat as non-negotiable — the same ones any sensible startup running on managed cloud infrastructure would follow.

Security is shared. Superbar runs the platform: the SDK on your store, the dashboard, and the infrastructure underneath. You run your store, your team accounts, and the credentials you hand out. Most incidents we see are leaked credentials, not platform breaches, so treat dashboard logins and the keys you issue with the same care as your store's own admin password.

If something below doesn't match what your security team needs, write to us. We'd rather have the conversation than ship a questionnaire.

What we operate

Six controls, plainly stated.

No buzzwords, no badges we haven't earned. Just what's true today.

  • 01

    Access is least-privilege.

    Production access is limited to the engineers who need it, granted per-task, and revoked when the task ends. Team accounts require strong passwords and 2FA. No shared admin logins.

  • 02

    Encryption in transit & at rest.

    Every Superbar surface — marketing site, SDK, dashboard, APIs — is served over HTTPS. Customer data is encrypted at rest. We use standard, well-reviewed cryptography — no homemade crypto.

  • 03

    What we actually collect.

    The product catalog the merchant connects, interaction events from the feed (scroll, tap, dwell) keyed only to the per-store feed identifier described under Cookies &amp; tracking, and basic account info for the dashboard. We don't see payment details: checkout stays inside your store, on your platform.

  • 04

    What we won't do.

    We don't sell data. We don't resell shopper profiles across merchants. We don't train shared models on one brand's catalog to benefit another. Your data works for your store, full stop.

  • 05

    Retention & deletion.

    Workspace data is retained while your account is active. On written request from an authorized admin we delete it within 30 days. Copies may persist in backups for a short rotation window after that; we let those age out rather than edit backups in place, because selectively rewriting backups is riskier than waiting for them to expire.

  • 06

    Privacy requests.

    Shoppers asking to access or delete their data should contact the merchant whose store they were on. We process the request on the merchant's behalf and confirm completion. We're a processor; the merchant is the controller.

Cookies & tracking

Three categories, no surprise pixels.

  • Strictly necessary

    Session and CSRF cookies on app.superbar.com. Required to log in and use the dashboard — can't be disabled without breaking the product.

  • First-party analytics

    Aggregated page analytics on superbar.com so we know which marketing pages work. No cross-site profile, no ad networks.

  • Shopper feed identifier

    The on-store feed uses a local identifier stored in the shopper's browser under that single merchant's domain, so the same shopper on two Superbar-powered stores gets two unrelated identifiers. Never shared across stores, never sold.

Found something?

Report a vulnerability or incident.

Suspected security issue

Email security@superbar.com with the affected URL or component, steps to reproduce, and the impact you observed. We confirm receipt within one business day and won't pursue legal action against good-faith research.

Privacy or DPA questions

Reach privacy@superbar.com for data processing agreements, subprocessor questions, or to file a privacy request.

Vendor reviews

Security questionnaires and policy documents are shared under NDA. Ask your account contact or write us.

Still have questions?

Get the long version
from a real human.

We'll walk your security team through architecture, data flow and any custom controls you need.

Superbar

The scrolling experience that powers TikTok, now in your store.

© 2026 Superbar. All rights reserved.