Trust & Security
What we do to keep PanoTuli safe.
This page is maintained by the PanoTuli team and describes the security controls currently in place. It is not an independent certification.
Data protection
- Every database table uses row-level security; each query is checked against the signed-in user's identity.
- Business phone and WhatsApp numbers are not exposed via direct database queries. They are revealed one record at a time via a rate-limited server function.
- Lead messages and customer contact details are visible only to the business owner (paid tier) and admins.
- All admin actions are recorded in an append-only audit log that cannot be written to directly from the client.
Abuse prevention
- Per-user and per-IP rate limits on phone reveals to prevent scraping.
- Listing submissions go through admin review before they appear in public search.
- Ownership claims require TPIN verification before a business is transferred.
Shared responsibility
PanoTuli secures the platform: authentication, database permissions, and abuse controls. Business owners are responsible for the accuracy of the information they publish and for handling customer enquiries they receive through the directory in line with applicable law.
Report a security issue
If you believe you've found a vulnerability, please email security@panotuli.com with steps to reproduce. Please do not publicly disclose the issue until we've had a chance to investigate.
See also our privacy statement.