Security
Built to protect the calls and leads that keep local businesses moving.
Effective date: April 16, 2026
Mytha handles business-critical reception workflows for home service companies. Our security approach focuses on limiting exposure, protecting lead data, monitoring failures, and keeping production systems simple enough to operate reliably.
Data protection
Website lead data is stored in Postgres, and the application connects with least-privilege credentials rather than a superuser or owner role. IP addresses used for lead safety and analytics are hashed where practical before storage. Because the IPv4 address space is small enough to enumerate in minutes, that hash should be keyed with a secret held outside the database; a bare, unkeyed hash of an IP address can be reversed by brute force and offers little more protection than the raw value. Secrets are expected to live in environment variables or the production host secret manager, never in source code or committed configuration.
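The difference between "hashed" and "usefully hashed" is worth seeing. The following is an added example, not Mytha's code; the page does not say which hash or key scheme it uses. It assumes a pepper in an environment variable named LEAD_IP_HASH_KEY (a hypothetical name) and shows both the naive unkeyed hash, an attacker reversing it by enumerating a /24, and the keyed HMAC form that the same enumeration cannot reverse.

```python
import hashlib
import hmac
import ipaddress
import os
from typing import Callable, Optional

# Assumed name for the pepper's environment variable; the page only says that
# secrets live in environment variables or the host secret manager.
PEPPER_ENV_VAR = "LEAD_IP_HASH_KEY"


def canonical_ip(raw: str) -> str:
    """Normalise an address so textual variants hash to the same value.

    IPv4-mapped IPv6 (::ffff:203.0.113.7, as seen behind some proxies)
    collapses to plain IPv4, and IPv6 is rendered in compressed lowercase
    form. Raises ValueError on garbage, which the caller should treat as
    'no usable address' rather than hashing the junk.
    """
    addr = ipaddress.ip_address(raw.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def hash_ip_unkeyed(raw: str) -> str:
    """The naive version: a bare SHA-256. Deterministic, but reversible by
    enumeration because the IPv4 space is only 2**32 values."""
    return hashlib.sha256(canonical_ip(raw).encode()).hexdigest()


def hash_ip_keyed(raw: str, pepper: bytes) -> str:
    """HMAC-SHA256 with a secret pepper that is never stored next to the data.
    Truncated to 128 bits, which is ample for de-duplication and analytics."""
    digest = hmac.new(pepper, canonical_ip(raw).encode(), hashlib.sha256)
    return digest.hexdigest()[:32]


def load_pepper() -> bytes:
    """Fail closed: no pepper means no hashing, not silent unkeyed hashing."""
    value = os.environ.get(PEPPER_ENV_VAR)
    if not value:
        raise RuntimeError(f"{PEPPER_ENV_VAR} is not set")
    return value.encode()


def reverse_by_enumeration(digest: str, network: str,
                           hasher: Callable[[str], str]) -> Optional[str]:
    """The attacker's side: hash every host in a network and look for a match.
    Against hash_ip_unkeyed this recovers the address. Against a keyed digest
    the attacker has no pepper, so the same search finds nothing; a full IPv4
    sweep would still be only 2**32 guesses if the pepper ever leaks."""
    for host in ipaddress.ip_network(network).hosts():
        if hasher(str(host)) == digest:
            return str(host)
    return None


if __name__ == "__main__":
    # Constructed sample address from the documentation range 203.0.113.0/24.
    stored = hash_ip_unkeyed("203.0.113.7")
    print("unkeyed reversed to:", reverse_by_enumeration(stored, "203.0.113.0/24", hash_ip_unkeyed))
    keyed = hash_ip_keyed("203.0.113.7", load_pepper())
    print("keyed reversed to:", reverse_by_enumeration(keyed, "203.0.113.0/24", hash_ip_unkeyed))
```

Only the keyed digest should reach Postgres; the pepper stays in the environment or host secret manager, so a database dump alone yields nothing. The trade-off is that rotating the pepper makes old hashes unjoinable with new ones, which is usually acceptable for abuse counters and analytics.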
Application safeguards
The website uses request size limits, JSON-only API inputs (an HTML form cannot submit a JSON content type, so this also keeps cross-site form posts off API routes), basic per-client rate limiting, and server-side form validation on the way in; security headers and Content Security Policy rules on the way out; and server-side error reporting so that failures are noticed rather than silently swallowed. Together these reduce the common abuse paths against a public lead form: oversized or malformed bodies, automated submission floods, and script injection.
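The request-side safeguards above compose into a small guard that runs before a lead handler. This is an added, framework-agnostic example, not Mytha's code; the limits (16 KiB body, a burst of 5 requests then 1 per second) and the field rules are assumptions, since the page states that limits exist but not their values. Headers are assumed to arrive as a dict with lowercase keys.

```python
import json
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed limits: the page states that limits exist, not their values.
MAX_BODY_BYTES = 16 * 1024
RATE_BURST = 5           # requests a client may make at once
RATE_PER_SECOND = 1.0    # sustained refill after the burst is spent
MAX_FIELD_LEN = {"name": 100, "email": 254, "phone": 32, "message": 2000}
REQUIRED_FIELDS = ("name", "email", "message")


@dataclass
class _Bucket:
    tokens: float
    updated: float


class TokenBucketLimiter:
    """Per-client token bucket. Memory grows with distinct clients, so a real
    deployment evicts idle buckets or keeps them in Redis; omitted here."""

    def __init__(self, burst: int, per_second: float, clock=time.monotonic):
        self.burst, self.per_second, self.clock = burst, per_second, clock
        self._buckets: Dict[str, _Bucket] = {}

    def allow(self, client: str) -> bool:
        now = self.clock()
        b = self._buckets.setdefault(client, _Bucket(float(self.burst), now))
        b.tokens = min(self.burst, b.tokens + (now - b.updated) * self.per_second)
        b.updated = now
        if b.tokens < 1.0:
            return False
        b.tokens -= 1.0
        return True


def validate_lead(payload: object) -> Optional[str]:
    """Shape check for a lead form body; returns a reason string or None."""
    if not isinstance(payload, dict):
        return "body must be a JSON object"
    unknown = set(payload) - set(MAX_FIELD_LEN)
    if unknown:
        return f"unexpected fields: {sorted(unknown)}"
    for key in REQUIRED_FIELDS:
        if not isinstance(payload.get(key), str) or not payload[key].strip():
            return f"missing or empty field: {key}"
    for key, value in payload.items():
        if not isinstance(value, str):
            return f"field must be a string: {key}"
        if len(value) > MAX_FIELD_LEN[key]:
            return f"field too long: {key}"
    # Crude address check; real validation is normalisation plus a confirmation
    # mail. The newline test blocks header injection into notification mail.
    email = payload["email"]
    if "@" not in email or any(c in email for c in "\r\n"):
        return "email looks invalid"
    return None


def check_api_request(method: str, headers: Dict[str, str], body: bytes,
                      client_ip: str, limiter: TokenBucketLimiter) -> Tuple[int, Optional[str]]:
    """Run the guards in cost order: header-only checks first, the rate
    limiter before any parsing, the JSON parse last. Returns (status, reason);
    (200, None) means the lead handler may proceed."""
    if method != "POST":
        return 405, "method not allowed"
    # Content-Length is checked before the body is read; the real length is
    # checked too, because a client can omit or lie about the header.
    try:
        declared = int(headers.get("content-length", "0"))
    except ValueError:
        return 400, "bad content-length"
    if declared > MAX_BODY_BYTES or len(body) > MAX_BODY_BYTES:
        return 413, "body too large"
    media_type = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if media_type != "application/json":
        return 415, "JSON only"
    if not limiter.allow(client_ip):
        return 429, "rate limited"
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, "malformed JSON"
    reason = validate_lead(payload)
    if reason:
        return 400, reason
    return 200, None
```

Rejected requests return before the body is parsed and, for everything except the rate limiter itself, before a token is spent, so junk traffic is cheap to refuse. Behind Cloudflare Tunnel the client address must be taken from the proxy's trusted header rather than the socket peer, otherwise every visitor shares one bucket.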
Infrastructure posture
The recommended home-server deployment keeps Postgres private on the Docker network and exposes only the web app, through Cloudflare Tunnel, so no inbound port on the host needs to be open at all. Public database ports should stay closed; note that a port published with Docker's `ports:` directive is reachable from the network regardless of host firewall rules such as ufw, so the database service should simply not publish a port rather than rely on the firewall to cover it. Backups should be encrypted or access-controlled, copied off the server, and restored periodically to confirm they are usable.
Access and operations
Production access should be limited to trusted operators using strong, unique passwords, multi-factor authentication where available, and per-person SSH keys instead of shared passwords. Error and lead notification webhook URLs should be treated as secrets: they carry operational and lead data, and for incoming webhooks the URL alone is enough for anyone who obtains it to post forged notifications. Keep them out of source control and regenerate them if they are ever exposed.
Reporting security concerns
To report a security concern, contact hello@mytha.ai. Please include the affected URL, steps to reproduce, and any relevant request IDs or timestamps. Do not include sensitive customer data unless we ask for it through a secure channel.
This security page is written for launch readiness and customer trust. It should be reviewed against the final production environment before broad public use.
