Security
Security policy
Last updated: 2026-05-22
Raychis is built privacy-first, which makes it security-simple. Most of the obvious targets - user accounts, cloud-stored photos, a server-side database - don't exist. This page explains the model and how to report anything we've got wrong.
1. Security model
1.1 On-device processing
Plant identification, health checks, and care guidance run entirely on your phone. There is no Raychis account to compromise, no cloud copy of your plants or photos, and no server-side database holding personal data.
1.2 Site infrastructure
This marketing site is a static build deployed to Cloudflare Workers. It has no application server, no database, no user input that reaches a backend we operate. The waitlist form submits directly to Kit (ConvertKit), our email provider.
1.3 Transport and headers
All traffic to raychis.app is HTTPS-only, enforced at the edge by Cloudflare with HSTS (max-age 2 years, includeSubDomains, preload). We set X-Content-Type-Options, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, and a restrictive Permissions-Policy.
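As an added illustration (not Raychis's own Worker code), the following shows how a Cloudflare Worker serving a static site can stamp the headers listed above onto every response, together with a small checker that verifies a captured header set against the stated policy. The header names and values come from this page; the 2-year HSTS max-age is expressed as 63072000 seconds, the `env.ASSETS` static-assets binding and the `fetch` handler shape are assumed, and the Permissions-Policy directive set is an assumption, since the page only calls it "restrictive".

```javascript
// Added example, not part of the Raychis site. Sets and checks the response
// headers described in section 1.3.

// 2 years in seconds (2 * 365 * 24 * 3600).
const TWO_YEARS = 63072000;

// Header set from the policy. The Permissions-Policy directives are assumed.
const SECURITY_HEADERS = {
  "Strict-Transport-Security": `max-age=${TWO_YEARS}; includeSubDomains; preload`,
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
};

// Header names are case-insensitive; normalise a plain object to lowercase keys.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Parse an HSTS value such as "max-age=63072000; includeSubDomains; preload".
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const token = raw.trim();
    const m = /^max-age=(\d+)$/i.exec(token);
    if (m) result.maxAge = Number(m[1]);
    else if (/^includeSubDomains$/i.test(token)) result.includeSubDomains = true;
    else if (/^preload$/i.test(token)) result.preload = true;
  }
  return result;
}

// Return a list of findings; an empty list means the headers match the policy.
function checkSecurityHeaders(headers) {
  const h = lowerKeys(headers);
  const findings = [];
  const hsts = h["strict-transport-security"];
  if (hsts === undefined) {
    findings.push("missing Strict-Transport-Security");
  } else {
    const p = parseHsts(hsts);
    if (p.maxAge === null || p.maxAge < TWO_YEARS) findings.push("HSTS max-age below 2 years");
    if (!p.includeSubDomains) findings.push("HSTS missing includeSubDomains");
    if (!p.preload) findings.push("HSTS missing preload");
  }
  const expectExact = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
  };
  for (const [name, want] of Object.entries(expectExact)) {
    const got = h[name];
    if (got === undefined) findings.push(`missing ${name}`);
    else if (got.toLowerCase() !== want.toLowerCase()) findings.push(`${name} is "${got}", expected "${want}"`);
  }
  if (h["permissions-policy"] === undefined) findings.push("missing Permissions-Policy");
  return findings;
}

// Merge the policy headers over an existing header object, replacing any
// case-variant of the same header that the upstream response already carried.
function addSecurityHeaders(headers) {
  const wanted = new Set(Object.keys(SECURITY_HEADERS).map((k) => k.toLowerCase()));
  const out = {};
  for (const [k, v] of Object.entries(headers)) if (!wanted.has(k.toLowerCase())) out[k] = v;
  return { ...out, ...SECURITY_HEADERS };
}

// Assumed Worker entry point: fetch the static asset via the ASSETS binding and
// apply the headers to the response. In a real Worker module this object would
// be exported with `export default worker`.
const worker = {
  async fetch(request, env) {
    const upstream = await env.ASSETS.fetch(request);
    const headers = new Headers(upstream.headers);
    for (const [name, value] of Object.entries(SECURITY_HEADERS)) headers.set(name, value);
    return new Response(upstream.body, { status: upstream.status, headers });
  },
};

// Constructed sample: a response that carries a weak HSTS value and allows framing
// from the same origin; the checker reports every deviation from the policy.
const weakSample = { "Strict-Transport-Security": "max-age=300", "X-Frame-Options": "SAMEORIGIN" };
console.log(checkSecurityHeaders(weakSample));
console.log(checkSecurityHeaders(addSecurityHeaders(weakSample)));
```

The checker treats header names case-insensitively and compares values case-insensitively, which matters because edge layers and browsers do the same; a policy check that fails on `x-frame-options: deny` would produce false alarms.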
1.4 Dependencies
We track upstream advisories for the libraries the app and site depend on. Critical and high-severity issues are patched promptly; lower-severity ones are batched into routine updates.
2. Reporting a vulnerability
If you think you have found a security issue, please tell us before disclosing it publicly. We treat reports seriously and will work with you in good faith.
2.1 How to report
Email security@raychis.app with:
- A description of the issue and the impact you believe it has.
- Steps to reproduce, ideally with a minimal proof of concept.
- Affected versions or URLs.
- Your name or handle if you'd like credit (optional).
2.2 What to expect
- An acknowledgement within two working days.
- An assessment of severity and a planned remediation timeline within ten working days.
- A follow-up when the issue is fixed, with credit to you if you'd like it.
2.3 Scope
In scope:
- The Raychis mobile app (iOS and Android, current release).
- raychis.app and its subdomains.
- Anything operated by TerraRoxoAI that handles Raychis user data.
Out of scope:
- Third-party services we use (Kit, Cloudflare, Apple, Google) - report those to the respective vendor.
- Social engineering, physical attacks, and denial-of-service testing.
- Reports based solely on automated scanner output without demonstrated impact.
2.4 Safe harbour
We will not pursue legal action against researchers who act in good faith: report promptly, do not access or modify data beyond what is necessary to demonstrate the issue, do not degrade service for other users, and give us a reasonable window to remediate before public disclosure.
3. Public disclosure
We aim to credit reporters in release notes or on the news page once a fix has shipped. If you prefer to remain anonymous, say so in your report.
4. Contact
Security reports: security@raychis.app. Anything else: see Contact.