Security & privacy at Total Reward

Accounts use email + password sign-in and Google sign-in. Each user belongs to one or more organizations, and role-based access (admin, manager, analyst, viewer) controls what they can see and do inside their organization.

Data is isolated per organization at the database level using row-level security policies, so members of one organization cannot read or modify another organization’s records.

Total Reward is built on Lovable Cloud and runs on managed, reputable cloud infrastructure. Connections to the application are served over HTTPS, and data in transit is encrypted using standard TLS.

Application servers run as stateless workers — sensitive state lives in the managed database and storage layer, not on individual server instances.

We process the information your organization uploads or enters — employees, salaries, allowances, structures, bonus and merit cycles, and similar compensation data — strictly to provide the service to your organization. We do not sell personal data.

Account-level data (name, email, organization, role, audit logs of actions you take) is collected to operate and secure the service.

We rely on a small set of providers to operate the service:

• Lovable Cloud — application hosting, database, authentication, storage.
• Paylink — payment processing for subscriptions (only when you subscribe).
• Transactional email provider — for system emails (auth, invitations, notifications).

Each provider only receives the data it needs to perform its specific function.

Customer data is retained while your organization’s account is active. Admins can delete records they own from inside the application. To request deletion of an entire organization or account, contact us using the address below.

If you believe you have found a security vulnerability, or have a privacy question, please reach out through our contact page. We appreciate responsible disclosure and will respond as quickly as we can.