Trust & safety

Security on Lend Me

We treat your account, your items, and your money the way we'd want ours treated. Here's what's under the hood today.

Transport & data security

  • HTTPS everywhere, enforced by HSTS with a two-year max-age that also covers subdomains.
  • Strict response headers: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, a scoped Permissions-Policy, and a Cross-Origin-Opener-Policy that isolates auth popups from their opener.
  • Database access guarded by Postgres Row-Level Security — users can only read or write what their account owns.
  • Secrets and API keys live in a managed vault; never in client code or git history.
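As an added example (not code from Lend Me), here is a small audit that checks a captured set of response headers against the controls listed above; the sample header values, including the Cross-Origin-Opener-Policy setting, are constructed assumptions rather than Lend Me's real configuration.

```python
"""Audit HTTP response headers against the transport controls listed above."""
from __future__ import annotations

TWO_YEARS = 63072000  # seconds; the HSTS max-age the page states

# Constructed sample response headers (assumed values, not Lend Me's own).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(self)",
    "Cross-Origin-Opener-Policy": "same-origin-allow-popups",
}


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=N; includeSubDomains[; preload]' into a dict."""
    out = {"max_age": 0, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and arg.strip().isdigit():
            out["max_age"] = int(arg.strip())
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def audit_headers(headers: dict) -> list[str]:
    """Return findings; an empty list means every listed control is present."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    if hsts["max_age"] < TWO_YEARS:
        findings.append(f"HSTS max-age {hsts['max_age']} < {TWO_YEARS}")
    if not hsts["include_subdomains"]:
        findings.append("HSTS missing includeSubDomains")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy absent")
    if h.get("cross-origin-opener-policy", "unsafe-none").lower() == "unsafe-none":
        findings.append("Cross-Origin-Opener-Policy absent or unsafe-none")
    return findings
```

Run it against headers captured from a real deployment (for example the mapping returned by an HTTP client) to confirm the controls are actually served, not just documented.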

Account & identity

  • Sign in with email + password or Google. Optional 2FA coming soon.
  • Identity verification is required for high-value lenders and any borrower renting an Ultra/Premium item.
  • At pickup, lender and borrower complete a one-time handshake — a QR + 6-digit code tied to the booking — and visually check government-issued IDs.
  • Suspended or blacklisted users can't request, list, or hold deposits anywhere on the platform.

Anti-fraud & bot defense

  • Per-user rate limits on AI helpers and sensitive actions (signup, listing creation, reports).
  • Content screening on every listing — prohibited categories are blocked before publish and re-checked on edit.
  • Server-side validation on every mutation; the UI is a convenience, not the gatekeeper.
  • reCAPTCHA Enterprise will be enabled on signup and high-risk forms once site keys are added.
  • Audit log (audit_log) records sensitive admin and payment events for investigations.

Payments & deposits

  • Lend Me never sees raw card data — payment fields are tokenized by our processor.
  • Deposits are held by Lend Me and auto-released 72 hours after the lender marks the item returned (see Payments policy).
  • Lenders are paid T+3 days after return (T+14 for high-value items) to allow a dispute window.

AI usage

  • AI features run server-side through a single audited gateway. Your prompts are not used to train external models.
  • Every AI request is logged (feature, model, tokens) per user for abuse detection.
  • Generated copy is a draft only — you always review and edit before publishing.

Found a vulnerability?

Please email security@lendme.example with details. We aim to acknowledge reports within two business days.