Security
Coral is built to be the safest place for family photos: no ads, no discovery, and strong boundaries between families. This page is the non-technical version of our internal threat model.
Your photos aren’t public
Coral is a closed-circle product. There are no public profiles, no search, and no “recommended families.” Access is only through membership or a magic link you create.
Permissions are enforced at the database
Even if we made an API mistake, the database still prevents cross-family access. This is called Row Level Security (RLS): the database checks “are you in this family?” before returning anything.
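As an added illustration (not Coral's own schema or code), this is how an "are you in this family?" check can be expressed as a row-level security policy. It assumes PostgreSQL, and the table names, column names, and the `app.user_id` session setting are hypothetical.

```sql
-- Hypothetical schema (assumption): not Coral's actual tables.
CREATE TABLE family_members (
    family_id uuid NOT NULL,
    user_id   uuid NOT NULL,
    PRIMARY KEY (family_id, user_id)
);

CREATE TABLE photos (
    id          uuid PRIMARY KEY,
    family_id   uuid NOT NULL,
    storage_key text NOT NULL
);

-- Policies have no effect until RLS is enabled on the table.
ALTER TABLE photos ENABLE ROW LEVEL SECURITY;
-- The table owner bypasses RLS by default; FORCE applies policies to it too.
ALTER TABLE photos FORCE ROW LEVEL SECURITY;

-- Assumption: the API sets the authenticated user once per transaction:
--   SELECT set_config('app.user_id', '<authenticated user uuid>', true);
-- If the setting is missing or empty, the expression is NULL and no row
-- matches, so the policy fails closed.
CREATE POLICY photos_family_only ON photos
    FOR ALL
    USING (
        EXISTS (
            SELECT 1
            FROM family_members m
            WHERE m.family_id = photos.family_id
              AND m.user_id =
                  NULLIF(current_setting('app.user_id', true), '')::uuid
        )
    );
-- With only USING given, PostgreSQL applies the same expression as the
-- WITH CHECK for INSERT and UPDATE, so a user cannot write a photo into
-- a family they are not a member of.

-- An API bug that forgets its own filter still gets filtered rows:
SELECT id, storage_key FROM photos;  -- only the caller's families

-- The role the API connects as must not be a superuser or have BYPASSRLS,
-- otherwise the policy is skipped entirely.
```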
Encrypted in transit, encrypted at rest
Data is sent over HTTPS, and stored encrypted by our infrastructure providers. End-to-end encryption (where even Coral can’t read photos) is on our roadmap once the key-management UX is ready.
We minimize what we store
Coral stores what it needs to work (account, family membership, and photo metadata). We don’t run third-party trackers on your photo content, and we don’t sell or trade data.