Trust & Security

Your data and your money, handled plainly.

The short version: Baited never touches a card number, your customers stay yours, and everything moves over encrypted connections. Here is exactly how, with no certifications we haven't earned.

01 What we promise

Five commitments, each one concrete.

Not a values statement — specific things Baited does and does not do with your account and your anglers' information.

Baited never touches card numbers

Payments run on Stripe Checkout. Card details are entered into Stripe's own hosted fields and go straight to Stripe — they never reach a Baited form or server. We build on Stripe's PCI-certified infrastructure rather than handle raw card data ourselves.

Your customers are yours

Bookings, customers, and manifests export in full, any time, with no lock-in and a literal $0 per-booking fee. Leaving is a download, not a negotiation.

Encrypted in transit

Every request — widget, admin, API — is served over HTTPS. There is no plain-HTTP path to your data or your anglers' details.

Least-privilege access

Internal access is scoped to what a task needs and no more. Payment credentials live with Stripe; Baited holds references, not secrets it doesn't need.

Public data only for weather

Forecast and tide come from NOAA and other public sources. Marine intelligence never depends on anything private about you or your customers.

02 How payments flow

A deposit never stops at Baited.

The deposit moves from the angler to the operator's own Stripe account. Baited sits beside that path to record the booking — it is not a middleman that holds the funds.

  1. Angler enters the deposit

    Card details are typed into Stripe's hosted, PCI-certified fields — not into a Baited form, and never onto a Baited server.

  2. Stripe charges the card

    Stripe authorizes and captures the deposit. We pass Stripe's processing fee through at cost and add nothing on top.

  3. Funds settle to your account

    The deposit lands in the operator's own connected Stripe account. Baited is not in the money path and holds no balance.

  4. We record the booking

    Baited stores the booking, the Stripe reference, and the manifest — the trip details, never the card number.

Baited holds no funds. There is no Baited balance, no payout you wait on us to release, and no per-booking commission skimmed in between. The money is Stripe's job and the account is yours.

03 Responsible disclosure

Found something? Tell us before anyone else.

If you believe you've found a security issue in Baited — the widget, the admin, or the API — email us with the details and we'll get back to you. We don't run a bounty program yet, but we read every report, act on the real ones quickly, and will credit you if you'd like.

Please give us a reasonable window to fix an issue before disclosing it publicly, and don't run tests that degrade service or access data that isn't yours.

hey@baited.dev

04 The honest footnote

We'd rather tell you what's true than borrow a badge we haven't earned.

Straight answers

Have a security question we didn't cover?

Email the same address and a human will answer. No ticket queue, no AI phone tree.