Security for Sticki.ly

Sticki.ly does not require camera, microphone, contact, or location access to function. The only user content it can access is the note text you type and the single file you explicitly choose to attach to a sticki.

Mobile photo-library or file-picker prompts appear only when you choose to add an attachment. Desktop apps use standard file-open panels for the same purpose.

Guest mode stays local. Once you sign in and enable sync, Sticki.ly stores your note text, timestamps, attachment metadata, and optional attachment file so the same stickis can appear on your other devices.

Sync data is stored on Cloudflare-hosted infrastructure used by Bravely Studios: Workers for the API, D1 for app metadata, and R2 for attachments.

Web purchases are handled by Paddle. Mobile purchases are handled by Apple App Store or Google Play billing via RevenueCat. Sticki.ly uses email-based verification codes instead of passwords, so account recovery flows through the email address associated with your purchase.

We keep the minimum entitlement data required to restore Pro access and enforce the 10-device limit. Payment card details never reach our servers.

The web app updates automatically when a new version is deployed. Desktop builds use signed update frameworks: Sparkle on macOS and Velopack on Windows.

Update checks contact bravely.dev to look for newer signed builds. Those checks do not transmit your note contents or attachment contents.

Sticki.ly uses PostHog for product analytics such as onboarding completion, paywall views, purchase restore attempts, sync failures, and update events. Sticki contents, filenames, and attachment bytes are not sent to PostHog.

Every client includes a Settings control to disable analytics. Required account and billing requests, such as purchase restoration or entitlement checks, continue to work even if analytics is off.

Contact Sticki.ly support for account recovery, billing questions, or bug reports.

For security-sensitive reports, email security@bravely.dev.