Trust & Safety

Public Find My Booking is OTP-protected. We never expose full booking details from a public search — only masked previews and a one-time 6-digit code sent to the contact on file.

OTPs expire, have attempt limits, and are single-use.

Login, public verification requests, OTP requests, and booking-related public actions are rate-limited per IP, per identifier, and per contact.

Repeated abuse triggers temporary blocks.

Every database query is scoped by company. One business cannot read another business's bookings, customers, employees, vehicles, incidents, or notifications.

Owners decide what each employee can do — view-only, bookings, vehicles, incidents, reminders, settings, employees, reports. Permissions can be changed any time.

Important actions are recorded in an audit log (status changes, plan changes, manual payments, incident updates, etc.).

Customer confirmation links use tokens with a single-use design. Tokens can be reissued if needed.

When a vehicle is damaged, in maintenance, late, or otherwise affecting bookings, we automatically detect directly-affected, nearby-risk, and watch-only bookings.

The reminder engine surfaces pending confirmations, pre-pickup checks, return-prep, and similar items before they become problems.

Active business actions (creating bookings, vehicles, sending notifications) require an active subscription or unexpired trial.

Fleet capacity and staff limits are enforced; over-limit attempts are blocked with a structured error.

Add-on idempotency and double-click protection prevent duplicate charges.

Until real email / SMS / payment providers are switched on with proper keys, the platform stays in a safe mocked state — recording what would have been sent but not contacting external services.

ConfirmPH cannot replace your direct responsibility as a business or as a customer. We provide transparency tools; you still need to communicate, inspect, and decide.