Skip to main content
OneCount
Security

Built for operators who need to trust their data.

OneCount handles stocktake data for hospitality venues. This page explains how access is controlled, how data is protected, and how you can always get your records out.

Role-based access
Staff count, managers review, owners govern. Access is scoped to what each role needs — no shared credentials, no over-permission.
Full audit trail
Every session is preserved with entries, timestamps, and the user who made each count. History is never overwritten.
Export and recoverability
CSV and Excel export is available for every session, always. Your data is never locked in — you can take a copy at any time.
Operational reliability
Session data syncs from the mobile app to the dashboard in real time. Counts are committed as they happen, not in batch.
Access control

Permissions follow your structure.

OneCount uses role-based access at the organization and venue level. You control who can count, who can review, and who can make changes.

Staff
  • Start and run sessions from the mobile app
  • Enter counts for assigned venues
  • View their own session history
  • Dashboard management features
  • Other users' data
  • Billing or account settings
Manager
  • All Staff permissions
  • Review and close sessions
  • View venue-level variance and history
  • Add catalog items and locations
  • Invite or remove team members
  • Delete the organization
Owner
  • All Manager permissions
  • Invite, manage, and remove team members
  • Access all venues in the organization
  • Manage organization settings
Audit trail

Every count is on the record.

Stocktake history is never deleted or overwritten. Sessions are preserved with entry-level detail — what was counted, by whom, and when.

Each session captures the following for every entry: the item counted, the quantity entered, the user who entered it, and the timestamp. This record persists after the session is closed.

Managers and owners can review session history from the dashboard at any time. Sessions cannot be silently edited after closing — any correction would create a new session record.

For venues with Square POS connected, the audit trail includes the theoretical usage data derived from sales, alongside the actual count — giving a complete record of variance origin.

Export and recoverability

Your data, your records.

OneCount is not a system of lock-in. Export is a control mechanism — use it for compliance, internal reporting, or backup.

CSV and Excel export
Every session can be exported to CSV or Excel from the dashboard. No approval required, no additional cost.
No vendor lock-in
Your session data, entries, and variance records belong to you. If you stop using OneCount, export your data first.
On-demand access
Exports are available immediately, for any closed session. There is no archive delay or export queue.
Useful for compliance
If your operation requires local records for compliance or audit purposes, CSV exports can support that workflow.
Infrastructure

Auth and data storage.

OneCount uses Supabase for authentication and data storage — an established, open-source backend with strong security defaults.

Authentication is email and password based. OAuth (Google, Apple, etc.) is not currently required. All authentication is managed by Supabase Auth, which handles token issuance, session management, and credential storage.

Data is stored in a managed PostgreSQL database with row-level security enforced. Only authenticated users with the correct organization membership can read or write their organization's data.

The OneCount dashboard and API routes run on Vercel's serverless infrastructure. Static assets are served via Vercel's CDN.

If you have specific hosting or data residency requirements, contact us to discuss.

Responsible Disclosure

Report security issues

We take vulnerability reports seriously and will respond promptly.

If you discover a security vulnerability in OneCount, please report it to us privately. We will acknowledge receipt within two business days and work with you to understand and address the issue before any public disclosure.

Contact: hello@onecount.ai

security.txt — Standard security contact and disclosure policy file.

FAQ

Security questions

Common questions before rolling out to a team.

No. Access is scoped to the venues within your organization. Staff only see what they've been given access to. Managers can review all venues in the organization. Owners have full visibility.
Next

Bring reliability to every count.

If governance and audit trail matter to your operation, start with a controlled pilot rollout.

Contact usJoin the waitlist