Is my payment information stored on your servers?

Full credit card numbers, CVV codes, and bank details never touch our servers (Stripe). They're handled directly by our PCI-DSS Level 1 certified payment processor, which is the highest security standard in the credit-card industry. We store only a tokenized reference (so you can re-use a saved card if you opt in) and the last four digits for your receipt. If our systems were ever compromised, your card data would not be accessible because we don't have it.

Tokenization is the technical mechanism that makes saved-card functionality possible without storing actual card data. When you choose to save a card, the payment processor returns a token — a meaningless string that represents the card within their system — and we store the token instead of the card number. Future transactions reference the token, the processor looks it up against the actual card data they hold, and the charge proceeds. The token is useless to anyone outside our payment processor's system; even if our entire database were stolen, the tokens couldn't be used to charge cards anywhere else.

The architectural choice to keep card data outside our systems is part of why PCI compliance is meaningful rather than a checkbox. The strictest level of PCI-DSS compliance — Level 1 — applies to processors handling more than six million transactions per year and includes annual on-site audits, quarterly network scans, and continuous monitoring. Drivers worried about payment security on online platforms can specifically ask any provider whether they store card data on their own servers; the right answer is "no, we use a tokenized PCI-compliant processor." Any other answer is a sign the provider has a structurally weaker payment security posture.