diff --git a/web/supabase/migrations/20260224070000_storage_payment_proofs_policy.sql b/web/supabase/migrations/20260224070000_storage_payment_proofs_policy.sql
new file mode 100644
index 00000000..8a21d755
--- /dev/null
+++ b/web/supabase/migrations/20260224070000_storage_payment_proofs_policy.sql
@@ -0,0 +1,18 @@
+-- Storage policies for p2p-payment-proofs bucket
+-- Users are wallet-based (no auth.uid()), so policies must be open
+-- Proof files auto-expire in 1 day via cleanup-proofs edge function
+
+-- Allow anyone to upload payment proofs
+CREATE POLICY "Allow payment proof uploads"
+ ON storage.objects FOR INSERT
+ WITH CHECK (bucket_id = 'p2p-payment-proofs');
+
+-- Allow anyone to read payment proofs (public bucket)
+CREATE POLICY "Allow payment proof reads"
+ ON storage.objects FOR SELECT
+ USING (bucket_id = 'p2p-payment-proofs');
+
+-- Allow deletion (for cleanup-proofs edge function via service role)
+CREATE POLICY "Allow payment proof deletes"
+ ON storage.objects FOR DELETE
+ USING (bucket_id = 'p2p-payment-proofs');
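Review bot: The "Allow payment proof deletes" policy has no `TO` clause, so it applies to every role and lets any client holding the anon key delete any object in `p2p-payment-proofs`. Its comment says it exists for the cleanup-proofs function running as service role, but the Supabase service role bypasses RLS, so the policy can be dropped and replaced with a comment such as `-- No DELETE policy: cleanup-proofs runs as service_role, which bypasses RLS`. The SELECT policy has the same reach: anyone can read every proof in the bucket, not just the two parties to a trade, and payment screenshots are likely to carry account details. Since there is no `auth.uid()` to key on, a tighter design would keep the bucket private and have an edge function verify a wallet signature before issuing signed upload and download URLs. The INSERT policy checks only `bucket_id`, so unless the bucket itself sets a size limit and allowed MIME types (not visible in this migration), uploads are unrestricted in size and content.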