Data & Security

Last updated: 6 May 2026

The short version

• Encrypted at rest, in transit, and on backups.
• Never sold. Never shared with advertisers or data brokers.
• Never used to train AI models. Including ours.
• One-tap export and delete. Your data, your call.
• Hosted on infrastructure we control — no third-party data warehouses.

Encryption

• In transit: all client ↔ server traffic uses TLS 1.2+ via Let's Encrypt certificates. HTTP is auto-redirected to HTTPS.
• At rest: the PostgreSQL database is encrypted at the disk level. Backups are encrypted with separate keys.
• Passwords: hashed with bcrypt (cost 12). Never stored in plaintext, never logged.
• Tokens: JWT access + refresh, with refresh tokens hashed in the DB so a backup leak can't be used to impersonate users.

Access control

• Every API endpoint that touches user data is auth-gated by JWT middleware.
• Every database query is scoped to the authenticated user. There is no admin-impersonation path.
• The single founder (Abhishek Sivaraman) is the only person with production server access. SSH is key-based; passwords are rotated regularly.

What we send to AI providers

• Chat questions, scan photos, and lab images you submit are sent to a third-party model provider for processing.
• Per the provider.s published policy, paid API content is not used to train their models.
• We don't include your name, email, phone number, or other identifiers in prompts. The AI sees only the inputs the feature needs.

Logging & analytics

• Server logs include request paths, status codes, and timestamps — used for reliability and abuse prevention.
• No third-party analytics on health screens. No Mixpanel, no Amplitude, no Segment, no Facebook SDK.
• Logs auto-redact authorization headers, cookies, passwords, and refresh tokens.

Data residency

Primary data lives on a single dedicated server we control. Daily backups are encrypted and stored in the same region.

Incident response

If we detect a security incident affecting your data, we'll notify you in-app and by email within 72 hours and explain exactly what happened and what you should do.

Reporting a vulnerability

Found something? Email zafitai1234@gmail.com with a subject line starting [SECURITY]. We take responsible-disclosure seriously and will respond within 48 hours.

Contact

Questions about security — email zafitai1234@gmail.com.