Trust & Security

Built for the most sensitive data there is

Mental health data deserves the strongest protection. Here is exactly how we protect yours.

Encryption

Every field. Every time.

Your journal entries, mood data, and conversations are each encrypted individually before they ever reach our database.

Field-level encryption on every sensitive data point

Each piece of personal data is encrypted individually with its own unique key before storage

Keys rotate automatically

Encryption keys rotate on schedule without re-encrypting existing data; previous keys retained for decryption only

Tamper detection on every record

Authenticated encryption ensures any modification to stored data is immediately detected

Built on industry-standard cryptographic libraries

Constant-time operations with no timing side-channels, using battle-tested open-source implementations

Infrastructure

Hardened from the ground up

Every layer of our stack is chosen for security first, from containers to DNS.

Google Cloud Run

Containerized, hardened chiseled images with no shell access

MongoDB Atlas

Managed database with TLS 1.2+, connection pooling, hosted on Google Cloud

Cloudflare

DDoS protection, edge caching, and DNS security

Data Governance

Clear rules. No exceptions.

Your data belongs to you. We enforce strict policies on how long we keep it and who can see it.

Configurable retention policies

Check-ins kept 3 years, conversations archived at 6 months and deleted at 2 years

7-year tamper-proof audit logs

Every access event is logged with chain-hash tamper protection

No data sold. Ever.

Never shared with advertisers, never used to train AI models

Complete data export

One-click JSON export of everything we have on you

Full account deletion

Cascade deletion across all collections, no data left behind

Crisis Safety

Safety is not a feature. It's the foundation.

When someone is in crisis, the technology needs to get out of the way and connect them with real help immediately.

Dual-layer crisis detection

Client-side keyword detection plus server-side validation ensures nothing slips through

Immediate resource surfacing

988 Suicide & Crisis Lifeline, Crisis Text Line, RAINN, and more surfaced contextually based on what's shared

On-device safety plans

Stored locally, accessible offline, always available even without a connection

Compliance

Meeting the standards that matter

HIPAA

Health Insurance Portability and Accountability Act

Enterprise-grade encryption, comprehensive audit logging, and Business Associate Agreement available. Designed from day one for healthcare-grade data handling.

GDPR

General Data Protection Regulation

Full data portability, right to deletion, and transparent processing. You can export or erase everything we have on you at any time.

CCPA

California Consumer Privacy Act

No data sold to third parties, full deletion rights, and clear disclosure of what we collect and why.