Security & privacy

Health data is the most sensitive data you own. We treat it that way.

Encryption in transit and at rest

All data is encrypted via TLS 1.3 in transit. At rest, data is encrypted using AES-256 via Supabase's infrastructure. We do not store plaintext health information anywhere outside the encrypted database.

Row-level security

Every database query is scoped by user ID through Supabase RLS policies. Your data is inaccessible to other users — even in the event of a database breach, the RLS policies prevent cross-user data access.

No tracking, no ads, no data selling

TrackPep does not use third-party analytics, advertising networks, or data brokers. We run self-hosted PostHog for basic product usage metrics (page views, feature usage) — fully anonymised, no IP storage, no personal data sent to third parties. We will never sell your data.

Infrastructure

We run on Supabase (Postgres + Auth + Storage) hosted on AWS in the US region. Backend compute is on Vercel (Edge Network). Logs are retained for 30 days for operational debugging and then permanently deleted.

Data deletion

You can delete your account and all associated data at any time from Settings. Deletion is permanent and irreversible — we do not maintain backups after account deletion. For GDPR deletion requests, email privacy@trackpep.com.

GDPR & CCPA compliance

We comply with GDPR and CCPA requirements. You have the right to access, export, correct, and delete your personal data. Data processing is based on explicit consent at sign-up. You can withdraw consent at any time by deleting your account.
