Security
Your health data is sensitive, and we treat it that way. This page summarises how we protect it. For how we collect and use data, see our Privacy Policy.
Encryption
All traffic to superhumanlab is encrypted in transit with HTTPS/TLS, and your data is encrypted at rest in our database. Your session cookie is HttpOnly and, in production, secure — it’s the only cookie we set.
Access & isolation
Every request is authenticated, and the API is scoped so your data is only ever returned to your own account — there is no “read everyone’s data” path. We follow the principle of least privilege for the small team and systems that operate the service.
Data minimisation — and no advertising
We collect only what we need to run the service, we use cookie-less analytics (no tracking cookies), and we never sell your data or share it for advertising.
Our partners
The service partners that process data on our behalf (hosting, AI, email, bot protection) do so under contract and only to provide the service. Our AI partner does not store your inputs or use them to train AI models. See the Privacy Policy for details.
Your controls
From your Profile and Settings you can download a complete copy of your data at any time and permanently delete your account, which removes your profile, readings, notes, sessions and consent records.
Reporting a vulnerability
We welcome reports from security researchers. If you believe you’ve found a vulnerability, please email [email protected] with the details and steps to reproduce. We will not pursue legal action against researchers who act in good faith, avoid privacy violations and data destruction, and give us reasonable time to fix an issue before disclosing it publicly. Please don’t access or modify data that isn’t yours while testing.
Keeping your account secure
Use a strong, unique password (or a social login), and contact us at the address above if you notice anything suspicious about your account.