Your health data is protected.
We treat health data with the seriousness it deserves. Here's exactly how we protect it.
Encryption at Rest
All data is stored in an encrypted database on infrastructure we control. Passwords are hashed with bcrypt. API keys are stored as SHA-256 hashes. Automated encrypted backups run nightly.
Encryption in Transit
All connections use TLS 1.3. HSTS is enforced with preload. Cloudflare provides DDoS protection and edge caching for static assets only — your health data never touches the CDN.
Session Security
Session tokens are SHA-256 hashed before storage. CSRF protection on all forms. Password changes invalidate all other sessions. Rate limiting on all authentication endpoints.
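The session handling described above, sketched as an added example (not LongevityGraph's own code): tokens are stored only as SHA-256 digests, and a password change revokes every other session for that user. The `SessionStore` class, its method names and the in-memory dictionary are assumptions standing in for a real sessions table.

```python
import hashlib
import secrets


class SessionStore:
    """Hypothetical in-memory stand-in for a sessions table keyed by SHA-256(token)."""

    def __init__(self):
        self._by_hash = {}  # hex digest of token -> user id

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user_id: str) -> str:
        # 32 random bytes carry too much entropy to brute-force, so a fast
        # unsalted hash is sufficient here (passwords, by contrast, need bcrypt).
        token = secrets.token_urlsafe(32)
        self._by_hash[self._digest(token)] = user_id
        return token  # the raw token goes to the client and is never stored

    def lookup(self, token: str):
        # Hash the presented value and look it up by digest. A digest read
        # from a leaked table is not itself a usable token.
        return self._by_hash.get(self._digest(token))

    def on_password_change(self, user_id: str, current_token: str) -> int:
        """Revoke all sessions of user_id except the one making the change."""
        keep = self._digest(current_token)
        stale = [h for h, u in self._by_hash.items()
                 if u == user_id and h != keep]
        for h in stale:
            del self._by_hash[h]
        return len(stale)

    def stored_values(self):
        """What a reader of the table would see: digests only."""
        return list(self._by_hash)
```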
Zero Tracking
No Google Analytics. No Mixpanel. No tracking pixels. No third-party analytics of any kind. We don't sell your data, don't serve ads, and don't share with data brokers.
Self-Hosted Infrastructure
LongevityGraph runs on dedicated infrastructure (Hetzner), not shared cloud platforms. We control the hardware, the network, and the data. No multi-tenant risks.
Bring Your Own Key
Optionally provide your own AI API key. When configured, AI requests go directly to the provider using your key — we never store your key in plaintext; it is encrypted at rest.
Data Export & Deletion
Export your biomarker data as CSV or your full dataset as JSON. Delete your entire account from Settings — immediate, irreversible, complete removal of all health data.
Input Validation
All file uploads are validated with content-type checks, magic byte verification, and size limits. All SQL queries use parameterized inputs. All AI-generated HTML is sanitized before rendering.
Backup & Recovery
Automated encrypted backups run nightly with a 7-day, 4-week, 12-month, and 3-year retention policy. In the unlikely event of data loss, we can restore from the most recent backup.