• Verification codes for email-based signup expire after 10 minutes.
• Child invite codes expire after 30 days and are single-use.
Content safety
• Every message is screened by two independent safety layers on every turn: a deterministic, region-aware keyword detector (covering 13 regions) and OpenAI's moderation API.
• Crisis-level detections immediately pause the conversation, display region-specific resources, and (for minor accounts) notify the parent.
• Elevated-level detections are rate-limited to one parent email every 4 hours to avoid flooding during a rough day of venting.
• All safety events are logged for audit with a 200-character message preview, never the full transcript.
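The screening flow above, as an added illustration that is not Hearth's own code: two layers are combined by taking the higher severity, a crisis result pauses the turn and notifies the parent immediately, an elevated result is rate-limited to one parent email per 4-hour window, and every event is logged with a preview capped at 200 characters. The keyword tokens, the region resource table, and the moderation stub are constructed placeholders; a real deployment would call the external moderation API where the stub sits.

```python
"""Two-layer message screening with crisis/elevated escalation, a 4-hour
rate limit on parent emails, and preview-only audit logging.

Added illustration, not Hearth's own code. Keyword tiers, the region
resource table and the moderation stub are constructed placeholders."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

PREVIEW_CHARS = 200                        # audit log stores at most this much text
ELEVATED_EMAIL_WINDOW = timedelta(hours=4)  # one parent email per window
LEVEL_ORDER = {"none": 0, "elevated": 1, "crisis": 2}

# Constructed placeholder tokens standing in for per-region keyword lists.
CRISIS_KEYWORDS = {"crisis-marker"}
ELEVATED_KEYWORDS = {"elevated-marker"}

# Constructed region -> resource text; a real table would hold per-region hotlines.
REGION_RESOURCES = {"US": "US resources (placeholder)", "UK": "UK resources (placeholder)"}
DEFAULT_RESOURCES = "Generic resources (placeholder)"


@dataclass
class SafetyEvent:
    user_id: str
    level: str
    preview: str        # truncated message text, never the full transcript
    at: datetime


@dataclass
class Outcome:
    level: str
    paused: bool
    resources: Optional[str]
    parent_notified: bool


def keyword_level(text: str) -> str:
    """Layer 1: deterministic keyword detector."""
    words = set(text.lower().split())
    if words & CRISIS_KEYWORDS:
        return "crisis"
    if words & ELEVATED_KEYWORDS:
        return "elevated"
    return "none"


def worst(*levels: str) -> str:
    """Highest severity wins when the two layers disagree."""
    return max(levels, key=LEVEL_ORDER.__getitem__)


class SafetyScreen:
    def __init__(self, moderation: Callable[[str], str]) -> None:
        self.moderation = moderation          # layer 2: external API stand-in, returns a level
        self.audit_log: list[SafetyEvent] = []
        self.last_elevated_email: dict[str, datetime] = {}   # parent_id -> last email time

    def screen(self, user_id: str, text: str, region: str, is_minor: bool,
               parent_id: Optional[str], now: datetime) -> Outcome:
        level = worst(keyword_level(text), self.moderation(text))
        if level == "none":
            return Outcome("none", False, None, False)
        # Record the event with a bounded preview only.
        self.audit_log.append(SafetyEvent(user_id, level, text[:PREVIEW_CHARS], now))
        has_parent = is_minor and parent_id is not None
        if level == "crisis":
            # Pause, show region resources, notify the parent immediately (no rate limit).
            return Outcome("crisis", True, REGION_RESOURCES.get(region, DEFAULT_RESOURCES), has_parent)
        # Elevated: at most one parent email per window.
        notified = False
        if has_parent:
            last = self.last_elevated_email.get(parent_id)
            if last is None or now - last >= ELEVATED_EMAIL_WINDOW:
                self.last_elevated_email[parent_id] = now
                notified = True
        return Outcome("elevated", False, None, notified)


def demo() -> tuple[SafetyScreen, list[Outcome]]:
    """Drive the screen with constructed messages over a simulated afternoon."""
    # Moderation stub: flags one phrase the keyword layer does not know about.
    screen = SafetyScreen(moderation=lambda t: "elevated" if "subtle phrase" in t else "none")
    t0 = datetime(2024, 1, 1, 12, 0)
    runs = [
        ("hi elevated-marker", "US", t0),                                   # email sent
        ("again elevated-marker", "US", t0 + timedelta(hours=1)),           # suppressed
        ("later elevated-marker", "US", t0 + timedelta(hours=5)),           # window elapsed
        ("crisis-marker " + "x" * 300, "UK", t0 + timedelta(hours=5, minutes=1)),  # pause
        ("a subtle phrase only", "US", t0 + timedelta(hours=10)),           # caught by layer 2
    ]
    return screen, [screen.screen("child1", m, r, True, "parent1", t) for m, r, t in runs]
```

The rate limiter is keyed by parent, not by child, so a parent with two linked children still receives at most one elevated email per window; the crisis path deliberately bypasses it.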
Third-party services
• OpenAI — conversation generation, voice (Realtime API), moderation, TTS, Whisper transcription. API data is not used to train models.
• Stripe — billing and subscription management. Payment card data is handled exclusively by Stripe; we never see or store card numbers.
• Anam.ai — optional live avatar streaming for premium users.
• We do not use ad networks, analytics that track identifiable individuals, or marketing pixels.
Access control
• Each account's data is scoped by user_id at the database level. One user cannot query or enumerate another user's data.
• Parent → child visibility is mediated by explicit parent-child links and the child's privacy-level setting.
• Admin tooling (/admin) is gated by a server-side role check, not a client-side flag. Only designated administrators have access.
• API endpoints that handle personal data require a valid session token on every request.
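The access-control rules above, as an added illustration that is not Hearth's own code: every request resolves a session token first, a user's own queries are scoped to their user_id, a parent can read a child's data only through an explicit link row and only to the depth the child's privacy level allows, and the admin tool checks the role column on the server. The schema, the two privacy levels ("summary" shows a count, "full" shows message text), the tokens and all rows are constructed for this demo.

```python
"""Row-level scoping by user_id, parent -> child visibility gated by an
explicit link plus the child's privacy level, and a server-side role check
for admin tooling.

Added illustration, not Hearth's own code. The schema, the two privacy
levels ("summary" and "full"), the session tokens and all rows are
constructed for this demo."""
from __future__ import annotations
import sqlite3
from typing import Any, Callable

SCHEMA = """
CREATE TABLE users (
    id            TEXT PRIMARY KEY,
    role          TEXT NOT NULL DEFAULT 'user',      -- 'user' or 'admin'
    privacy_level TEXT NOT NULL DEFAULT 'summary'    -- constructed: 'summary' or 'full'
);
CREATE TABLE parent_child_links (
    parent_id TEXT NOT NULL, child_id TEXT NOT NULL, PRIMARY KEY (parent_id, child_id)
);
CREATE TABLE messages (id INTEGER PRIMARY KEY, user_id TEXT NOT NULL, body TEXT NOT NULL);
CREATE TABLE sessions (token TEXT PRIMARY KEY, user_id TEXT NOT NULL);
"""


class Forbidden(Exception):
    """Raised whenever a request fails authentication or authorization."""


def open_demo_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed users, links, messages and sessions."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("parent1", "user", "summary"), ("child1", "user", "summary"),
        ("child2", "user", "full"), ("stranger", "user", "summary"),
        ("ops", "admin", "summary"),
    ])
    db.executemany("INSERT INTO parent_child_links VALUES (?, ?)",
                   [("parent1", "child1"), ("parent1", "child2")])
    db.executemany("INSERT INTO messages (user_id, body) VALUES (?, ?)",
                   [("child1", "c1 msg"), ("child2", "c2 msg"), ("stranger", "s msg")])
    db.executemany("INSERT INTO sessions VALUES (?, ?)",
                   [("tok-parent", "parent1"), ("tok-child1", "child1"), ("tok-ops", "ops")])
    return db


def authenticate(db: sqlite3.Connection, token: str) -> str:
    """Every personal-data endpoint resolves the session token before anything else."""
    row = db.execute("SELECT user_id FROM sessions WHERE token = ?", (token,)).fetchone()
    if row is None:
        raise Forbidden("missing or invalid session token")
    return row[0]


def visible_messages(db: sqlite3.Connection, token: str, target_user_id: str) -> dict[str, Any]:
    """Messages of target_user_id, as far as the caller is allowed to see them."""
    caller = authenticate(db, token)
    if caller == target_user_id:       # owner: query is scoped to the caller's own user_id
        rows = db.execute("SELECT body FROM messages WHERE user_id = ?", (caller,)).fetchall()
        return {"mode": "owner", "messages": [r[0] for r in rows]}
    # Parent path: an explicit link row must exist; the child's setting decides the depth.
    row = db.execute(
        "SELECT u.privacy_level FROM parent_child_links l JOIN users u ON u.id = l.child_id "
        "WHERE l.parent_id = ? AND l.child_id = ?", (caller, target_user_id)).fetchone()
    if row is None:
        raise Forbidden("no parent-child link between caller and target")
    if row[0] == "full":
        rows = db.execute("SELECT body FROM messages WHERE user_id = ?", (target_user_id,)).fetchall()
        return {"mode": "full", "messages": [r[0] for r in rows]}
    count = db.execute("SELECT COUNT(*) FROM messages WHERE user_id = ?", (target_user_id,)).fetchone()[0]
    return {"mode": "summary", "count": count}


def require_admin(db: sqlite3.Connection, token: str) -> str:
    """Server-side role check: the role is read from the users table, never from the client."""
    caller = authenticate(db, token)
    row = db.execute("SELECT role FROM users WHERE id = ?", (caller,)).fetchone()
    if row is None or row[0] != "admin":
        raise Forbidden("admin role required")
    return caller


def admin_list_users(db: sqlite3.Connection, token: str) -> list[str]:
    require_admin(db, token)
    return [r[0] for r in db.execute("SELECT id FROM users ORDER BY id")]


def is_forbidden(fn: Callable[..., Any], *args: Any) -> bool:
    """True if the call is rejected; used to exercise the denial paths."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

Note that a missing link and a missing token both fail closed with the same exception type, so the endpoint never has to distinguish "no such user" from "not yours", which is what prevents enumeration.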
Data rights & retention
• You can export all your data as JSON at any time (Profile → Your Data → Download).
• You can permanently delete your account and all linked data. Deletion is immediate; there is no soft-delete or grace period.
• Deleting a parent account cascades to every linked child account.
• Safety event logs retain a message preview for audit purposes; these are deleted with the account.
Reporting a vulnerability
• If you discover a security issue, please email [email protected] with details. We respond within 48 hours.
• Please do not publicly disclose vulnerabilities until we have had a reasonable time to investigate and patch.
• We welcome good-faith research. We do not pursue legal action against researchers who follow responsible disclosure.
What we do not claim
We want to be precise so families can make informed choices:
• We do not claim HIPAA compliance. Hearth is not a covered entity — it is a wellness companion, not a healthcare provider.
• We do not yet have SOC 2 or ISO 27001 certification. These are on our roadmap.
• We do not end-to-end encrypt conversations in a zero-knowledge sense — the server must decrypt messages to run moderation and generate responses. We describe this as "private by design" and not "end-to-end encrypted."