← Back to home

Security

Last updated: July 8, 2026

How we protect your data and your members' conversations — and what you can do to help.

Encryption in transit

All traffic uses TLS. Your data is never sent over an unencrypted connection.

Mandatory admin MFA

Platform admins must use two-factor authentication. No admin access without a second factor.

Isolated per gym

Each gym's data is row-level isolated. Your members' conversations are private to your gym.

Least-privilege access

Admin tools are scoped and audited. We log every impersonation and privileged action.

How your data is protected

  • Authentication: passwords are hashed by our auth provider (Supabase). Admin accounts require TOTP two-factor authentication.
  • Row-level isolation:database policies enforce that a gym owner can only access their own gym's data — never another gym's members or content.
  • Per-member privacy:the coach maintains separate memory per member. One member's goals and history are never surfaced to another member.
  • Audited admin access:any time a platform admin views a gym's data (“View as”), it's read-only and logged. There is no silent access.

What you can do

  • Use a strong, unique password for your account.
  • Limit dashboard access to staff who need it.
  • Deactivate departing staff promptly.
  • Review your member list periodically and remove inactive members.

Reporting a vulnerability

If you believe you've found a security issue, please report it responsibly through our contact page rather than publicly. We investigate every report and will work with you on disclosure.

Data retention & deletion

We keep your data only as long as your account is active. Deleting your account removes your uploaded content and your members' conversation histories. Member-level data can also be deleted individually from your dashboard at any time.

Questions about this policy? Get in touch.