
Security

Last Updated May 5, 2026

1. How We Protect Your Account

1.1 Passwords

We never store or transmit your password in plaintext, and no one on our team can see it — not now, not ever. When you create an account or change your password, we hash it using an industry-standard password-hashing function configured to current best-practice parameters. Only the hash is stored. When you sign in, we compare your entry against that hash. If our database were ever compromised, attackers would find hashes, not passwords. We also enforce industry-standard password complexity requirements when you choose a new password.

1.2 Sessions

After you sign in, the app uses a signed bearer session token that the server verifies on every request, which means tokens cannot be tampered with or forged. If a token is invalid, the request is rejected.

1.3 Rate Limiting

Sign-in, sign-up, and general API requests are rate-limited to levels consistent with industry guidance to defeat credential-stuffing and brute-force attacks. We do not publish specific thresholds because doing so would simply tell an attacker their budget.

1.4 Where Sign-In Lives

All sign-in happens inside the mobile app. The marketing site you are reading does not host login, signup, or session-bearing account surfaces — those all live in the app under Settings. We use Supabase Auth as our authentication processor. Email and password is the only sign-in method today; multi-factor and third-party sign-in (Google, Apple, etc.) are on our roadmap but not yet available.

The one exception is the password reset flow at /forgot-password and /reset-password. Those pages exist because Supabase recovery emails need a web landing page to receive the recovery token. They use the publishable (anon) Supabase key, never persist a session to browser storage, and call signOut() the moment your new password is saved. The marketing site holds nothing about you past that single call.

2. How We Protect Your Data

2.1 Transport

All traffic between your device, our marketing site, and our API is carried over HTTPS using modern TLS. We use HSTS preload so that compliant browsers will refuse to connect over plain HTTP at all. Requests that arrive without TLS are rejected.
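An HSTS preload claim like the one above can be checked from the response headers. The following is an added example, not MyPetVault's code: it tests a `Strict-Transport-Security` value against the published preload-list criteria (max-age of at least one year, `includeSubDomains`, `preload`). The sample headers are constructed and the function names are hypothetical.

```python
import re

PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds, the preload list minimum


def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: argument}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in directives:  # RFC 6797 forbids repeated directives
            raise ValueError("duplicate directive: " + name)
        directives[name] = arg.strip().strip('"')
    return directives


def preload_problems(headers):
    """Return reasons a response's HSTS policy fails the preload criteria."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header"]
    try:
        # Browsers process only the first HSTS header field (RFC 6797, 8.1).
        policy = parse_hsts(values[0])
    except ValueError as exc:
        return [str(exc)]
    problems = []
    max_age = policy.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):
        problems.append("max-age missing or not an integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year")
    if "includesubdomains" not in policy:
        problems.append("includeSubDomains missing")
    if "preload" not in policy:
        problems.append("preload missing")
    return problems


# Constructed sample responses as (header name, value) pairs.
GOOD = [("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")]
WEAK = [("strict-transport-security", "max-age=86400; includeSubDomains")]

if __name__ == "__main__":
    print(preload_problems(GOOD))
    print(preload_problems(WEAK))
```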

2.2 Storage

Your records and uploaded documents (PDFs and images) are stored in encrypted form by our database and storage providers, with encryption at rest. The exact storage layout is an implementation detail we may change to improve performance or durability. Whichever layout we use, your documents live inside the same encryption boundary as the rest of your account data. Each document is also associated with a content hash so we can detect duplicates without re-storing identical files.

2.3 Access Controls

Only the application code that needs to read or write your records can do so, and only in the context of a request authenticated as you. Employees do not have routine access to customer data. Any access for debugging or support is limited to what is necessary and is never used for marketing, profiling, or model training.

2.4 Third-Party Risks

Our Services rely on third-party infrastructure providers (hosting, database, storage, analytics, authentication, AI). We exercise reasonable care in selecting providers but we do not control their internal security practices. A security incident at one of our providers could affect data we have entrusted to them, despite our safeguards.

2.5 No Guarantees

No method of electronic transmission, storage, or processing is 100% secure. While we use commercially reasonable safeguards, we cannot guarantee absolute security and you use the Services at your own risk.

3. Document Extraction and Google Gemini

Plain-English disclosure: When you upload a document to MyPetVault, its contents are sent to Google's Gemini API so that Google can read the document and return structured data (for example, extracting a vaccination name and date from a vet receipt). The structured prompt we send alongside the document does not include any information from your MyPetVault account — we do not pass your email, your account ID, your name, your address, your subscription tier, or any other account-derived identifier in the request. We do not, however, modify, redact, or strip the document itself before sending it. Vet receipts, prescriptions, vaccination cards, and similar documents commonly have personal and contact information printed on them — for example, the pet owner's name and address, the veterinarian's name and clinic, phone numbers, and email addresses. Whatever is printed on the document is part of what Google receives. If you do not want a particular piece of information to leave our system, you can either redact it on the document before uploading, skip the upload entirely and enter the record manually, or contact us to discuss alternatives. Google processes the request under its own API terms and privacy practices.

Once Google returns the extracted fields, MyPetVault presents them to you as candidate records, card by card, and you review and confirm each one before anything is saved to your pet's profile. Nothing is added to your records automatically.

If you would prefer not to have a document processed by Google Gemini, you do not have to upload it. You can always enter records (visits, medications, vaccinations, weights, allergies) manually in the app. Manual entry never involves any third-party processor.

For the full list of what data is handled and by whom, see our Privacy Policy.

4. What We Do Not Do

Some security protections come from things we structurally do not do. MyPetVault does not:

  • Use session replay tools, full-keystroke recorders, or screen-capture instrumentation that would let us reconstruct your interactions with the app.
  • Fingerprint your device using browser, OS, or hardware characteristics in an attempt to identify you across other apps or websites that are not ours.
  • Sell, transfer, or otherwise disclose payment-card data to third parties — payment processing happens entirely inside Apple App Store or Google Play and we never see your card details.
  • Read or process documents you have not uploaded — manual record entry never sends data to our document-extraction provider.
  • Use your account password for any purpose other than verifying your sign-in. We never store, transmit, or display your password in plaintext, and no one on our team can see it.

What we may do — including using analytics inside the app and working with advertising partners — is described in our Privacy Policy. The Privacy Policy is the authoritative description of our data practices and may be updated from time to time as the Services evolve. Where applicable law gives you a right to opt out of any of these practices, the Cookie Settings page and the Data Rights page describe how to exercise that right.

We do collect anonymous web analytics on the marketing site for visitors from the United States and Canada, automatically, in line with the opt-out privacy frameworks those jurisdictions use. Analytics are processed in PostHog's US region. We do not load analytics for visitors with Do Not Track or Global Privacy Control enabled. See Privacy Policy Section 11 for what is collected and the Cookie Settings page to opt out at any time.

5. Reporting a Security Issue

If you believe you have found a security vulnerability in MyPetVault, we would like to hear about it. We support responsible disclosure and will not take legal action against researchers who act in good faith, avoid privacy violations, and give us a reasonable window to investigate and fix the issue before public disclosure.

Please email support@mypetvault.org with the subject line Security disclosure and include:

  • A clear description of the issue and its potential impact.
  • Steps to reproduce, or a proof of concept if you have one.
  • Any relevant URLs, request payloads, or screenshots.
  • How you would like to be credited, if at all.

We aim to respond to security reports as soon as practicable and will keep you informed throughout our investigation.

We also publish a security contact in /.well-known/security.txt per RFC 9116.
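A published security.txt is only useful if its required fields are valid and current. The following is an added example, not MyPetVault's code: it checks the two fields RFC 9116 requires, `Contact` (a URI) and `Expires` (exactly one timestamp, still in the future). The sample files, their `Expires` values, and the function names are constructed for illustration; an OpenPGP signature wrapper, if present, is not verified.

```python
from datetime import datetime, timezone


def parse_security_txt(text):
    """Collect 'Name: value' fields, skipping blank lines and # comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def security_txt_problems(text, now):
    """Return RFC 9116 violations for the two required fields."""
    fields = parse_security_txt(text)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact missing")
    for contact in contacts:
        # Contact must be a URI: mailto:, tel:, or an https:// web address.
        if not contact.lower().startswith(("mailto:", "tel:", "https://")):
            problems.append("Contact lacks a URI scheme: " + contact)
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
        return problems
    try:
        when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    except ValueError:
        return problems + ["Expires is not an RFC 3339 timestamp"]
    if when.tzinfo is None:
        problems.append("Expires has no UTC offset")
    elif when <= now:
        problems.append("Expires is in the past")
    return problems


# Constructed sample files; the Expires values are made up for the example.
GOOD_TXT = "# constructed sample\nContact: mailto:support@mypetvault.org\nExpires: 2027-05-05T00:00:00Z\n"
STALE_TXT = "Contact: support@mypetvault.org\nExpires: 2025-01-01T00:00:00Z\n"
NOW = datetime(2026, 5, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(security_txt_problems(GOOD_TXT, NOW))
    print(security_txt_problems(STALE_TXT, NOW))
```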

6. Questions

If you have general questions about how MyPetVault handles your data, the Privacy Policy and Data Rights pages are the best starting points. You can also reach us at:

Iterrum LLC
Email: support@mypetvault.org
Mailing address: TODO: add Iterrum LLC mailing address before publishing legal pages
