Security
Last updated: 25 May 2026
Our commitment
NutriLoop handles sensitive health and nutrition data on behalf of practitioners and their clients. We treat security as a foundational requirement, not an afterthought.
Infrastructure
- Hosting — application deployed on Vercel's global edge network with automatic DDoS protection and TLS termination.
- Database — Supabase (PostgreSQL) hosted in the EU with automated backups, point-in-time recovery, and network isolation.
- CDN & DNS — Cloudflare with always-on SSL/TLS, WAF rules, and bot mitigation.
Encryption
- In transit — all connections use TLS 1.2 or higher. HSTS is enforced across all domains.
- At rest — database storage is encrypted using AES-256. Backups are encrypted with separate keys.
Authentication & access control
- Passwords are hashed using bcrypt with a cost factor that exceeds industry recommendations.
- OAuth 2.0 sign-in with Google is available as a passwordless alternative.
- Row-level security (RLS) policies in PostgreSQL ensure practitioners can only access their own data.
- Internal team access follows least-privilege principles with role-based access control.
Application security
- Input validation and parameterised queries to prevent SQL injection.
- Content Security Policy (CSP) headers to mitigate XSS attacks.
- CSRF protection on all state-changing requests.
- Dependencies are monitored for known vulnerabilities and updated promptly.
Data handling
- Client health data is logically isolated per practitioner account.
- We do not sell, share, or use practitioner/client data for training models or advertising.
- Data exports are available on request so you always retain ownership.
- Account deletion permanently removes all associated data within 30 days.
Incident response
In the unlikely event of a data breach, we will notify affected users and relevant supervisory authorities within 72 hours as required by GDPR, along with a clear description of the impact and remediation steps.
Responsible disclosure
If you discover a security vulnerability, please report it to security@nutriloop.co. We ask that you give us reasonable time to address the issue before public disclosure. We do not pursue legal action against good-faith security researchers.
Questions
For security-related questions, contact us at security@nutriloop.co.