Security & Privacy

Your data is yours.

Bilateral Calm exists to help people regulate their nervous systems in private moments. The data that's created while you do that is some of the most personal there is. Here's exactly how we protect it — and what we promise never to do with it.

We will never sell or share your data.

Not to advertisers, not to data brokers, not to social platforms, not for AI training. The list of companies we share data with is short, public, and only ever functional (billing you, emailing you a password reset).

Encrypted in transit and at rest.

Every byte travelling between your device and our servers is encrypted with TLS 1.2+ (the same protocol your bank uses). Anything stored on disk is encrypted at the database layer, and any sensitive free-text field is additionally encrypted with a separate per-app key — so even a database dump leaks nothing usable.

We never see your password — or your card.

Passwords are hashed with bcrypt before they ever touch our database, so even our engineers can't read them. Credit cards never reach our servers at all — Stripe handles every payment, and we only store the customer ID Stripe gives back to us.

Minimal data collection, by design.

We collect the smallest amount of data needed to run the app: an email, your practice progress (so you can pick up where you left off), and your subscription state. We don't track you across the web, we don't run Facebook Pixel or Google Analytics on member pages, and we don't fingerprint your device.

One-click deletion. Really.

Open Settings → Privacy → Delete my account. It permanently removes your practice history, progress, favorites, reminders, sessions, and login from our servers. We retain only the legally required payment receipts, with your identifying details stripped.

Brute-force protection on every sign-in.

After 5 failed login attempts from the same device, sign-in is locked for 15 minutes — so even leaked password lists from other sites can't be tried against your account in bulk. Optional Face ID / biometric login adds another layer your device alone controls.
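The lockout rule above (5 failures from one device, then a 15-minute lock) as an added worked example, not Bilateral Calm's own code; the per-device key, the in-memory store and the injectable clock are assumptions for illustration.

```javascript
// Added example (not Bilateral Calm's own code): a per-device sign-in lockout
// implementing "5 failed attempts from the same device locks sign-in for 15 minutes".
// The device key and the in-memory Map are assumptions; a real deployment would
// back this with shared storage so every app server sees the same counters.
const MAX_FAILURES = 5;
const LOCKOUT_MS = 15 * 60 * 1000;

class SignInGuard {
  constructor(now = () => Date.now()) {
    this.now = now;          // injectable clock so the behaviour can be tested
    this.state = new Map();  // deviceKey -> { failures, lockedUntil }
  }

  // Remaining lockout in milliseconds, or 0 if sign-in may proceed.
  lockedFor(deviceKey) {
    const s = this.state.get(deviceKey);
    if (!s || s.lockedUntil === 0) return 0;
    const remaining = s.lockedUntil - this.now();
    if (remaining > 0) return remaining;
    // Lock has expired: forget it so the next 5 failures start a fresh count.
    this.state.delete(deviceKey);
    return 0;
  }

  // Call after a failed password check. Returns true if the device is now locked.
  recordFailure(deviceKey) {
    if (this.lockedFor(deviceKey) > 0) return true;  // already locked; do not extend
    const s = this.state.get(deviceKey) || { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= MAX_FAILURES) {
      s.lockedUntil = this.now() + LOCKOUT_MS;
    }
    this.state.set(deviceKey, s);
    return s.lockedUntil > 0;
  }

  // Call after a successful sign-in: a correct password clears the failure count.
  recordSuccess(deviceKey) {
    this.state.delete(deviceKey);
  }
}
```

The counter is keyed per device rather than per account, so an attacker cycling through a leaked password list is throttled without letting someone lock a victim out of their own account from elsewhere.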

The complete list of companies that touch your data

Every modern app relies on a small handful of trusted providers for payments, email, and infrastructure. We list ours in full — including what they see, and why we use them. We will publish updates to this list before any new provider is added.

Stripe

Payment processing.

What they see: Email, name, card details (handled entirely by Stripe — they never touch our servers).
Why: Required to process subscriptions. PCI DSS Level 1 certified.

Resend

Transactional email (password resets only).

What they see: Your email address, the one-time reset link.
Why: Required to deliver password reset emails. SOC 2 Type II certified.

Google (OAuth)

Optional 'Sign in with Google'.

What they see: Your Google email + basic profile (only if you choose Google sign-in).
Why: Lets you skip creating a password. Bilateral Calm requests the minimum scopes possible.

MongoDB Atlas

Database hosting.

What they see: Your account record, practice progress, favorites.
Why: Encrypted at rest, IP-restricted, daily backups. SOC 2 Type II certified.

RevenueCat (iOS)

App Store subscription management.

What they see: An anonymous app user ID linked to your Apple transaction.
Why: Required by Apple for subscription receipt validation on the native iOS app.

Some of the engineering choices behind this

HTTPS everywhere, enforced by the browser. Every request to Bilateral Calm is delivered over TLS, and the server tells your browser to refuse insecure connections for the next year via the HSTS header. There is no plain-text version of this app.

Strict security headers. Every page returned by our servers includes X-Frame-Options: DENY (no one can embed Bilateral Calm in a malicious iframe to trick you into clicking), Referrer-Policy: strict-origin-when-cross-origin (we don't leak the page you were on when you click outbound links), and a strict Content-Security-Policy that blocks scripts from anywhere we don't explicitly trust.

Session cookies marked HTTP-only and Secure. Even if a malicious browser extension tried to read your session token, it can't — the cookie is invisible to JavaScript and only sent over HTTPS.
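The header and cookie policy described in the three points above, as an added example that is not Bilateral Calm's own code: a policy object, a matching session cookie, and a checker that flags responses which fall short of it. The CSP source list and the SameSite attribute are assumptions; the page names only the header names and the HSTS lifetime.

```javascript
// Added example (not Bilateral Calm's own code): the response-header policy the
// section describes, plus an audit function to verify a response against it.
// CSP sources and SameSite are assumptions added here, not taken from the page.
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;

function securityHeaders() {
  return {
    // Browser refuses plain-HTTP connections to this site for the next year.
    "Strict-Transport-Security": `max-age=${ONE_YEAR_SECONDS}; includeSubDomains`,
    // Page may not be embedded in any iframe (clickjacking defence).
    "X-Frame-Options": "DENY",
    // Outbound links receive only our origin, and nothing on an HTTPS->HTTP downgrade.
    "Referrer-Policy": "strict-origin-when-cross-origin",
    // Scripts only from our own origin, no inline scripts, no plugins, no framing.
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
  };
}

// Session cookie: hidden from document.cookie (HttpOnly) and sent only over HTTPS (Secure).
function sessionCookie(token) {
  return `session=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Audit a response's headers (name -> value as received, any case) against the policy.
// Returns a list of findings; an empty list means the response is compliant.
function auditResponse(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];
  const m = /max-age=(\d+)/.exec(h["strict-transport-security"] || "");
  if (!m) findings.push("HSTS missing");
  else if (Number(m[1]) < ONE_YEAR_SECONDS) findings.push("HSTS max-age below one year");
  if ((h["x-frame-options"] || "").toUpperCase() !== "DENY") findings.push("X-Frame-Options is not DENY");
  if (h["referrer-policy"] !== "strict-origin-when-cross-origin") findings.push("Referrer-Policy too permissive or missing");
  const csp = h["content-security-policy"] || "";
  if (!csp) findings.push("CSP missing");
  else if (/'unsafe-inline'|\*/.test(csp)) findings.push("CSP allows unsafe-inline or wildcard sources");
  const cookie = h["set-cookie"] || "";
  if (cookie && !/;\s*httponly/i.test(cookie)) findings.push("session cookie not HttpOnly");
  if (cookie && !/;\s*secure/i.test(cookie)) findings.push("session cookie not Secure");
  return findings;
}
```

Running the audit against a response captured from staging after every deploy catches a regression (a proxy stripping HSTS, a cookie library losing the Secure flag) before it reaches members.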

Logs that don't leak. Our backend logs are written without personal identifiers like email addresses. An engineer triaging an issue sees opaque IDs only.

Field-level encryption for sensitive notes. Any free-text reflection or journal entry you write inside the app is encrypted with a separate per-app key before being stored. Even our engineers cannot read those entries by querying the database.

Your rights, in one place

Right to access. Download a complete JSON of everything we have stored about you, any time, from Settings → Privacy → "Download my data".

Right to erasure. Permanently delete your account and all associated data with one click — Settings → Privacy → "Delete my account". The deletion executes immediately; it is not a "marked for deletion" placeholder.

Right to portability. The export above is in standard JSON, so you can hand it to a successor service or just inspect it.

Right to ask questions. Email hello@bilateralcalm.com and a real person — not an AI agent — will reply.

If something goes wrong

In the unlikely event of a data breach affecting Bilateral Calm users, we commit to notifying affected users by email within 72 hours of discovery, with a clear description of what happened, what data was involved, and what steps you should take. We will publish a public post-mortem on this page within 30 days.

Practice in private. Always.

Bilateral Calm is built for the moments most apps don't deserve to see. We've designed every part of it to keep those moments yours.