All traffic to and from Home Health Intel is served over TLS. Data at rest in Supabase Postgres and storage buckets is encrypted by the platform. Photos in storage are private by default and require a signed URL to retrieve.

Accounts are managed by Supabase Auth. Passwords are never stored in plaintext. Supabase hashes them using industry-standard algorithms. We support email-based password reset and plan SSO and MFA in a future release.

Database access uses Postgres Row Level Security (RLS). A user can only read or modify their own properties, assessments, photos, and reports. RLS is enforced at the database layer, not just the app layer, so a bug in the app cannot expose another user’s data.

You. By default, no one else. Our team can access your data only when you ask us to (for example, to debug an issue you opened a support ticket about) and we log that access. We do not share, sell, license, or syndicate your reports to carriers, agents, contractors, or data brokers.

Our subprocessor list lives on the privacy policy. If we add or change a subprocessor in a way that affects how your data is handled, we update that page and email account holders.

Every photo is SHA-256 hashed on upload and the hash is bundled into the NGDS JSON record. Original EXIF (timestamp, GPS, device model) is preserved in the source file so a carrier can re-verify provenance. C2PA + PAdES-LTV PDF signing ships in a later phase once our commercial X.509 certificate is issued. Today’s PDFs are unsigned but the evidence bundle hashes give downstream readers a verifiable chain.

Supabase performs continuous Postgres backups for our project. Reports stay in your account until you delete them. On account deletion, your data is removed from primary stores within 30 days and from backups within the rolling backup window.

If you find a security vulnerability, please email info@homehealthintel.com with the subject line “Security”. Please give us a reasonable window to investigate and remediate before public disclosure. We don’t currently run a paid bug-bounty program, but we credit researchers who report responsibly.

Out of scope: denial-of-service, social engineering, physical attacks, and reports that require physical access to a user’s unlocked device.

If a security incident affects your data, we will notify you by email within 72 hours of confirming the impact, along with what we know, what we’re doing about it, and what you should do.