01 Our approach
CalmPilot AI is built around a simple idea: collect as little as possible, encrypt what we do collect, and limit who can see it. Security is reviewed continuously and treated as a shared responsibility across the team.
02 Encryption
- In transit — all communication between the app and our servers uses TLS 1.2 or higher. We disable obsolete protocols and weak ciphers.
- At rest — your data is stored on encrypted volumes using AES-256 or equivalent industry-standard algorithms.
- On device — sensitive entries (mood notes, chat) are stored in protected storage that takes advantage of your device’s secure-enclave features when available.
03 Storage & access controls
- Production data is hosted on reputable cloud infrastructure with physical, network, and operational security certifications (SOC 2 / ISO 27001 family).
- Access to production systems is restricted to a small number of named engineers, gated by single sign-on and multi-factor authentication.
- Engineer access is logged and audited. Access to wellness or chat data follows least-privilege principles and is granted only when needed for support, debugging, or legal compliance.
- Backups are encrypted, geographically isolated, and rotated on a regular schedule.
04 Authentication on your device
The app uses a device-generated identifier instead of a password. You can enable an additional Fingerprint Lock in Settings to require biometrics each time the app opens. We strongly recommend enabling it on shared devices.
05 Secure development
- Code changes are reviewed by at least one engineer before being deployed.
- Dependencies are scanned for known vulnerabilities, and security patches are applied promptly.
- Regular automated and manual testing is performed against common web and mobile risks (OWASP Mobile Top 10).
- Independent security reviews are commissioned periodically as the app evolves.
06 Incident response
If we detect or are notified of a security incident, our team triages it, contains the issue, and investigates the cause. If a confirmed incident affects your personal data, we will notify affected users and the relevant authorities within the timelines required by applicable law (typically 72 hours under GDPR-style regulations).
07 What you can do
- Keep your device’s operating system and the CalmPilot AI app up to date.
- Use a screen lock and, where supported, enable Fingerprint Lock in the app.
- Do not install the app from unofficial sources — use only the App Store or Google Play.
- Be cautious about who has physical access to your unlocked device.
08 Responsible disclosure
If you discover a vulnerability, please give us a chance to fix it before sharing it publicly. We welcome reports from the security community and treat them as a partnership.
Please include reproduction steps, a brief impact statement, and your contact details. Do not access, modify, or delete data that does not belong to you, do not run automated scanners against production systems, and do not disrupt the service. If you act in good faith under these guidelines, we will not pursue legal action.
09 No absolute guarantee
No service connected to the internet can be made completely secure. We work continuously to protect your data with reasonable, industry-standard controls, but we cannot guarantee that the app, its servers, or any data transmitted will be free from unauthorized access, loss, or alteration. Your use of the app is at your own risk, subject to the limits in our Terms & Conditions and Privacy Policy.
10 Contact
For security questions or concerns: