SECURITY

How we protect your data

You trust PoisePlan with sensitive financial information. We take that seriously. Here's how we secure your data and what you can do to protect your account.

Encryption

All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Sensitive fields like authentication secrets are additionally encrypted with separate keys.

Authentication

Passwords are hashed with bcrypt, an industry-standard algorithm for secure password storage. Admin accounts require two-factor authentication (TOTP) through standard authenticator apps like Google Authenticator, Authy, or 1Password.

All users can optionally enable two-factor authentication on their accounts in Settings.

Audit logging

Every admin action and Coach interaction is logged with timestamp, IP address, and user agent. This creates an audit trail for accountability and dispute resolution.

Data isolation

Your data is isolated at the database level using row-level security policies. Users cannot access each other's data, even at the database query level.

Third-party processors

We use a small number of trusted third-party services:

  • Lovable Cloud for database and authentication (SOC 2 Type II infrastructure)
  • Stripe for payment processing (PCI-DSS Level 1)
  • Anthropic for AI Coach interactions
  • PostHog for product analytics

None of these services share your data with each other or with third parties beyond their stated purpose.

Your data rights

You can export all your data at any time from Settings. You can delete your account and all associated data permanently from Settings. We honor these requests within 24 hours.

Responsible disclosure

If you discover a security vulnerability, please report it to security@poiseplan.com. We respond within 24 hours and work with researchers to resolve issues before public disclosure.

What you can do

  • Use a unique, strong password (consider a password manager)
  • Enable two-factor authentication on your account
  • Keep your email account secure — it can be used to reset your password
  • Be cautious of phishing emails — we will never ask for your password
  • Review your account activity periodically in Settings

Questions about security?

Email Security Team