How Your Data Is Protected

Security is built into every layer of TRANSFORMR. Here's a technical overview of how we protect your data.

Encryption in Transit

All communication between the TRANSFORMR app and our servers uses TLS 1.3 — the latest and most secure version of the Transport Layer Security protocol. This means every data packet sent from your phone (meals, workouts, health metrics) is encrypted in transit and cannot be read by any third party.

Encryption at Rest

All data stored in our databases is encrypted at rest using AES-256, the industry-standard symmetric encryption algorithm used by banks and government agencies.

Business and Financial Data: Enhanced Encryption

Your business metrics (revenue, income data) and goal-staking transaction records are encrypted with an additional end-to-end encryption layer before being stored. This means even TRANSFORMR's own engineers cannot read your business financial entries in plain text.

Password Security

Passwords are never stored. Instead, they're hashed using bcrypt with a per-user salt before storage. If our database were ever breached, your actual password would not be exposed.

Access Controls

Internal access to your data at TRANSFORMR follows the principle of least privilege:

  • Engineers can only access anonymized, aggregated data for debugging
  • Accessing an individual user's record requires multi-factor authentication and is audit-logged
  • No employee can access your AI Coach conversation history or your business data

AI Coach Privacy

When you use the AI Coach, your messages are processed by Anthropic's Claude model. Per Anthropic's enterprise API agreement:

  • Your conversations are not used to train Anthropic's models
  • Queries are not stored by Anthropic beyond 30 days for safety logging
  • TRANSFORMR stores your conversation history only in your account, accessible only to you

Incident Response

In the event of a security incident affecting user data, TRANSFORMR will:

  1. Notify affected users via email within 72 hours of discovery (in compliance with GDPR Article 33)
  2. Publish a public incident report within 7 days
  3. Provide specific guidance on what to do (e.g., change passwords)

We have never had a data breach. This protocol exists so you know what to expect if we ever do.

Compliance

  • GDPR (EU): Full compliance for EU users, including data portability and right to erasure
  • CCPA (California): Full compliance for California residents
  • COPPA: TRANSFORMR is not intended for users under 13; accounts for minors require parental consent