Security & Data Protection
Your trust is our top priority. Learn how we keep your data safe and secure.
End-to-End Encryption
All data transmitted between your device and our servers is encrypted using industry-standard TLS/SSL protocols. Your personal information, health data, and payment details are encrypted both in transit and at rest.
- AES-256 encryption at rest
- TLS 1.3 for data in transit
- Encrypted database backups
Secure Authentication
We use Firebase Authentication, a battle-tested system trusted by millions of apps worldwide. Your passwords are never stored in plain text.
- Phone number verification (OTP)
- Apple Sign-In integration
- Bcrypt password hashing
- Multi-factor authentication support
Privacy by Design
We collect only the minimum data necessary to provide our services. You control what you share, and we never sell your personal or health data to third parties.
- Minimal data collection
- No sale of personal data
- Granular privacy controls
- HIPAA-aware practices
PCI-DSS Compliant Payments
We partner with industry leaders (Stripe, Apple, Google) for payment processing. We never store your credit card information on our servers.
- Stripe for web payments
- Apple/Google for in-app purchases
- PCI-DSS Level 1 compliance
- Tokenized payment data
Access Controls
Strict internal policies limit who can access your data. Only authorized personnel with a legitimate need can view user information, and all access is logged.
- Role-based access control (RBAC)
- Principle of least privilege
- Audit logs for all access
- Regular access reviews
Regular Security Audits
We conduct regular security assessments, vulnerability scans, and penetration testing to identify and fix potential issues before they become problems.
- Quarterly vulnerability scans
- Annual penetration testing
- Code security reviews
- Third-party security audits
Infrastructure Security
CARROT is built on Google Cloud Platform (Firebase), one of the most secure and reliable cloud infrastructures in the world. Google's infrastructure provides:
- Physical Security: Data centers with 24/7 monitoring, biometric access controls, and redundant power supplies
- Network Security: DDoS protection, advanced firewalls, and intrusion detection systems
- Data Redundancy: Automatic backups, geographic distribution, and disaster recovery plans
- Uptime Guarantee: 99.95% uptime SLA backed by Google Cloud
- Compliance: SOC 2, ISO 27001, and other industry certifications
Health Data Protection
Your health and fitness data is particularly sensitive, and we treat it with the utmost care:
- Consent-Based Collection: We only collect health data (steps, activity) after you explicitly grant permission
- Limited Sharing: Health data is never shared with third parties for advertising or marketing purposes
- HIPAA Awareness: While CARROT is not a covered entity under HIPAA, we follow HIPAA-inspired best practices for health data protection
- HealthKit/Google Fit: Integration follows Apple and Google's strict privacy and security guidelines
- Anonymization: When sharing aggregate data, we ensure it cannot be traced back to individuals
Data Retention and Deletion
You have full control over your data:
- Right to Delete: You can delete your account and all associated data at any time through the app
- 30-Day Deletion: Once you delete your account, all personal data is permanently erased within 30 days
- Backup Retention: Encrypted backups are retained for 90 days for disaster recovery, then permanently deleted
- Legal Holds: Data may be retained longer if required for legal compliance (e.g., financial records, fraud investigations)
Compliance and Certifications
- SOC 2 Type II (via Google Cloud)
- ISO 27001 (via Google Cloud)
- PCI-DSS Level 1 (via Stripe)
- CCPA Compliant
- GDPR Ready
- Apple App Store Guidelines
- Google Play Security Standards
Incident Response
In the unlikely event of a security breach, we have a comprehensive incident response plan:
- Immediate Containment: Affected systems are isolated and secured within minutes
- User Notification: Affected users are notified within 72 hours (or as required by law)
- Remediation: We work with security experts to fix vulnerabilities and prevent recurrence
- Transparency: We publish security incident reports and lessons learned
- Support: Dedicated support channels are available for affected users
Your Security Responsibilities
Security is a shared responsibility. Here's how you can protect your account:
- Strong Passwords: Use a unique, complex password (if using email/password login)
- Protect Your Phone: Enable device lock (PIN, Face ID, Touch ID) to prevent unauthorized access
- Enable Two-Factor Authentication: Use phone verification when available
- Keep Apps Updated: Install the latest version of CARROT for security patches
- Beware of Phishing: CARROT will never ask for your password via email or text
- Report Suspicious Activity: Contact us immediately if you notice unusual account activity
Report a Security Vulnerability
If you discover a security vulnerability in CARROT, please report it to us responsibly. We appreciate the security research community's efforts to keep our users safe.
Contact: security@carrotwellness.com
Please include:
- Detailed description of the vulnerability
- Steps to reproduce
- Potential impact and severity
- Your contact information for follow-up
We aim to respond within 48 hours. Responsible disclosure is appreciated; please allow us time to fix issues before public disclosure.
Third-Party Security
We carefully vet all third-party services we integrate with:
- Google Firebase: SOC 2, ISO 27001 certified cloud platform
- Stripe: PCI-DSS Level 1 certified payment processor
- Apple HealthKit / Google Fit: Secured by Apple/Google's privacy frameworks
- Email Providers: TLS-encrypted email delivery with SPF/DKIM/DMARC
- Gift Card Partners: PCI-compliant reward fulfillment providers
All third-party vendors sign Data Processing Agreements (DPAs) committing to protect your data.
Last Updated: December 10, 2025 | We continuously improve our security practices and update this page to reflect changes.