Security
We build Assistant Coach with the understanding that you're trusting us with sensitive client information — health data, body measurements, progress photos, and personal details. Here's how we protect it.
Infrastructure
Hosting
Assistant Coach runs on trusted cloud infrastructure. Our setup includes:
- Managed database — Our database is hosted on a managed service that handles automated patching, maintenance, and high availability
- Firewall protection — Network-level firewalls restrict access to only the ports and services that need to be exposed. Database access is locked down to our application servers only — it's not reachable from the public internet
- Isolated environments — Production, development, and testing environments are fully separated
File storage
Progress photos and uploads are stored in secure cloud storage with:
- Access controls — Files are not publicly accessible. Each access request is authenticated
- Time-limited URLs — When you or a client views a photo, the URL expires after a short period. Even if someone obtained a URL, it would stop working quickly
- Encrypted storage — Files are encrypted at rest
Data encryption
In transit
All data moving between your browser and our servers is encrypted using HTTPS (TLS). This is the same encryption that protects online banking and e-commerce — it ensures that no one can intercept or read your data while it's being transmitted.
This applies to everything: login credentials, client data, check-in submissions, photo uploads, API calls, and AI tool connections.
At rest
Data stored in our database and file storage is encrypted at rest. This means even if someone gained physical access to the storage hardware, the data would be unreadable without the encryption keys.
Authentication
Coach accounts
Coach accounts are protected by secure authentication. Sessions are managed server-side with proper expiration and invalidation.
Client portal
Clients access their portal through a secure, authenticated link. Each client can only see their own data — check-ins, plans, goals. There's no way for a client to access another client's information.
AI tool connections (OAuth)
When you connect an AI tool like ChatGPT or Claude, the connection uses OAuth 2.1 — the latest industry standard for secure authorization. Here's what that means in practice:
- You explicitly grant access through a consent screen (you see exactly what's being requested)
- The AI tool receives a separate access token — it never sees your password
- Tokens are hashed before storage (the raw token is never saved on our servers)
- Access is limited to read-only — connected AI tools cannot modify your data
- You can revoke access instantly from Settings, which invalidates all tokens immediately
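The token handling listed above, as an added example that is not Assistant Coach's own code: a token store that keeps only a SHA-256 digest of each access token, allows read-only requests, and revokes every token for a user in one call. The class, its method names and the in-memory dictionary standing in for a database table are assumptions.

```python
import hashlib
import secrets


class TokenStore:
    """In-memory stand-in for a token table; only SHA-256 digests are kept."""

    def __init__(self):
        self._rows = {}  # digest -> {"user": ..., "scope": ...}

    @staticmethod
    def _digest(raw_token: str) -> str:
        # Tokens are long random values, so a fast unsalted hash is enough
        # here; the same choice would be too weak for human-chosen passwords.
        return hashlib.sha256(raw_token.encode()).hexdigest()

    def issue(self, user: str, scope: str = "read") -> str:
        raw = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._rows[self._digest(raw)] = {"user": user, "scope": scope}
        return raw  # handed to the client once, never stored

    def authorize(self, raw_token: str, method: str) -> bool:
        # Look up by digest: a leaked table reveals no usable tokens.
        row = self._rows.get(self._digest(raw_token))
        if row is None:
            return False  # unknown or revoked token
        # Read-only scope: only safe HTTP methods pass.
        if row["scope"] == "read":
            return method.upper() in {"GET", "HEAD"}
        return False

    def revoke_all(self, user: str) -> int:
        # Delete every digest belonging to the user; returns how many were removed.
        doomed = [d for d, r in self._rows.items() if r["user"] == user]
        for d in doomed:
            del self._rows[d]
        return len(doomed)

    def stored_values(self):
        # What an attacker with a database dump would see.
        return list(self._rows)
```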
Data isolation
Coach-to-coach isolation — Each coach's data is completely separate. There is no mechanism for one coach to see another coach's clients, plans, or data. Queries are scoped to the authenticated coach at the database level.
Client-to-client isolation — Within a coach's roster, clients can only see their own data through the portal. Client A cannot see Client B's check-ins, photos, or plans.
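What scoping queries to the authenticated coach looks like in practice, as an added example that is not Assistant Coach's own code: an unscoped lookup beside a data-access object that adds the coach's id to every query. The table layout, names and sample rows are constructed for illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, coach_id INTEGER, name TEXT)")
    # Constructed sample rows: two coaches, three clients.
    db.executemany("INSERT INTO clients VALUES (?, ?, ?)",
                   [(1, 10, "Alex"), (2, 10, "Sam"), (3, 20, "Jordan")])
    return db


def get_client_unscoped(db, client_id):
    # Weak form: filters only on the id taken from the request, so the
    # result does not depend on which coach is logged in.
    return db.execute(
        "SELECT id, name FROM clients WHERE id = ?", (client_id,)).fetchone()


class CoachScope:
    """Data access bound to one coach. The coach id comes from the
    server-side session, never from request parameters."""

    def __init__(self, db, session_coach_id):
        self._db = db
        self._coach_id = session_coach_id

    def get_client(self, client_id):
        # Another coach's client id matches no row and returns None.
        return self._db.execute(
            "SELECT id, name FROM clients WHERE id = ? AND coach_id = ?",
            (client_id, self._coach_id)).fetchone()

    def list_clients(self):
        rows = self._db.execute(
            "SELECT id, name FROM clients WHERE coach_id = ? ORDER BY id",
            (self._coach_id,))
        return rows.fetchall()
```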
Backups and recovery
Your data is backed up automatically on a regular schedule. Backups are:
- Stored separately from the primary database
- Protected with the same security controls as production data
- Tested to ensure they can be restored if needed
This means if something goes wrong — a software bug, a hardware failure — we can recover your data.
What we don't do
To be transparent about our practices:
- We don't sell your data — Not to advertisers, data brokers, or anyone else
- We don't use your data for training AI models — Your coaching data stays yours. The built-in AI features process data in-memory to generate drafts but don't store or learn from it beyond that session
- We don't share data with third parties — Beyond the infrastructure providers we need to operate, your data stays within the platform
- We don't access your data without reason — Our team only accesses data for infrastructure maintenance, debugging, or if you specifically ask for support
Your role in security
Security is a partnership. Here are a few things you can do:
- Use a strong, unique password — Don't reuse passwords from other services
- Keep your login credentials private — Don't share your account access
- Review connected apps — Periodically check Settings to see what AI tools are connected and disconnect any you're no longer using
- Be cautious with shared devices — Log out when using a shared or public computer
Ongoing commitment
Security isn't a one-time project — it's an ongoing practice. We regularly:
- Update dependencies and patch known vulnerabilities
- Review our code for security issues
- Monitor our infrastructure for unusual activity
- Test our backup and recovery procedures
We're building Assistant Coach for the long term, and security is foundational to that. If you have specific security questions, don't hesitate to reach out.