Your health data, locked down.
How TTL protects the personal health information you bring into the app — in plain English first, with the technical details below.
In plain English: “PHI encrypted at rest.”
PHI stands for Protected Health Information — your labs, your symptoms, your medications, anything personal you tell the app about your health.
“Encrypted at rest” means: PHI columns in our database are encrypted at the application layer using authenticated symmetric encryption (Fernet, AES-128-CBC + HMAC-SHA256) before they hit disk. The encryption key is held in our hosting provider’s encrypted environment-variable secret store — a separate access plane from the database itself. Anyone with a database snapshot but not the key sees ciphertext.
Translation: a leaked database snapshot is unreadable. A leaked snapshot plus the key would be readable, which is exactly why the key is held under stricter access controls than the data, and why the next milestone on our security roadmap is moving the key into a dedicated KMS (AWS KMS or GCP KMS) so it can never be exported by a single operator.
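To make the commitment above concrete, here is an added example (not TTL's code; TTL's backend is Python/FastAPI, and this is written in Go so it runs with nothing beyond the standard library). It applies the same Fernet token format the page names (a 0x80 version byte, a big-endian timestamp, a 16-byte IV, AES-128-CBC with PKCS7 padding, and an HMAC-SHA256 tag over everything before it, with the 32-byte key split into a signing half and an encryption half) to a single PHI cell. The environment-variable name PHI_FERNET_KEY, the sample lab value and the function names are assumptions. It demonstrates the two properties the page relies on: the value written to the database carries no plaintext, and a snapshot opened with any other key, or a token with one flipped byte, is rejected at the tag check before any decryption runs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
	"time"
)

// Assumed name of the variable the secret store injects into the app's environment.
const keyEnv = "PHI_FERNET_KEY"

// NewKey makes a 32-byte Fernet key (first 16 bytes sign, last 16 encrypt) as urlsafe base64.
func NewKey() (string, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return "", err
	}
	return base64.URLEncoding.EncodeToString(k), nil
}

// ParseKey decodes a key; KeyFromEnv reads it from the process environment, never from the database.
func ParseKey(b64 string) ([]byte, error) {
	k, err := base64.URLEncoding.DecodeString(b64)
	if err != nil || len(k) != 32 {
		return nil, errors.New("fernet key must be 32 bytes of urlsafe base64")
	}
	return k, nil
}
func KeyFromEnv() ([]byte, error) { return ParseKey(os.Getenv(keyEnv)) }

func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) { // caller guarantees len(b) >= 16 and block alignment
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS7 padding")
	}
	return b[:len(b)-n], nil
}

// EncryptColumn turns one PHI cell into a Fernet token:
// 0x80 || timestamp(8, big-endian) || IV(16) || AES-128-CBC(PKCS7) || HMAC-SHA256(32).
func EncryptColumn(key, plaintext []byte, now time.Time) (string, error) {
	block, err := aes.NewCipher(key[16:])
	if err != nil {
		return "", err
	}
	tok := make([]byte, 1+8+aes.BlockSize)
	tok[0] = 0x80
	binary.BigEndian.PutUint64(tok[1:9], uint64(now.Unix()))
	if _, err := rand.Read(tok[9:]); err != nil { // fresh random IV per cell
		return "", err
	}
	padded := pad(append([]byte(nil), plaintext...))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, tok[9:]).CryptBlocks(ct, padded)
	tok = append(tok, ct...)
	mac := hmac.New(sha256.New, key[:16])
	mac.Write(tok)
	return base64.URLEncoding.EncodeToString(mac.Sum(tok)), nil // tag covers everything before it
}

// DecryptColumn verifies the tag first, so a wrong key or a modified byte fails before any decryption.
func DecryptColumn(key []byte, token string) ([]byte, error) {
	tok, err := base64.URLEncoding.DecodeString(token)
	// minimum is 1+8+16+16+32 = 73 bytes; the ciphertext between header and tag must be block-aligned
	if err != nil || len(tok) < 73 || (len(tok)-57)%aes.BlockSize != 0 || tok[0] != 0x80 {
		return nil, errors.New("malformed token")
	}
	body, tag := tok[:len(tok)-32], tok[len(tok)-32:]
	mac := hmac.New(sha256.New, key[:16])
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("HMAC mismatch: wrong key or tampered ciphertext")
	}
	block, err := aes.NewCipher(key[16:])
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-25)
	cipher.NewCBCDecrypter(block, body[9:25]).CryptBlocks(pt, body[25:])
	return unpad(pt)
}

func main() {
	k, _ := NewKey()
	os.Setenv(keyEnv, k) // demo only; in production the secret store injects it
	key, _ := KeyFromEnv()
	tok, _ := EncryptColumn(key, []byte("LDL 142 mg/dL"), time.Now())
	fmt.Println("row as stored on disk:", tok)
	pt, _ := DecryptColumn(key, tok)
	fmt.Println("row as the app reads it:", string(pt))
}
```

Because the token layout follows the published Fernet specification, values produced here decode with the Python cryptography package's Fernet class, and vice versa. The design point worth noticing is the order of operations in DecryptColumn: the tag is checked over the whole token before the cipher is touched, which is what turns a stolen snapshot into ciphertext rather than into a padding-oracle target.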
Six commitments we hold ourselves to.
Encrypted at rest
PHI columns are encrypted at the application layer (Fernet, AES-128-CBC + HMAC-SHA256) with a key held in our hosting provider’s encrypted environment-variable secret store. The data lives in PostgreSQL. Neither the key nor the data is useful without the other; KMS migration is on the roadmap.
Encrypted in transit
All traffic between your device and our servers uses TLS 1.2 or higher. The lock icon in your browser means the data on the wire is unreadable to anyone in the middle.
No raw PHI in logs
Our application logs are scrubbed of identifying health fields. We log enough to debug, never enough to reconstruct your record. Crash dumps follow the same rule.
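One way to enforce the "no raw PHI in logs" rule at the logging boundary, as an added example (not TTL's code): every JSON log record passes through a scrubber that keeps only an allowlist of known-safe fields, counts what it dropped, and redacts email-like strings in the surviving free text. The field names, the sample log line and the regular expression are assumptions for this example; an allowlist rather than a denylist is the choice that keeps a newly added PHI field from leaking by default.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// Fields that may appear in a log line. Anything not listed is treated as PHI and dropped.
// The names are assumptions for this example, not TTL's real schema.
var logFieldAllowlist = map[string]bool{
	"ts": true, "level": true, "msg": true, "request_id": true,
	"route": true, "status": true, "latency_ms": true, "user_id": true,
}

// Email-like strings must not survive even inside free-text fields such as "msg".
var emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)

// ScrubRecord keeps allowlisted keys, drops everything else, and redacts emails in the
// remaining string values. It returns the sorted list of dropped keys for testing/metrics.
func ScrubRecord(rec map[string]any) (map[string]any, []string) {
	out := make(map[string]any, len(rec))
	var dropped []string
	for k, v := range rec {
		if !logFieldAllowlist[k] {
			dropped = append(dropped, k)
			continue
		}
		if s, ok := v.(string); ok {
			v = emailRe.ReplaceAllString(s, "[email]")
		}
		out[k] = v
	}
	sort.Strings(dropped)
	if len(dropped) > 0 {
		out["scrubbed_fields"] = len(dropped) // a debugging signal without the values
	}
	return out, dropped
}

// ScrubLine applies ScrubRecord to one JSON log line and re-serialises it.
func ScrubLine(line string) (string, error) {
	var rec map[string]any
	if err := json.Unmarshal([]byte(line), &rec); err != nil {
		return "", err
	}
	out, _ := ScrubRecord(rec)
	b, err := json.Marshal(out) // map keys are emitted sorted, so the output is stable
	return string(b), err
}

func main() {
	// Constructed sample: what a careless handler might emit before scrubbing.
	raw := `{"ts":"2025-01-01T00:00:00Z","level":"info","msg":"intake saved for jane@example.com",` +
		`"route":"/intake","status":200,"symptoms":["fatigue","night sweats"],` +
		`"medications":"metformin 500mg","user_id":"u_123"}`
	clean, err := ScrubLine(raw)
	fmt.Println(clean, err)
}
```

In a real service this sits in the log handler (or a sidecar), not in individual call sites, so a developer who logs a whole request struct still cannot get PHI onto disk. The same scrubber should run over crash dumps before they leave the host.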
Least-privilege access
Engineers don’t routinely touch production PHI. Access is role-scoped, audited, and time-bounded. Reads on PHI tables are logged with the actor, the row, and the reason.
Hard-delete with audit
When you delete your account — or when an unconverted free trial expires — PHI is purged from the live database. We keep a salted hash of the email (for re-trial detection) and an audit row of the deletion event.
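The two commitments "Least-privilege access" and "Hard-delete with audit" share one mechanism, an audit table that records actor, row and reason but never PHI values, so here is a single added example covering both (not TTL's code; the table and field names are assumptions). An in-memory store stands in for the PostgreSQL tables. Every PHI read has to go through ReadPHI with a stated reason, and DeleteAccount purges the account and its PHI rows, leaving behind only an audit row and a salted hash of the email. The salt is a single secret value held in the secret store (HMAC-SHA256 with a server-side key); that is a design choice of this example, made because a random per-row salt would make the re-trial lookup impossible, while a secret salt keeps a leaked hash table useless to anyone who does not also hold the salt.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AuditRow records who touched which row and why; it never carries PHI values.
type AuditRow struct {
	At     time.Time
	Actor  string
	Action string // "phi_read" or "account_deleted"
	UserID string
	Reason string
}

// Store stands in for the PostgreSQL tables involved. Table and field names are assumptions.
type Store struct {
	pepper      []byte               // secret salt from the secret store, never stored beside the hashes
	accounts    map[string]string    // user_id -> email
	phi         map[string][]string  // user_id -> PHI rows (labs, symptoms, medications)
	trialHashes map[string]time.Time // salted email hash -> when the trial ended
	Audit       []AuditRow
}

func NewStore(pepper []byte) *Store {
	return &Store{pepper: pepper, accounts: map[string]string{}, phi: map[string][]string{}, trialHashes: map[string]time.Time{}}
}

func (s *Store) Enroll(userID, email string, rows []string) {
	s.accounts[userID] = email
	s.phi[userID] = rows
}

// emailFingerprint is HMAC-SHA256 over the normalised email under the secret salt.
func (s *Store) emailFingerprint(email string) string {
	mac := hmac.New(sha256.New, s.pepper)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	return hex.EncodeToString(mac.Sum(nil))
}

// ReadPHI is the only path to PHI rows: each read lands in the audit log with actor, row and reason.
func (s *Store) ReadPHI(actor, userID, reason string) ([]string, error) {
	if reason == "" {
		return nil, errors.New("a reason is required to read PHI")
	}
	rows, ok := s.phi[userID]
	if !ok {
		return nil, errors.New("no such user")
	}
	s.Audit = append(s.Audit, AuditRow{time.Now(), actor, "phi_read", userID, reason})
	return append([]string(nil), rows...), nil
}

// DeleteAccount purges the account and its PHI; only the email fingerprint and an audit row remain.
func (s *Store) DeleteAccount(actor, userID, reason string) error {
	email, ok := s.accounts[userID]
	if !ok {
		return errors.New("no such user")
	}
	s.trialHashes[s.emailFingerprint(email)] = time.Now()
	delete(s.phi, userID)
	delete(s.accounts, userID)
	s.Audit = append(s.Audit, AuditRow{time.Now(), actor, "account_deleted", userID, reason})
	return nil
}

// TrialAlreadyUsed answers the re-trial question without any former user's email being on record.
func (s *Store) TrialAlreadyUsed(email string) bool {
	_, seen := s.trialHashes[s.emailFingerprint(email)]
	return seen
}

// HasPHI reports whether any PHI row still exists for the user (false after deletion).
func (s *Store) HasPHI(userID string) bool { _, ok := s.phi[userID]; return ok }

func main() {
	s := NewStore([]byte("constructed-demo-pepper")) // the real salt comes from the secret store
	s.Enroll("u_123", "Jane@Example.com", []string{"LDL 142 mg/dL", "symptom: fatigue"})
	rows, _ := s.ReadPHI("support-engineer", "u_123", "support ticket: labs not displaying")
	fmt.Println("read", len(rows), "rows")
	_ = s.DeleteAccount("trial-expiry-job", "u_123", "free trial expired unconverted")
	fmt.Println("phi left:", s.HasPHI("u_123"), "| re-trial with same email:", s.TrialAlreadyUsed("jane@example.com"))
	for _, a := range s.Audit {
		fmt.Println(a.At.Format(time.RFC3339), a.Action, a.Actor, a.UserID, a.Reason)
	}
}
```

Two details carry the security value: the read path refuses to run without a reason, so the audit row is never empty, and the email is normalised before hashing, so a re-trial attempt with different capitalisation or stray whitespace still matches the fingerprint.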
No data sales, ever
We don’t sell, rent, or trade your data, and we don’t run ads against it. Our revenue is the subscription you pay us. That’s the whole business.
HIPAA-aligned, not a covered entity.
TTL is an information platform, not a clinic, lab, or insurer — so we are not, on our own, a HIPAA covered entity. We still operate against HIPAA technical and organisational safeguards because the data you bring us behaves like PHI, regardless of who’s on the other end of the line.
That posture means: encryption at rest and in transit, role-scoped access, audit logs on PHI reads and deletions, breach-notification process aligned with the FTC Health Breach Notification Rule (16 CFR Part 318), a designated privacy contact (privacy@ttlongevity.com), BAAs in process with our hosting and AI subprocessors, and a reviewed list of subprocessors. When we begin handing off to a clinician network in the Lane Rx tier, the clinical entity that prescribes will be a covered entity, and the handoff will run through a written BAA.
Where your data actually lives.
Application + database
The TTL backend (FastAPI) and managed PostgreSQL run on Render in US-region datacenters. Database snapshots are encrypted at the storage layer; PHI columns are additionally encrypted at the application layer. Access is restricted to a small operations roster.
Authentication + sessions
JWT-based auth with rotating signing secrets. OAuth provider tokens (Google / Apple) are stored encrypted; we never receive your provider password.
AI providers
We use OpenAI, Anthropic, and Google’s commercial APIs under enterprise/business terms that prohibit training on your data. We send only the fields the model needs to answer; identifiers are stripped where possible.
Payments
Stripe handles all card-on-file data. We never touch raw card numbers; we receive only a Stripe customer ID and the subscription status.
A more detailed list of every third-party service we send data to is on the Subprocessors page.
Found a security issue?
We welcome reports from independent researchers. Email security@ttlongevity.com with a description of the issue, reproduction steps, and any supporting evidence. We’ll acknowledge within two business days and work with you on a fix and a coordinated disclosure timeline.
See our full Responsible Disclosure policy for scope and safe-harbor language.
Built so you can trust the platform with your labs.
Free trial intake. Encrypted by default. Hard-delete on demand.