Security
How we keep your readings safe.
Last updated: 20 May 2026
The short version
Selfie video is processed on your phone; raw frames never leave the device. Voice journal audio is processed by Vertex AI in the EU region (or APAC for users in our Thai pilot) and is not used to train models. Every Pulse Stamp carries an Ed25519 signature applied at the moment of capture. Storage is encrypted at rest and in transit. Your Stamps are encrypted; access is gated by your sign-in.
Data residency
- EU users: Firestore + Cloud Storage + Vertex AI in europe-west1 (Belgium).
- Thai pilot users: asia-southeast1 (Singapore), the closest EU-adequacy-compatible region.
- Cross-region transfers: happen only when you explicitly share a Pulse Record with a recipient in another region.
On-device processing
- Selfie video frames stay on the phone. MediaPipe Face Detection runs in the browser via WebAssembly.
- The rPPG signal-processing pipeline computes the heart-rate estimate locally. Only the extracted value (a number) is transmitted.
- Voice journal audio is streamed to Vertex AI Gemini Live; the raw audio is not retained beyond the live session.
Signing pipeline
- Each Pulse Record is signed with the private half of an Ed25519 keypair held in Google Secret Manager.
- The signature covers the canonical JSON form of the record (sorted keys, deterministic encoding).
- Anyone with the public key can verify a record offline. Verification does not contact our servers.
- Keys are rotated on a documented schedule. Old public keys remain published so historical records stay verifiable.
What we do not do
- We do not train AI models on your identifiable health data.
- We do not sell or share health data with advertisers, data brokers, or insurers.
- We do not maintain a centralised health dossier on you outside of what you explicitly create through the app.
- We do not embed third-party analytics or advertising SDKs in the app.
Access control
- Sign-in via Firebase Authentication (Google identity or email link).
- Pulse Records are scoped to your account; family-timeline access is granted only to invitees you authorise.
- Internal access by the Pulse team is restricted to named engineers, requires multi-factor authentication, and is audit-logged.
Encryption
- In transit: TLS 1.3 for all client-server traffic.
- At rest: Google Cloud default encryption (AES-256) for Firestore, Cloud Storage, and Secret Manager.
- Share links: scoped tokens with a configurable time-to-live; the recipient can verify without holding any long-lived credential.
Logging and audit
- Application logs are captured in Cloud Logging within the same region as the user.
- Logs are scrubbed of personal identifiers and retained for 90 days for incident response and abuse prevention.
- Health readings are never written to logs.
Incident response
If a security incident affects your data we will notify you within 72 hours of confirming the impact, in line with GDPR Article 33. The notification includes what happened, what we are doing about it, and what you can do to protect yourself. Report a suspected issue at security@aqta.ai.
Certifications and standards
We are not yet certified to SOC 2 or ISO 27001. We follow the control families those frameworks describe (access management, encryption, change management, incident response, vendor management) and intend to pursue formal certification as the team scales. Honest framing: aligned, not certified.
Subprocessors
We use the following processors to run the service:
- Google Cloud (Vertex AI, Firestore, Cloud Storage, Cloud Run, Secret Manager, Cloud Logging)
- Firebase Authentication
- Stripe or Revolut for payments (no health data shared)
A current list with sub-region and purpose is available on request at hello@aqta.ai.
Responsible disclosure
We welcome security research. If you find a vulnerability, email security@aqta.ai with a clear description and steps to reproduce. We respond within 5 working days. We do not yet operate a paid bug bounty; we will credit responsible reporters in release notes where consent permits.