On-device crypto
Optional client-side encryption with AES-256-GCM. The 256-bit key is derived locally from your encryption password via PBKDF2 (100,000 iterations) and stored only in iOS Keychain or Android Keystore. It never leaves your device.
In transit
All traffic between your device and our backend is encrypted with TLS 1.2 or higher.
At rest
Personal data is hosted by Supabase in the United States, encrypted at rest with AES-256. EU regions are available through Supabase and we will move EEA data when traffic warrants.
Access controls
Principle of least-privilege access for our team. Row-level security in the database. Authentication logs are retained for 90 days by Supabase.
Audits
Independent third-party security review on the roadmap. We will publish the report in full when complete.
Disclosure
Suspected vulnerabilities or breaches → contact@ameleva.com. Per GDPR Articles 33 and 34, we commit to notifying users and the relevant supervisory authority within 72 hours of becoming aware of a personal data breach with material risk.
How we protect your data.
Ameleva is built privacy-first. Optional client-side encryption, encrypted-at-rest infrastructure, and a transparent disclosure process. Operated by 1001511837 ONTARIO INC. in Cambridge, Ontario.
What we store
Stored at rest, not E2EE
- · Email address (account, login, password reset)
- · Full name (first + last)
- · Avatar URL (optional)
- · Account password (hashed by Supabase Auth)
- · Language preference and device timezone
- · Subscription tier (mapped to your account via RevenueCat)
- · Habit and template titles, action and challenge metadata
- · Streak counters and completion timestamps
- · Action notes and reflection text (the body of your action notes is not encrypted by default)
- · Aggregate, non-identifying product analytics
Optionally end-to-end encrypted (when you enable it)
- · Journal entries
- · Custom habit log values and notes
- · Feedback answers
Infrastructure
Personal data is hosted by Supabase in the United States. EU regions are available through Supabase but are not currently in active use; we will move EEA data when traffic warrants and update this page. Subscription state is processed by RevenueCat (United States) on top of Apple In-App Purchase and Google Play Billing. Web edge runs on Cloudflare Pages with the Workers runtime; static assets are cached at edge.
Access controls
Our team operates on a principle of least-privilege access to production data. The database enforces row-level security so application users only see their own rows. Supabase retains authentication logs for 90 days. Database backups are taken daily and purged within 30 days.
Notifications
Ameleva uses local notifications scheduled by your device's operating system. We do not store remote push tokens on our servers and we do not send remote push notifications.
What we do not collect
- Phone number
- Date of birth
- Postal address (other than the optional region you may type into a journal entry)
- GPS or precise location
- Third-party analytics SDKs, advertising SDKs, error-monitoring SDKs in production
- AI/ML model training on your personal content
- Your contacts, calendar, microphone, or camera (other than photos you attach to a moment card)
Disclosure
Suspected vulnerabilities → contact@ameleva.com. PGP scaffolding is on the disclosure page. We acknowledge in-scope reports promptly, publish a triage decision, and offer credit when a confirmed report is fixed. For breaches with material risk to users we follow GDPR Articles 33 and 34 (notification within 72 hours).
Read the encryption explainer.
PBKDF2 (100,000 iterations) + AES-256-GCM, the threat model, and what happens if you forget your encryption password.