Security

Effective: 29 April 2026

Your food logs and symptom data are deeply personal. We understand the trust you place in us when you use Phase to track what you eat and how your body responds. That's why security isn't just a feature - it's fundamental to everything we do.

🔒 Our Security Commitment

  • No passwords stored—login via Google, Apple, or secure one-time codes
  • Your food logs, meals, and symptom data are encrypted at rest and in transit
  • We never sell your data, and no human reads your personal logs
  • You can permanently delete your data at any time
  • Additional protection with Face ID/Touch ID or PIN code

1. Data Encryption

In Transit

All data transmitted between your device and our servers is encrypted using TLS 1.3, the latest industry standard. This means your food logs and symptom data are protected from interception while traveling across the internet.

At Rest

Your food logs and symptom data are encrypted using AES-256 encryption when stored in our databases. This encryption ensures that even if someone gained unauthorized access to our storage systems, your data would remain unreadable without the keys.

Backup Encryption

All backups are encrypted using the same standards as our primary storage, with encryption keys stored separately from the data itself.

2. Authentication & Access Control

🔐 No Passwords Stored

Phase uses modern authentication methods that eliminate traditional password vulnerabilities:

  • Single Sign-On (SSO): Sign in securely with Google or Apple, leveraging their advanced security infrastructure
  • One-Time Passwords: Email login uses time-limited codes sent to your verified email address—no passwords to remember or steal

Additional Security Layers: Once logged in, you can add extra protection to your data:

👤 Face ID / Touch ID

Use your device's biometric authentication for quick, secure access

🔢 PIN Code

Set a personal PIN code as an additional layer of protection

Session Management: Sessions expire automatically after periods of inactivity, requiring re-authentication to protect your data from unauthorized access.

Device Security: We leverage your device's secure storage APIs to protect authentication tokens and ensure your data remains private even if your device is compromised.

3. Infrastructure Security

Hosting Provider: We use enterprise-grade cloud infrastructure providers that maintain SOC 2, ISO 27001, and other industry certifications.

Data Centers: Your data is stored in secure data centers with 24/7 monitoring, biometric access controls, and redundant power and cooling systems.

Network Security: We employ firewalls, intrusion detection systems, and DDoS protection to safeguard our infrastructure.

Regular Updates: Our systems are regularly updated with the latest security patches and undergo continuous monitoring for vulnerabilities.

4. Data Retention & Deletion

Your Data, Your Control

  • Active Account Data: Your food logs and symptom data are retained as long as your account is active. You can delete individual entries or all data at any time.
  • Account Deletion: When you delete your account, all your personal data, food logs, and symptom history are permanently removed from our active systems within 24 hours.
  • Backup Retention: Deleted data may remain in encrypted backups for up to 30 days for disaster recovery purposes, after which it's permanently erased.
  • Export Options: You can export all your food and symptom logs in common formats before deletion, ensuring you always have access to your personal history.

5. Employee Access Policies

Zero Access Architecture: Our systems are designed so that employees cannot access your personal logs. Technical and organizational measures prevent unauthorized access.

Principle of Least Privilege: Employees only have access to systems necessary for their specific roles, with all access logged and regularly audited.

Background Checks: All employees with potential access to infrastructure undergo background checks and sign strict confidentiality agreements.

Security Training: Regular security awareness training ensures our team understands and follows best practices for data protection.

6. Third-Party Security

We carefully vet all third-party services for security practices and only work with providers that meet our standards:

  • All third parties sign data processing agreements with security obligations
  • We regularly review third-party security certifications and practices
  • Third parties cannot access your personal logs
  • We minimize data sharing to only what's necessary for service operation

7. Incident Response

Despite our best efforts, no system is 100% secure. We have a comprehensive incident response plan:

If a security incident occurs:

  1. We immediately investigate and contain the issue
  2. We assess the impact and determine affected users
  3. We notify affected users within 72 hours with clear information about the incident
  4. We provide guidance on any recommended actions
  5. We conduct a thorough post-incident review to prevent recurrence

8. Compliance & Audits

We maintain compliance with data protection regulations and undergo regular security assessments:

  • GDPR compliant for European users
  • CCPA compliant for California residents
  • Annual third-party security audits
  • Continuous automated vulnerability scanning
  • Regular penetration testing

🛡️ Responsible Disclosure

We welcome security researchers to help us maintain the highest security standards. If you discover a potential vulnerability:

  • Email us at security@phasediet.com
  • Include detailed steps to reproduce the issue
  • Allow us reasonable time to address the issue before public disclosure
  • We'll acknowledge your contribution (with your permission)

9. Security Questions?

If you have any questions about our security practices or need to report a security concern:

Security Team

Email: security@phasediet.com

For urgent security matters, please include "URGENT" in your subject line.