Security

Your data security is our top priority. Here is how VitaPulse protects your information at every level.

Encryption & Transport
All communications between your browser and VitaPulse are encrypted using TLS (HTTPS). Passwords are hashed with bcrypt before storage — we never store plaintext passwords. Session cookies are set with the HttpOnly and SameSite attributes to protect against cross-site attacks.

Data Storage
Your data is stored in MongoDB databases hosted in Europe. We collect only the minimum data necessary to provide the service: your email, hashed password, and scan results. Scan data belongs to you — we never use it for advertising, analytics, or any purpose other than delivering your audit results.

Access Control
Every API endpoint is protected by authentication middleware. All actions are verified for ownership — you can only access your own projects and scans. Associate access is strictly limited to shared projects with read-only permissions on settings. Rate limiting protects all endpoints against abuse.

Security Practices
VitaPulse applies industry security best practices: HTTP security headers via Helmet (CSP, HSTS, X-Frame-Options), input validation and HTML escaping on all user inputs, CORS restricted to authorized domains, and rate limiting by endpoint category (authentication, scans, general API).

Privacy First
We never sell your data. We do not track you with advertising cookies. We do not share your information with third parties. Your scan results, project data, and personal information are yours alone. Read our Privacy Policy for full details.