Security

Your health data is personal. We take its protection seriously and are committed to implementing strong security practices as we grow.

Encryption in Transit

All data transmitted between your device and our servers is encrypted using TLS. We enforce HTTPS across all connections.

Secure Authentication

User accounts are protected through Firebase Authentication with secure credential handling. We never store passwords in plain text.

Access Controls

We follow the principle of least privilege. Firestore security rules ensure users can only access their own data. Administrative access is tightly restricted.

Cloud Infrastructure

Our backend runs on Google Cloud (Firebase), which provides built-in DDoS protection, automatic security patches, and data redundancy.

Our Practices

  • All API secrets and credentials are stored using Google Cloud Secret Manager
  • Firestore security rules enforce strict per-user data isolation
  • We use write-only rules for public-facing form submissions to prevent data leakage
  • Dependencies are regularly updated to address known vulnerabilities
  • Source code and deployment artifacts exclude sensitive files (.env, source maps)
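
The per-user isolation described under Access Controls and the write-only form rules in the list above, shown as an added illustration rather than the app's actual ruleset; the collection names `users` and `formSubmissions` and the form field names are assumptions:

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Per-user isolation (assumed layout: one subtree per account, keyed by uid).
    // A signed-in user may read and write only documents under their own uid;
    // every other path falls through to Firestore's default deny.
    match /users/{userId}/{document=**} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Public-facing form submissions (assumed collection name).
    // Anyone may create a new submission, but no client may read, update or
    // delete, so submitted data can never be listed or read back from a browser.
    match /formSubmissions/{submissionId} {
      allow create: if request.resource.data.keys().hasOnly(['name', 'email', 'message'])
                    && request.resource.data.name is string
                    && request.resource.data.email is string
                    && request.resource.data.message is string
                    && request.resource.data.message.size() <= 2000;
      allow read, update, delete: if false;
    }
  }
}
```

Granting `create` rather than `write` is what makes the form collection write-only in practice: `write` would also let an anonymous client update or delete other people's submissions.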

Data Handling

  • Health data synced from HealthKit stays on your device unless you explicitly share it
  • We collect only the data necessary to provide our service
  • You can delete your account and all associated data at any time
  • We do not sell personal data to third parties

Responsible Disclosure

Found a potential security issue? We appreciate responsible disclosure. Please report it to support@nour.you and we will investigate promptly.

Our Commitment

As a young product, we are continuously improving our security posture. We are committed to transparency about our practices and will update this page as we implement additional measures.