Security
Last updated: May 2026
Security isn't something we bolted on after the fact. We designed around it from the start. Here's what we do to keep your data safe.
Encryption in transit
All communication between WithYou and our servers happens over HTTPS with TLS. Your data is never sent over an unencrypted connection.
Infrastructure
WithYou runs on Supabase, which provides a managed Postgres database with row-level security (RLS). RLS policies ensure that each user can only access data belonging to their own paired relationship. The policies are enforced on the server by the database itself, so access control does not rest on application logic alone.
Authentication
Authentication is handled by Supabase Auth. Passwords are never stored in plain text. We use secure session tokens with appropriate expiry. You can sign out of all devices from your profile settings.
Data minimisation
We only store what you put in. We don't collect device identifiers, IP address logs, or behavioural data. We hold no data that we don't need.
Data deletion
Deleted content is removed immediately, not soft-deleted or archived. When you delete your account from your profile page, every record associated with your account is permanently purged from our database. There is no recovery.
Analytics
We use Google Analytics in anonymous mode to understand aggregate device and platform usage. We do not collect personal identifiers through analytics. IP addresses are anonymised before any data is recorded.
No telemetry
We do not collect crash reports, usage telemetry, or in-app event tracking beyond anonymous aggregate analytics. We have no instrumentation that can be tied back to a specific user or session.
Responsible disclosure
If you discover a security vulnerability, please report it responsibly to hello@withyou.app before disclosing it publicly. We'll respond within 48 hours and work with you to address it.