Trust & Safety

Security at Calorie0

We take the security of your personal and health data seriously. This page explains the technical and organisational measures we have in place to protect your information.

Passwords never stored in plain text

All passwords are hashed using bcrypt with a per-user salt before being stored. We never have access to your actual password — not even our own engineers.

All data encrypted in transit

Every connection to Calorie0 is encrypted using TLS 1.2 or higher (HTTPS). Plain HTTP requests are automatically redirected to HTTPS. This applies to our API, web app, and all third-party service connections.

Database encrypted at rest

Your data is stored in Supabase (built on AWS), which encrypts all data at rest using AES-256. This means your data is protected even if physical storage were ever compromised.

Row-Level Security (RLS)

Our database enforces row-level security, meaning every query is scoped to your user ID. Even a misconfigured query cannot return another user's data. Direct client access to the database is fully revoked — all reads and writes go through our authenticated server layer.

Email OTP verification

Verification codes (OTPs) sent to your email are hashed before storage — the plain code is never saved. Each OTP expires in 10 minutes and is limited to 3 attempts before it is invalidated. A new code must be requested after 3 failed attempts.
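The OTP handling described above (hash before storage, 10-minute expiry, 3 attempts then invalidation) as an added illustration. This is example code, not Calorie0's implementation: it assumes a six-digit code, a per-code random salt with SHA-256 as the hash, and an in-memory store standing in for the real database table; the clock is injectable so the expiry path can be exercised.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 10 * 60   # expiry stated on the page
OTP_MAX_ATTEMPTS = 3        # attempt limit stated on the page


@dataclass
class OtpRecord:
    salt: bytes
    code_hash: bytes
    issued_at: float
    attempts: int = 0
    invalidated: bool = False


class OtpStore:
    """In-memory OTP store (assumption: production would use a database table keyed by user)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records: dict[str, OtpRecord] = {}

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        # Per-code random salt plus SHA-256 (an assumption); the plaintext code is never stored.
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, email: str) -> str:
        # Six-digit numeric code is an assumption about the delivery format.
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._records[email] = OtpRecord(
            salt=salt, code_hash=self._hash(code, salt), issued_at=self._clock()
        )
        return code  # returned only so the caller can email it; never persisted

    def verify(self, email: str, submitted: str) -> str:
        rec = self._records.get(email)
        if rec is None or rec.invalidated:
            return "no_active_code"
        if self._clock() - rec.issued_at > OTP_TTL_SECONDS:
            rec.invalidated = True
            return "expired"
        rec.attempts += 1
        # Constant-time comparison of the hashes avoids leaking how many bytes matched.
        if hmac.compare_digest(self._hash(submitted, rec.salt), rec.code_hash):
            rec.invalidated = True  # single use: a verified code cannot be replayed
            return "ok"
        if rec.attempts >= OTP_MAX_ATTEMPTS:
            rec.invalidated = True  # third failure locks the code; a new one must be requested
            return "locked"
        return "wrong"
```

Every outcome invalidates the record except a plain wrong guess below the limit, so a locked or expired code cannot be retried and the only path forward is issuing a fresh one.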

Google OAuth

If you sign in with Google, Calorie0 never sees your Google password. Authentication is handled entirely by Google's OAuth 2.0 infrastructure. We receive only the profile information you authorise (name and email) via a secure token.

Session management

Sessions are managed by Supabase Auth with short-lived access tokens and rotating refresh tokens. If you suspect your account has been compromised, sign out from your current session immediately and contact us at hello@calorie0.com. We are working on adding a 'sign out all devices' feature.

Bot and abuse protection

All signup and login endpoints are protected by Cloudflare Turnstile (CAPTCHA) and server-side rate limiting. Repeated failed attempts trigger automatic lockouts to protect your account.

API security

All API endpoints require authentication via short-lived JWT tokens. Tokens are validated server-side on every request. API keys and secrets are stored as environment variables and never exposed to the client.

What you can do to stay secure

  • Use a strong, unique password not used on any other site.
  • Never share your login credentials or OTP codes with anyone — including people claiming to be Calorie0 staff. We will never ask for your password.
  • If you use Google sign-in, keep your Google account secure with 2-factor authentication.
  • Log out of Calorie0 on shared or public devices.
  • If you receive a suspicious email claiming to be from Calorie0, do not click any links — forward it to hello@calorie0.com.

Responsible Disclosure

We welcome reports from security researchers and members of the public. If you discover a vulnerability in Calorie0, please report it to us before disclosing it publicly so we can investigate and remediate it.

How to report: Email hello@calorie0.com with the subject line "Security Vulnerability". Include:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce, including any relevant URLs, parameters, or payloads.
  • Your contact details (optional, but helpful for follow-up).

We commit to acknowledging your report within 48 hours, providing a status update within 7 days, and notifying you when the issue is resolved. We ask that you do not exploit the vulnerability, access other users' data, or disclose the issue publicly until we have had a reasonable opportunity to fix it.

We do not currently offer a formal bug bounty programme, but we genuinely appreciate responsible disclosures and will acknowledge your contribution if you wish.

For security concerns, account compromise, or vulnerability reports, contact us at hello@calorie0.com.
