Where Your Data Lives
Your data never sits on a personal device or local server. It lives in a purpose-built, enterprise-grade cloud infrastructure.
All infrastructure is hosted on Supabase, powered by Amazon Web Services (us-east-1). Supabase holds SOC 2 Type II certification, meaning its security controls have been independently audited and verified.
How Your Data is Protected
Four layers of security work together to protect every piece of data you share with Street TLT.
Encryption at Rest
AES-256 encryption is applied to all database rows. Your health metrics, daily logs, and personal data are encrypted before they ever touch storage.
Encryption in Transit
All data travels over TLS 1.3. Between your device and our servers, your information cannot be intercepted or read by any third party.
Row-Level Security
Your data is isolated by your unique user ID at the database level. No other user — and no coach without explicit authorization — can access your records.
Trainer Access Controls
Only your explicitly assigned trainer can view your data. All coach access is logged, auditable, and can be revoked by you at any time through Profile settings.
What We Never Do
These are absolute commitments — not marketing language.
- We never sell your data to advertisers, data brokers, or any third party
- We never share your health information with insurance companies or employers
- We never use your personal data for advertising targeting or profiling
- We never store your payment card information — Stripe handles all billing with PCI DSS Level 1 certification
Health Data Handling
Your health logs — weight entries, calorie data, sleep records, stress scores — exist for one purpose: to power your personalized coaching experience within Street TLT.
Anonymized, aggregated data (with all personal identifiers removed) may be used for platform research to improve coaching methodologies. You will always be notified of any research use of your data and may opt out at any time by contacting privacy@streettlt.com.
We do not use your individual health data for any purpose outside your coaching experience without your explicit consent.
Your Control
You maintain full ownership and control of your data at all times.
- Export your data at any time via Data Export in your Profile settings. Receive a full copy of all your health logs and account data.
- Delete your account and all associated data. Deletion is completed within 30 days of your request with confirmation sent by email.
- Revoke trainer access at any time through Profile settings. Access is removed immediately upon revocation.
- Any data request can be submitted to privacy@streettlt.com. We respond within 30 days.
Our Commitments to You
- Breach notification within 72 hours. If a security incident affects your data, we will notify you within 72 hours of discovery — not weeks later.
- Regular security audits. We conduct periodic security reviews of our infrastructure, access controls, and data handling practices.
- We never have access to your password. Supabase Auth handles all authentication using bcrypt hashing. Your password is never stored in recoverable form — not even by us.
Third-Party Services We Use
We maintain a minimal, deliberately limited set of third-party integrations. Below is a complete list of vendors with access to any portion of your data.
| Service | Purpose | Data Shared | Certification |
|---|---|---|---|
| Supabase | Database & authentication | Account info + health data | SOC 2 Type II |
| Stripe | Payment processing | Email + payment info only | PCI DSS Level 1 |
No other third-party services have access to your health data. We do not use analytics platforms, advertising networks, or data enrichment services that touch personal health information.
Questions About Your Data?
Our privacy team is reachable directly. We do not route data inquiries through general support — privacy questions go straight to the people responsible for it.
privacy@streettlt.com
Street TLT LLC | streettlt.com