
Security: AndreaBonn/LifeTrackByBonn


Security Policy

Life Tracker by Bonn

Italian version | README


🔒 Security Overview

Life Tracker takes security and privacy seriously. This document outlines our security practices, how we protect your data, and how to report security vulnerabilities.


🛡️ Security Measures

Authentication

  • Firebase Authentication — Industry-standard authentication system
  • Email verification — Required for account activation
  • Secure password storage — Passwords are hashed and never stored in plain text
  • Session management — Automatic session expiration and secure token handling

Data Protection

  • Encryption in transit — All data is transmitted over HTTPS
  • Encryption at rest — Data stored in Firebase Firestore is encrypted
  • User isolation — Each user can only access their own data
  • Firestore Security Rules — Advanced rules prevent unauthorized access
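To make the "user isolation" point concrete, here is an added illustration of how Firestore Security Rules enforce that each signed-in, email-verified user can only reach documents under their own uid. This is example code written for this page, not the project's actual ruleset; the `users/{uid}/...` collection layout and the `weightEntries` subcollection are assumptions, while `request.auth.uid` and the `email_verified` token claim are standard Firebase Authentication fields.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak pattern (shown commented out): any signed-in user can read and
    // write every document, so one account could read another user's health
    // data. Nothing here provides isolation.
    //
    // match /{document=**} {
    //   allow read, write: if request.auth != null;
    // }

    // The caller must be signed in and must be the owner of the subtree.
    function isOwner(uid) {
      return request.auth != null && request.auth.uid == uid;
    }

    // Mirrors the "email verification required for activation" measure:
    // unverified accounts get no data access at all.
    function hasVerifiedEmail() {
      return request.auth.token.email_verified == true;
    }

    // Assumed layout: every user document and all of its subcollections live
    // under /users/{uid}. The recursive wildcard covers the whole subtree, so
    // anything outside a caller's own uid is denied.
    match /users/{uid}/{document=**} {
      allow read, write: if isOwner(uid) && hasVerifiedEmail();
    }

    // Server-side validation for one assumed subcollection: a weight entry
    // must carry a positive numeric weight and a timestamp, and the uid field
    // stored in the document must match the path so it cannot be spoofed.
    match /users/{uid}/weightEntries/{entryId} {
      allow create: if isOwner(uid) && hasVerifiedEmail()
        && request.resource.data.keys().hasAll(['weight', 'recordedAt', 'uid'])
        && request.resource.data.weight is number
        && request.resource.data.weight > 0
        && request.resource.data.recordedAt is timestamp
        && request.resource.data.uid == uid;
    }
  }
}
```

Firestore denies any request that no `match` block explicitly allows, so the two blocks above are the complete allow-list; a request for `/users/<someone-else>/...` falls through and is rejected before any data is read. The rules can be exercised offline against the Firebase Local Emulator Suite, which is the practical way to check that a cross-user read is refused.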

Infrastructure

  • Firebase Hosting — Secure, scalable hosting with automatic SSL certificates
  • Cloud Functions — Backend logic runs in isolated, secure environments
  • European data centers — Data stored in Europe (region: europe-west1)
  • Regular updates — Dependencies and libraries are kept up to date

Application Security

  • Input validation — All user inputs are validated on both client and server
  • XSS prevention — HTML sanitization to prevent cross-site scripting attacks
  • CSRF protection — Firebase Authentication provides built-in CSRF protection
  • Rate limiting — Protection against brute-force attacks and abuse
  • Audit logging — Critical operations are logged for security monitoring

πŸ” Data Privacy

What data we collect

Life Tracker collects only the data you explicitly provide:

  • Account information: Email, name, profile details
  • Health data: Weight, sleep, calories, steps, vital parameters, meals, medications
  • Usage data: Timestamps, device information (for sync purposes)

What we DON'T collect

  • ❌ We do NOT track your browsing behavior
  • ❌ We do NOT sell your data to third parties
  • ❌ We do NOT use your data for advertising
  • ❌ We do NOT share your data without your consent

Data storage

  • All data is stored in Firebase Firestore (Google Cloud)
  • Data is stored in European data centers (region: europe-west1)
  • Data is encrypted at rest and in transit
  • You can export or delete your data at any time

Third-party integrations

Life Tracker integrates with:

  • Google Fit (optional) — Only if you explicitly authorize it
  • Telegram (optional) — Only if you provide your bot token and chat ID

These integrations are opt-in and can be disconnected at any time.


🚨 Reporting Security Vulnerabilities

If you discover a security vulnerability in Life Tracker, please report it responsibly.

How to report

  1. DO NOT open a public issue on GitHub
  2. Contact me directly via GitHub profile or email
  3. Provide details: Description, steps to reproduce, potential impact
  4. Wait for response: I will acknowledge your report within 48 hours

What to expect

  • Acknowledgment within 48 hours
  • Investigation and assessment of the vulnerability
  • Fix deployed as soon as possible (depending on severity)
  • Credit in the acknowledgments section (if you wish)

Responsible disclosure

Please allow reasonable time for the vulnerability to be fixed before public disclosure. I appreciate your cooperation in keeping Life Tracker secure for all users.


πŸ” Security Best Practices for Users

To keep your account secure:

  • ✅ Use a strong, unique password (at least 8 characters, mix of letters, numbers, symbols)
  • ✅ Verify your email after registration
  • ✅ Log out when using shared devices
  • ✅ Don't share your password with anyone
  • ✅ Enable two-factor authentication (if available in the future)
  • ✅ Keep your browser updated for the latest security patches

📋 Security Checklist

Life Tracker implements the following security measures:

  • HTTPS encryption for all connections
  • Firebase Authentication with email verification
  • Firestore Security Rules for data isolation
  • Input validation and sanitization
  • XSS and CSRF protection
  • Rate limiting on sensitive operations
  • Audit logging for critical actions
  • Regular dependency updates
  • Secure password storage (hashed)
  • Session management and automatic expiration
  • European data centers (GDPR compliant)
  • Data export and deletion capabilities

🔄 Security Updates

Security updates are deployed automatically:

  • Critical vulnerabilities: Fixed within 24-48 hours
  • High-priority issues: Fixed within 1 week
  • Medium-priority issues: Fixed within 2 weeks
  • Low-priority issues: Fixed in the next regular update

Users are automatically updated when they reload the application (PWA auto-update).


📜 Compliance

Life Tracker is designed with privacy and security in mind:

  • GDPR compliant — Data stored in European data centers
  • Data portability — Export your data in CSV format
  • Right to deletion — Delete your account and all data at any time
  • Transparency — Clear information about data collection and usage

📞 Contact

For security-related questions or concerns:

  • GitHub: @AndreaBonn
  • Security issues: Contact me directly via GitHub profile

For general support, see the README.


🙏 Acknowledgments

I would like to thank the security researchers and users who have helped improve Life Tracker's security.

If you have reported a vulnerability and would like to be acknowledged, please let me know.


Last updated: January 2025

© 2025 Andrea Bonacci — All Rights Reserved
