
Security

Your cycle data is personal. Here's exactly how we protect it.

Your data is encrypted before it leaves your device

When you set your PIN, Lunarosa derives an encryption key on your device using PBKDF2 with 200,000 iterations of SHA-256. Your health data — period dates, flow, symptoms, notes — is encrypted locally with AES-GCM before being sent to our servers. We store ciphertext. We cannot read it. Period.

Zero-knowledge architecture

We never see your decrypted health data. Not our engineers, not our servers, not anyone. The only way to decrypt your data is with your PIN or recovery key — and we don't have either of those.

We don't sell your data

No advertisers, no data brokers, no "anonymous" data sharing. We make money through optional Premium subscriptions, not by monetizing your information. Your data is not the product.

No third-party tracking

No marketing analytics, no ad pixels, no session replay, no behavioral tracking. The marketing pages set no tracking cookies and load no third-party scripts. Crash reporting (Sentry) only operates inside the authenticated app, with health-data routes filtered out. The full list of service providers is on the subprocessors page.

Authentication security

Your email is hashed with HMAC-SHA256 before storage — we don't store plaintext emails in our database. Login uses short-lived magic links and one-time verification codes. All connections use HTTPS with TLS 1.3.

Infrastructure

Lunarosa runs on Vercel. The production database is in São Paulo (Brazil); static assets are cached at edge nodes globally. Data at rest is encrypted. We use a strict Content Security Policy without unsafe-inline for scripts, HSTS with includeSubDomains, secure HTTP-only cookies, and short-lived JWT sessions. Automated security scanning (Semgrep) runs on every commit.

You can delete everything

Account deletion removes all your data permanently — encrypted health records, authentication methods, billing information, everything. There's no "soft delete" or hidden archive. When it's gone, it's gone.

Questions about security? Reach us at support@lunarosa.app
