Security Policy

1. Authentication & Access

• Secure authentication via Supabase Auth with email/password or OAuth providers
• Session tokens with automatic expiration and refresh
• Row-Level Security (RLS) policies ensure users can only access their own data

2. Data Protection

• All data transmitted over HTTPS (TLS 1.3)
• Data at rest encrypted using AES-256
• Database hosted on Supabase with automatic backups
• Uploaded images processed securely and not publicly accessible

3. AI Processing

Screenshots are processed using Google's Gemini AI to extract step counts. Images are transmitted securely and processed in real-time. We do not use your images to train AI models.

4. Verification System

Our AI verification system attempts to validate step counts from submitted screenshots. While we strive for accuracy, automated verification is not infallible. League admins can review and flag submissions for manual verification if needed.

5. Reporting Security Issues

If you discover a security vulnerability, please report it through our feedback form. We take all security reports seriously and will respond promptly.