This page describes what actually protects your data in Salve today, and what is still in progress. We would rather under-promise than describe a protection that is not fully in place yet.
Your records are stored in a Supabase PostgreSQL database. Every table has row-level security scoped to your authenticated account, so normal in-app reads and writes can only ever touch your own rows. The most sensitive health tables additionally require a higher authentication level (AAL2) at the database layer for accounts that have set up two-factor authentication, so a stolen lower-level session token cannot read that data directly.
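One way the database-layer rule described above can be written in Supabase, shown as an added example and not Salve's actual schema. The table `health_entries`, its columns, and the policy names are assumptions; `auth.uid()`, `auth.jwt()` and `auth.mfa_factors` are Supabase's own.

```sql
-- Hypothetical table standing in for one of the sensitive health tables.
create table if not exists public.health_entries (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null default auth.uid()
             references auth.users (id) on delete cascade,
  body       text not null,
  created_at timestamptz not null default now()
);

alter table public.health_entries enable row level security;

-- Permissive policy: a signed-in user can read and write only rows they own.
create policy "owner can access own rows"
  on public.health_entries
  for all
  to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

-- Restrictive policy: ANDed with the permissive one above.
-- If the account has a verified MFA factor, the session JWT must carry
-- aal = 'aal2'; accounts without MFA may still use an aal1 session.
create policy "mfa accounts need aal2"
  on public.health_entries
  as restrictive
  for all
  to authenticated
  using (
    array[(select auth.jwt() ->> 'aal')] <@ (
      select case
               when count(f.id) > 0 then array['aal2']
               else array['aal1', 'aal2']
             end
      from auth.mfa_factors f
      where f.user_id = (select auth.uid())
        and f.status = 'verified'
    )
  );
```

Because the second policy is restrictive, a password-only (aal1) token for an account that has enrolled two-factor authentication matches the ownership policy but still gets zero rows back from this table.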
The first time you sign in, you set a passphrase only you know and save 24 backup words. From then on, when you add something to one of the protected sections, your browser locks it with your passphrase before it is sent to us, and the locked version is what we store. We cannot unlock it, reset your passphrase, or recover it for you.
To be honest about where this stands: while we finish migrating the app onto this lock, newly added entries in those sections are also still kept in their older readable form for now, so the rest of the app keeps working. Anything you added before you set up the lock stays in the older form until a later cleanup step. The protection is real and grows with every release, but it does not yet cover all of your older data.
Two-factor authentication with a TOTP authenticator app is available under Settings, Security. One-time email codes have escalating brute-force cooldowns. If you lose your authenticator, recovery is by email to salveapp@proton.me with a deliberate cooling-off period of 5 business days, so that someone who has only taken over your email cannot quickly bypass the second factor.
AI features only run with your explicit, revocable consent. By default your profile text is pseudonymized before it is sent (names, contact details, and similar identifiers are reduced). The two AI providers differ on training: per Google's terms, free-tier Gemini requests can be used to improve Google's models; per Anthropic's terms, premium Claude requests are not used for training. Pseudonymization lowers exposure but is not a zero-retention guarantee, and we do not claim one. See Methodology and Transparency.
Crash reporting (Sentry) drops request bodies, scrubs known health fields and free-text user data, and drops local variables and console breadcrumbs before anything is sent. Product analytics is self-hosted in your own database as a strict allowlist of event names only, with no properties, no third-party analytics vendor, and no ad or cross-site identifiers.
You can erase all your data or permanently delete your account yourself in Settings. Account deletion cascades across every table and cancels any active subscription. It cannot be reversed.
Salve is a personal health record app, not a HIPAA covered entity, so the FTC Health Breach Notification Rule is the federal rule that applies to a breach of identifiable health data here. Our commitment: assess scope, revoke affected tokens, notify affected users (within the timelines that rule and any stricter state law require), patch, and publish a post-mortem.
If you find a security issue, please email salveapp@proton.me. We read every report and will not pursue good-faith security research.