Security & data practices overview

Effective: June 12, 2026

Families share genuinely personal things inside HiDoula. Here is, in plain English, how we protect them — and the honest limits of any system.

Encryption in transit and at rest

All connections to HiDoula use TLS, and data stored by our managed infrastructure providers (Supabase for the database, Vercel for hosting) is encrypted at rest. Payments are handled by Stripe; card data goes directly to Stripe and never touches our servers.

Client-side encryption of care content

HiDoula is designed to minimize our access to user-created care content. Where supported, messages, birth plan text, and notes are encrypted on your device before they sync. The encryption keys live on your devices — not on our servers — so we do not intend to read that content in plaintext. The trade-off is real: if your keys are lost and no recovery method is available, that encrypted content may be unrecoverable.

What remains operational metadata

Some information has to be processed by our systems for the product to work: timestamps, due dates, appointment times, labor-status category, names, and who is connected to whom. This operational metadata is protected with access controls and encryption at rest, but it is not client-side encrypted. Our Privacy Policy describes exactly what falls in each bucket.

Who can see what

Care spaces are private to the people in them, enforced by row-level access rules in the database. Staff access is limited to operational data needed to run and support the service; we do not browse care content, and client-side encryption is designed to make plaintext access to that content unavailable to us where supported.

No trackers

There are no advertising trackers, behavioral analytics, or session-replay tools in the product.

Reporting a vulnerability

If you believe you have found a security issue, please tell us at security@hidoula.app. We read every report and appreciate responsible disclosure — include enough detail for us to reproduce the issue, and give us a reasonable window to fix it before sharing publicly.

Honest limits

  • Data on your own device may be accessible to anyone with access to your unlocked device — use a passcode and screen lock.
  • People you invite into a care space can see what you share with them.
  • No security or encryption system eliminates all risk.

Questions

Security questions: security@hidoula.app. Privacy questions: privacy@hidoula.app.