1. Our approach
Security at Merios is designed in, not bolted on. Every system that touches your health data — from the moment a biomarker is parsed, to the long-term store that powers your score — is built around three principles: encrypt by default, collect the minimum, and never treat health data as a commercial asset.
Your health data belongs to you. We act as a custodian, not an owner. Everything that follows — our infrastructure choices, our retention windows, our disclosure posture — flows from that commitment.
2. Data encryption
All personal and health data is protected with industry-standard encryption at every layer:
- At rest: AES-256 encryption applied to the managed Postgres database provided by Supabase, including automated backups.
- In transit: TLS 1.3 for every client-to-server connection across our marketing site, API, and mobile app.
- Secrets: API keys and service credentials are stored as encrypted environment variables on Vercel and Supabase. They are never checked into source control and never exposed to the browser.
3. Infrastructure
Merios runs on two carefully scoped platforms, each chosen for its security posture:
- Marketing site — Deployed on Vercel with a global CDN, automatic HTTPS, and DDoS protection at the edge. The marketing site is fully statically generated and does not store user health data.
- Application database — EU-hosted managed Postgres on Supabase. Row-Level Security (RLS) is enforced on every table that stores user-scoped data, including waitlist_signups, newsletter_signups, and contact_inquiries. A user can only ever read or modify rows that belong to them.
- Backups — Daily automated backups are retained for a minimum of 7 days, with point-in-time recovery available for incident response.
4. Authentication
Account creation and authenticated sessions ship with the mobile app at launch. Until then, the marketing site exposes only non-authenticated forms — the waitlist, newsletter, and contact endpoints.
Every public form is rate-limited and CAPTCHA-protected at the middleware level to prevent abuse, credential stuffing, and automated scraping. Submissions are scoped to a single, purpose-specific table and never commingled with health data.
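The Row-Level Security model described in section 3 (a user can only read or modify their own rows) and the single-purpose public-form tables described just above, shown as Postgres policies. This is an added illustration, not Merios' own schema or policy set: the column names, the `user_id` ownership column, and the use of Supabase's `auth.uid()` helper and its `anon` / `authenticated` roles are assumptions made for the example.

```sql
-- Added example of Postgres Row-Level Security in the style Supabase uses.
-- Assumptions (not from the Merios page): a user_id column holds the Supabase auth user id,
-- auth.uid() returns the caller's id from the JWT, and anon/authenticated are the client roles.

-- A user-scoped table: every row has an owner.
create table if not exists contact_inquiries (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid(),  -- owner defaults to the caller
  message    text not null,
  created_at timestamptz not null default now()
);

-- 1. Turn RLS on. With RLS enabled and no policies, client roles see no rows at all;
--    every policy below is an explicit grant of visibility, not a restriction.
alter table contact_inquiries enable row level security;

-- 2. Owners may read only their own rows (USING filters existing rows).
create policy "owner can read"
  on contact_inquiries for select
  to authenticated
  using (auth.uid() = user_id);

-- 3. Owners may insert rows only as themselves (WITH CHECK validates the new row).
create policy "owner can insert"
  on contact_inquiries for insert
  to authenticated
  with check (auth.uid() = user_id);

-- 4. Owners may update only their own rows and cannot hand them to another user:
--    USING selects which rows are reachable, WITH CHECK constrains the updated row.
create policy "owner can update"
  on contact_inquiries for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "owner can delete"
  on contact_inquiries for delete
  to authenticated
  using (auth.uid() = user_id);

-- A public-form table: anonymous visitors may submit, but the anon role has no
-- select policy, so submissions cannot be read back or enumerated from the browser.
create table if not exists waitlist_signups (
  id         bigint generated always as identity primary key,
  email      text not null,
  created_at timestamptz not null default now()
);

alter table waitlist_signups enable row level security;

create policy "anon may submit"
  on waitlist_signups for insert
  to anon
  with check (true);
-- Note: an INSERT ... RETURNING from the anon role will fail here, because RETURNING
-- needs select privilege on the row; insert without RETURNING from the public form.

-- Review checks: confirm RLS is actually enabled on each table and list the policies.
select relname, relrowsecurity, relforcerowsecurity
  from pg_class
 where relname in ('contact_inquiries', 'waitlist_signups');

select tablename, policyname, cmd, roles, qual, with_check
  from pg_policies
 where tablename in ('contact_inquiries', 'waitlist_signups')
 order by tablename, policyname;
```

Two caveats worth checking in any review of a setup like this: RLS does not apply to the table owner or to roles with `BYPASSRLS` (in Supabase the `service_role` key is such a role), so server-side code holding that key must enforce ownership itself; and a table with RLS enabled but no policies for a role is closed to that role, so a missing policy shows up as "no rows" rather than as an error, which is easy to mistake for an empty table.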
5. Data retention & deletion
You can request deletion of any personal data we hold about you at any time. There is no cost, no justification required, and no retention carve-out for marketing purposes.
- Submit a deletion request through our contact form with type General.
- Primary deletion from production systems is completed within 30 days of your request.
- Backups containing the deleted data are purged on a rolling 30-day cycle after the primary deletion, ensuring complete removal within roughly 60 days in the worst case.
- Data we are legally required to retain (e.g. transactional records for tax purposes) is isolated and retained only for the minimum statutory period.
6. Third-party services
Every vendor in our stack is listed below. We do not use ad networks, analytics resellers, or data brokers.
- Vercel — Hosts the marketing site (static assets, edge middleware). No health data is processed or stored here.
- Supabase — EU-hosted application database and backend. Stores user-scoped records under Row-Level Security.
- OpenAI — Powers AI-generated health insights under a zero-retention policy. Prompts and completions are not stored by OpenAI and not used for model training. See our Privacy Policy for full detail.
- RevenueCat — Subscription billing and receipt validation, active once the Merios mobile app ships. PCI-DSS compliant, with no access to health data.
- Apple HealthKit — Optional on-device integration the user explicitly grants. Data stays on the user's device and is synced only to categories the user has approved.
7. Breach notification
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours of detection, as required by GDPR Article 33.
Notifications will describe the nature of the breach, the categories of data involved, the likely consequences, and the remediation steps we have taken. Notifications are sent to the email address on file and, where appropriate, surfaced in-app.
8. Responsible disclosure
We welcome security research. If you believe you have found a vulnerability in any Merios property, please report it to security@merios.life with as much detail as possible — affected endpoint, reproduction steps, and impact.
We will not pursue legal action against researchers acting in good faith under standard responsible-disclosure practices, which means:
- Do not access, modify, or delete data beyond what is strictly necessary to demonstrate the issue.
- Do not exfiltrate data beyond a minimal proof-of-concept sufficient to show impact.
- Give us a reasonable period — typically 90 days — to investigate and remediate before any public disclosure.
- Do not run denial-of-service, social-engineering, or physical attacks against our staff or infrastructure.
We will acknowledge receipt of your report within 3 business days and provide a status update within 10.
9. Compliance
GDPR. Merios is GDPR-compliant for users in the European Union. The data controller is Merios LLC. Our legal bases for processing are consent and contract performance — see the Privacy Policy for full detail, including your rights of access, rectification, erasure, portability, and objection.
HIPAA. Merios is not currently a HIPAA covered entity. We are progressively aligning our operations with HIPAA-style controls — encryption at rest and in transit, role-based access controls, audit logging, and the minimum necessary access principle — so that covered-entity partnerships are possible as the app matures.
10. Contact
For security issues and vulnerability reports: security@merios.life.
For general data questions, deletion requests, or compliance inquiries, please use our contact form.