Trust & Security
Last updated: April 24, 2026
LVL-5 LIFE exists to help you transform. That only works if you trust us with your data — your coaching conversations, your goals, your health metrics, and (if you choose) your financial accounts. This page is the plain-English version of how we handle that responsibility.
If something here is unclear or missing, email privacy@gynergy.com. If you find a security issue, email security@gynergy.com and see our security policy.
Our commitments
- Transparency over jargon. We tell you what we collect, why, and who processes it. You'll find the full list below.
- Your data, your call. Export everything we have about you at any time. Delete your account at any time. We honor both within 30 days.
- 72-hour breach notice. If something happens that affects your data, we will tell you within 72 hours of confirmation — not 60 days later when regulation requires it.
- No surprise sub-processors. The list on this page is it. When we add someone, we update this page before the change goes live.
- Your coaching data isn't training data. We do not sell your data. We do not share your data with advertisers. Your conversations with ARIA are not used to train third-party AI models — we use zero-retention API endpoints where available and disclose the posture below.
What we collect and why
Account basics — email, name, password (managed by Clerk, not stored by us). Needed to create your account.
Coaching data — your ARIA conversations, assessment responses, goals, and reflections. Used to give you relevant coaching. Stored in our Supabase database in the US.
Health-adjacent data — sleep, stress, energy, recovery, exercise targets if you choose to track them. This is wellness data, not medical data. LVL-5 LIFE is not a medical service and nothing here is medical advice.
Financial data (LEDGER, optional) — if you link a bank account via Plaid, we store encrypted access tokens (not your login), account names, balances, and transaction records for your personal view. Your bank credentials never touch our servers. You can disconnect at any time.
Payment data — Stripe handles all card details. We store a customer ID and subscription status, never card numbers or CVCs.
Usage data — pages viewed, features used, errors encountered. Kept pseudonymously where possible. Used to improve the product and fix bugs.
Sub-processors
We work with the following companies to deliver the platform. Each is held to its own security commitments, most of which are independently audited (SOC 2).
| Provider | Purpose | Region | Certification |
|---|---|---|---|
| Supabase | Primary database (Postgres) and file storage | United States (AWS us-east-1) | SOC 2 Type II |
| Vercel | Application hosting and edge network | Global edge, primary compute in United States | SOC 2 Type II |
| Clerk | Authentication and user identity | United States | SOC 2 Type II |
| Stripe | Payment processing (cards never touch our servers) | United States | SOC 2 Type II |
| Plaid | Financial account linking for LEDGER (optional feature) | United States | SOC 2 Type II |
| Anthropic | Claude models powering ARIA coaching and ATHENA | United States | SOC 2 Type II |
| OpenAI | GPT models for select features | United States | SOC 2 Type II |
| Sentry | Error monitoring (PII scrubbed before send) | United States | SOC 2 Type II |
| PostHog | Product analytics and feature flags | United States | SOC 2 Type II |
| Resend | Transactional email delivery | United States | SOC 2 Type II |
| UploadThing | User-uploaded file storage | United States | SOC 2 Not public |
How your data is protected
- Encryption in transit. Every connection to LVL-5 LIFE is TLS 1.2+ with HSTS enforced in production.
- Encryption at rest. Disk-level encryption on our Supabase database (AES-256) and Vercel storage. Sensitive columns (Plaid access tokens) are additionally encrypted at the application layer.
- Access controls. Clerk-managed authentication with session cookies using
SameSite=lax. Admin routes require elevated role and are audit-logged. Founder accounts enforce phishing-resistant passkey authentication. - Row Level Security. Our database enforces row-level ownership checks so one user's data cannot be accessed by another user's session.
- Content Security Policy. Strict CSP limits which scripts can run on our pages, reducing the impact of any script injection.
- Rate limiting. API endpoints are rate-limited per IP and per user to limit abuse and credential-stuffing attempts.
- Error monitoring with PII scrubbing. We use Sentry to catch bugs, and we strip personal data from error reports before they leave our servers.
- Audit logging. Sensitive actions — admin logins, payment changes, data exports, data deletions — are recorded to an audit log.
AI and your data
ARIA is our AI coaching companion. Because AI handles sensitive conversations, we hold it to a higher standard than typical product telemetry.
- User-scoped retrieval. ARIA can only retrieve conversations and context for the user it is currently serving. Cross-user access is blocked at the database layer.
- No training on your data. We use Anthropic and OpenAI API endpoints with provider-documented retention policies. Where zero-retention options are available, we use them. We do not fine-tune public models on your data.
- Model transparency. ARIA is primarily powered by Anthropic's Claude family (Sonnet and Opus tiers, depending on the task). We disclose this rather than obscure it.
- Red-team tested. We run prompt-injection and cross-user isolation tests against ARIA as part of our release process.
Data retention
- Active account data. Kept for as long as your account is active.
- After you delete your account. 30-day grace period (in case you change your mind), then your personal data is permanently removed from our primary systems.
- Backups. Database backups are retained for 30 days for disaster recovery. After that, deleted data is removed from backups through normal rotation.
- Plaid connections. When you disconnect a financial account, we revoke the token with Plaid within 24 hours and retire the stored token.
- Logs and metrics. Operational logs kept 30-90 days depending on system. Aggregate metrics (no PII) may be kept indefinitely.
- Payment records. Retained by Stripe per financial compliance requirements.
Your rights
You can always:
- See what we have about you. Request a full data export from Account Settings → Privacy.
- Delete your account. Account Settings → Delete Account. 30-day grace period, then permanent.
- Correct inaccurate data. Edit from your profile, or email privacy@gynergy.com.
- Opt out of non-essential analytics. We respect Do Not Track and GPC signals. CCPA residents: you can use the "Do Not Sell or Share" link in the footer even though we do not sell your data.
- Limit use of sensitive personal information. California residents have the right to limit our use of sensitive categories (health, financial, precise location). Email privacy@gynergy.com.
Where we serve users
LVL-5 LIFE is currently available to users in the United States. We're not serving European Union or UK residents at this time while we complete our GDPR readiness work. If you're in the EU/UK and want to be notified when we launch there, email hello@gynergy.com.
Certifications and audits
- SOC 2 Type I — in progress. Target report: Q3 2026. Run via a third-party CPA partner.
- External penetration test — scheduled for Q2 2026. Scope includes authentication, payment flows, ARIA AI surface, and admin privilege boundaries.
- HIPAA — we are not a covered entity. LVL-5 LIFE is a wellness and coaching platform, not a medical service. We are architecting toward HIPAA readiness in case we partner with a clinical provider in the future.
- CCPA / CPRA — we honor California residents' rights as described above.
- FTC Health Breach Notification Rule — we are subject to the 2024 expanded rule and have a breach notification runbook with 60-day regulatory and 72-hour user commitments.
Service status
Live service status and incident history: status.lvl5.life. (Coming online during beta — subscribe there for incident notifications.)
Reporting a security issue
See our security policy for scope, safe harbor, and disclosure timelines. Email security@gynergy.com. We'll acknowledge within two business days.
Researcher hall of fame
Security researchers who have responsibly disclosed issues to us will be listed here (with their consent). Thank you to everyone who helps keep LVL-5 LIFE safe for the people building their best lives here.
Questions
Privacy questions: privacy@gynergy.com
Security issues: security@gynergy.com
Anything else: hello@gynergy.com