Security
Data Security Requirements
This page describes LifeSync's general data security approach for the website and app features found in the current codebase.
Security posture
LifeSync uses Firebase Authentication and Firestore for account-based cloud sync, plus local storage for settings, device IDs, OAuth credentials, and cached health/screen-time data. Because the app processes health, calendar, task, app usage, and productivity data, security controls should treat this information as sensitive.
Security controls
- Use Firebase Authentication for account access and require authentication before reading or writing user data.
- Store OAuth/calendar credentials in secure local storage, not in Firestore.
- Protect device-local databases and preferences with operating-system controls where available.
- Request Health Connect, Apple Health, notification listener, app usage, overlay, and calendar permissions only for the related feature.
- Keep Firebase rules restrictive. The reviewed Firestore rule allows any authenticated user to read/write any document, so it should be narrowed to per-user access before production use.
- Use TLS/WSS for production API and WebSocket endpoints. The current WebSocket config uses local ws:// endpoints in debug and a placeholder production WSS URL.
- Review Firebase, Google, Microsoft, health, notification, and app-usage dependencies before release and patch known vulnerabilities.
- Avoid storing payment card data, passwords, or unnecessary sensitive data in Firestore or local preferences.
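The rule narrowing called for in the Firebase rules item above, as an added example that is not LifeSync's own rules file. The permissive form is a reconstruction of the behaviour this page describes, and the `users/{userId}` layout is an assumption, since the page does not show the data model.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // BEFORE (reconstruction of the behaviour described above, not the
    // project's actual file): any signed-in account can read and write
    // every document, including other users' health and calendar data.
    //
    // match /{document=**} {
    //   allow read, write: if request.auth != null;
    // }

    // AFTER: per-user access.
    // Assumption (hypothetical layout): each user's data lives under
    // users/{userId}/..., where {userId} is the Firebase Authentication UID.
    // With rules_version 2, {document=**} matches the user document itself
    // and every document in its subcollections.
    match /users/{userId}/{document=**} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // No other match blocks: Firestore denies any path that no rule
    // allows, so documents outside users/ are unreadable and unwritable
    // from client SDKs.
  }
}
```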
User responsibilities
Users should download LifeSync only from official LifeSync links, keep their operating system updated, review optional permissions before enabling them, and protect device access with a strong password, PIN, biometric lock, or equivalent control.
Security notices
If a future feature creates a risk of unauthorized access to personal data, LifeSync should investigate, mitigate, document the event, and provide any legally required notices.
Official references
No method of electronic storage or transmission can be guaranteed to be completely secure.