Security Measures
Last updated: April 2026
LongevityMap applies appropriate technical and organizational measures to protect the personal data of its users, in compliance with Article 32 of the GDPR. This page transparently describes the main safeguards in place.
1. Encryption in transit and at rest
All communications between your browser and our servers are encrypted using TLS 1.3. Data stored in our database (PostgreSQL managed by Supabase) is encrypted at rest with AES-256. Passwords are stored with a bcrypt hash and per-user salt — never in plain text.
2. Access control and authentication
Access to the platform requires authentication via email+password or verified OAuth providers (Google). Sessions have automatic expiration and can be revoked remotely. Our technical staff operates under the least-privilege principle: only strictly necessary personnel access personal data, with full traceability.
3. Activity log (audit log)
Every relevant action on personal data (sign-up, deletion, rectification, access to sensitive information, administrative operations) is recorded in an immutable log. IP addresses are never stored in plaintext: we apply SHA-256 hashing with salt, truncated to 16 characters, which allows us to detect abuse patterns without identifying the person.
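As an added illustration, not LongevityMap's own code, of how the salted SHA-256 token described above can still surface repeated abuse without the address ever reaching the log; it assumes a single deployment-wide secret salt (so one IP always yields one token), SHA-256 over salt || IP, and hex output cut to 16 characters.

```python
import hashlib
from collections import Counter

# Constructed illustration; not LongevityMap's own code. Assumptions: one
# deployment-wide secret salt (kept out of the database and rotated like a key),
# SHA-256 over salt || IP, hex output truncated to 16 characters.
SECRET_SALT = b"example-salt-replace-with-secret-from-a-vault"


def pseudonymize_ip(ip: str, salt: bytes = SECRET_SALT) -> str:
    """Return the first 16 hex characters of SHA-256(salt || ip).

    IPv4 has only 2**32 addresses, so the salt must stay secret: with a known
    salt the whole space could be hashed and matched back to addresses.
    """
    return hashlib.sha256(salt + ip.encode("utf-8")).hexdigest()[:16]


def store_entry(timestamp: str, ip: str, action: str) -> dict:
    """Build the audit-log row: the raw IP is replaced by its token."""
    return {"ts": timestamp, "ip_token": pseudonymize_ip(ip), "action": action}


def flag_repeat_offenders(rows: list, action: str = "login_failed",
                          threshold: int = 3) -> dict:
    """Count an action per token and return tokens at or above the threshold."""
    counts = Counter(r["ip_token"] for r in rows if r["action"] == action)
    return {token: n for token, n in counts.items() if n >= threshold}


# Constructed sample events (RFC 5737 documentation addresses).
CONSTRUCTED_EVENTS = [
    ("2026-04-01T10:00:01Z", "203.0.113.7", "login_failed"),
    ("2026-04-01T10:00:04Z", "203.0.113.7", "login_failed"),
    ("2026-04-01T10:00:09Z", "198.51.100.22", "login_failed"),
    ("2026-04-01T10:00:12Z", "203.0.113.7", "login_failed"),
    ("2026-04-01T10:00:15Z", "192.0.2.5", "login_ok"),
    ("2026-04-01T10:00:20Z", "203.0.113.7", "login_failed"),
    ("2026-04-01T10:00:31Z", "198.51.100.22", "login_failed"),
]

# What would actually be written to the immutable log: tokens, never raw IPs.
AUDIT_ROWS = [store_entry(*event) for event in CONSTRUCTED_EVENTS]


if __name__ == "__main__":
    print(flag_repeat_offenders(AUDIT_ROWS))
```

Rotating the salt breaks linkage between old and new tokens, which is the intended trade-off: the log stays pseudonymous, but abuse counts should be kept inside one salt period.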
4. Data minimization
We only collect the data strictly necessary to provide the service. We do not store raw IPs, do not apply invasive device fingerprinting, and do not track behavior outside our platform. In analytics cookies, the IP is anonymized at source.
5. Retention and automatic deletion
We apply automated retention policies:
- Cancelled appointments: sensitive data (message, phone, internal notes) is deleted after 12 months, preserving only aggregate data needed for anonymous statistics.
- General activity logs: 2 years.
- Financial and data-subject-rights logs: 6 years (tax and legal obligation).
- Inactive accounts: after 3 years without activity, the account is automatically pseudonymized (see section 8).
6. Backups
The database is automatically backed up daily by Supabase, with Point-in-Time Recovery (PITR) for 7 days. Backups are encrypted at rest and restore capability is verified periodically.
7. Incident response
We maintain a formal security-breach response procedure. If a breach were detected that could pose a risk to the rights and freedoms of users, we would notify the Spanish Data Protection Agency (AEPD) within a maximum of 72 hours (Article 33 GDPR) and the affected individuals where applicable (Article 34 GDPR).
8. Pseudonymization on account deletion
When you request deletion of your account (Article 17 GDPR), we apply a pseudonymization process: your email is replaced by an anonymous identifier, all identifying fields (name, phone, city, etc.) are nulled, and your active sessions are revoked. Published reviews are kept without your identity, based on the legitimate interest of other users (Article 17.3 GDPR).
9. Updates and maintenance
Software dependencies are audited automatically on every deployment. Critical security patches are applied with maximum priority. We periodically review the practices of our providers (see Data Processors).
10. Report an issue or vulnerability
If you detect a potential vulnerability or have a security-related concern, please write to privacidad@longevitymap.co. We respond within 72 hours at most.