Security & Privacy

• Two-factor authentication on every login. After entering your password, a one-time code is sent to your email. It expires in 10 minutes and is invalidated after 5 incorrect attempts — so a stolen password alone is not enough to access your account.
• Google Sign-In. We never see or store your Google password. Authentication is handled entirely by Google.
• Passkey & biometric login (WebAuthn). Log in with Face ID, Touch ID, or a hardware security key. Your biometric data never leaves your device — we only receive a cryptographic proof that you authenticated successfully.
• Biometric-protected persistent login. On iOS, the app stores your refresh token in the iOS Keychain. Face ID or Touch ID is required to use it — a stolen device cannot silently re-authenticate.
• Refresh token rotation. Every time a new access token is issued using a refresh token, the old refresh token is immediately invalidated and a fresh one is issued. This limits the window of exposure if a refresh token were ever compromised.
• Short-lived access tokens (1-hour TTL). Access tokens expire after 60 minutes. Refresh tokens expire after 30 days. Pre-authentication OTP tokens expire after 2 minutes.
• Passwords are hashed with bcrypt (cost factor 12). We store a one-way mathematical fingerprint, not your actual password. Even in the unlikely event our database were ever compromised, your password would not be directly exposed.
• Account lockout after 5 failed attempts (15-minute lockout). This makes automated password-guessing attacks impractical.
• Strong password requirements enforced on both client and server: min 8 characters, uppercase, lowercase, number, special character, no common passwords, no use of your own name or email.
• Email verified before account activation. Unverified accounts cannot log in.

• All connections use HTTPS/TLS. We enforce HTTP Strict Transport Security (HSTS) — plain HTTP is never allowed, even if a link tries to force it.
• Security headers on every response: X-Frame-Options (clickjacking protection), X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and XSS protection headers.
• Every API endpoint verifies your session before returning any data. There are no unauthenticated back-doors.
• Ownership checks on every operation. You can only access your own workouts, routines, nutrition logs, and body weight data. It is not possible for one user to read or modify another user's data.
• Strict input validation (Zod schemas) on all API inputs. This prevents mass assignment attacks where a malicious request tries to modify fields it should not have access to.
• PostgreSQL with parameterised queries throughout. There is no raw string-concatenated SQL in the codebase — SQL injection is not possible.

• Sensitive endpoints — login, registration, OTP, password reset, and AI features — are rate-limited by both IP address and per-user account.
• OTP sessions are invalidated after 5 incorrect attempts, preventing distributed brute-force attacks even across multiple IPs.
• Constant-time comparisons are used for security-sensitive operations, closing timing-based side-channel attacks.

• All workouts are private by default. Nothing you log is visible to other users unless you explicitly choose to share it.
• When you tap “Share” after a workout, a public page is generated at pushd.fit/share/[id]. It contains your workout title, exercise list, summary stats, and any photo you choose to attach. This page requires no login to view — treat it like a public social post.
• Social features (likes, comments) only work on workouts you have made public.
• You can make a shared workout private again at any time, which removes the public share page.
• Workout photos and videos are stored on Cloudinary with access-controlled URLs. Private workout media is not accessible without authentication.

We use a small number of established services, each limited to its stated purpose:

We do not sell data to any of these providers for advertising purposes.