Security

Effective Date: May 23, 2026

PushNcare designs and operates its platform with administrative, technical, and organizational safeguards intended to protect account information, health-related information, nutrition data, practitioner information, enterprise audit information, payment metadata, AI workflows, and operational infrastructure.

This Security page describes current security practices at a high level. It does not create a warranty, guarantee uninterrupted availability, guarantee absolute security, or replace the binding terms in our Terms of Service and Privacy Policy.

1. Security Governance

PushNcare applies a risk-based security approach appropriate for a nutrition, dietetics, wellness technology, practitioner marketplace, personal health blueprint, and enterprise nutrition insights platform.

Our security program is designed to:

  • protect confidentiality, integrity, and availability of the Platform;
  • reduce unauthorized access to personal and health-related information;
  • limit access based on user role and operational need;
  • protect sensitive credentials and configuration values;
  • monitor platform reliability, errors, suspicious activity, and deployment health;
  • support incident response, auditability, and recovery.

We do not claim that PushNcare is certified under any specific security, privacy, or healthcare framework unless that certification is expressly published by PushNcare in a separate official statement.

2. Infrastructure Security

PushNcare uses cloud infrastructure and managed services to operate the Platform. Current systems may include Google Cloud, Cloud Run, Firebase, Firestore, Cloud SQL/PostgreSQL, BigQuery, Cloud Storage, Secret Manager, monitoring, logging, and related cloud security controls.

Infrastructure safeguards may include:

  • managed cloud hosting with provider-level physical and environmental controls;
  • separation between application, database, analytics, secrets, and storage functions;
  • restricted service-account access to sensitive resources;
  • environment-variable and Secret Manager patterns for credentials and API keys;
  • deployment guardrails designed to validate critical runtime configuration;
  • backup, recovery, logging, and monitoring capabilities where applicable.

Cloud providers and subprocessors maintain their own security obligations, terms, certifications, and infrastructure controls.

3. Authentication and Session Protection

PushNcare uses authentication and session mechanisms intended to confirm user identity and protect account access. Depending on feature and role, this may include Firebase authentication, secure session cookies, server-side session verification, role normalization, protected routes, and administrative access controls.

Users are responsible for protecting their login credentials, devices, email accounts, authentication sessions, and any public or shared links they choose to distribute.

4. Access Controls

PushNcare applies access controls designed to limit access to information based on role, account status, authorization, and operational purpose.

Examples include:

  • patient, nutritionist, and admin role separation;
  • protected dashboard and account routes;
  • role-based dashboard routing;
  • professional-profile and storefront visibility controls;
  • administrative restrictions for privileged actions;
  • limited access to production secrets and sensitive infrastructure.

No access-control system can eliminate every risk. PushNcare may suspend, restrict, or revoke access where we believe access creates security, legal, privacy, fraud, or platform-integrity risk.

5. Data Protection and Encryption

PushNcare uses reasonable safeguards designed to protect data in transit, data at rest, and selected sensitive fields.

Current safeguards may include:

  • HTTPS/TLS for data transmitted between users, browsers, APIs, and supported service endpoints;
  • managed database and storage controls provided by cloud infrastructure;
  • AES-256-GCM encryption for selected sensitive assessment contact fields;
  • hashing for selected lookup or verification fields;
  • Secret Manager storage for selected API keys and credentials;
  • reduced exposure of sensitive values in code and deployment workflows.

PushNcare does not represent that every data element is end-to-end encrypted or field-level encrypted. Data may be decrypted or processed where necessary to provide the Platform, generate reports, support users, process payments, comply with law, secure the Platform, or enforce agreements.

6. AI and Data Minimization Safeguards

PushNcare may use AI systems, including Google Gemini, Vertex AI, and related infrastructure, to support nutrition guidance, food search, food scanning, Personal Health Blueprint reports, enterprise insights, and practitioner tools.

For AI-enabled workflows, PushNcare designs controls intended to:

  • limit unnecessary direct identifiers where feasible;
  • sanitize selected free-text health assessment inputs before external AI processing where supported by the workflow;
  • use encrypted or hashed contact fields in selected assessment flows;
  • retain audit metadata needed for report integrity, fraud prevention, payment reconciliation, and support;
  • require human judgment and professional review where AI outputs may affect care, nutrition, wellness, enterprise, or safety decisions.

AI outputs may be inaccurate, incomplete, outdated, or unsuitable for a specific person. Security controls for AI workflows reduce risk but cannot remove all risk.

7. Payment and Mobile Money Security

PushNcare uses payment providers and mobile money partners, such as Stripe, PawaPay, banks, card networks, and mobile money operators, to process payments, subscriptions, deposits, refunds, payouts, chargebacks, and reconciliation.

PushNcare does not directly control every third-party payment environment. Payment providers are responsible for their own security programs, payment credentials, authentication flows, network availability, compliance obligations, and transaction processing controls.

PushNcare may store payment metadata, transaction identifiers, checkout identifiers, deposit IDs, status values, amounts, currencies, payout metadata, and reconciliation records as needed to operate the Platform and comply with financial, tax, legal, fraud-prevention, and dispute obligations.

8. Monitoring, Logging, and Auditability

PushNcare may maintain operational logs, security logs, analytics events, audit trails, payment events, assessment events, report-generation metadata, error logs, and deployment records.

These records help PushNcare:

  • monitor availability and reliability;
  • investigate errors and suspicious activity;
  • verify payment and report delivery status;
  • support fraud detection and abuse prevention;
  • troubleshoot user and practitioner issues;
  • enforce Terms of Service and protect platform integrity.

Logs may contain personal information, identifiers, IP addresses, device data, timestamps, role data, and event metadata where necessary for security and operations.

9. Incident Response

PushNcare maintains processes intended to identify, investigate, contain, remediate, and document security incidents. If we determine that a security incident requires notification under applicable law, we will provide notices as required by that law.

Incident response may involve service providers, cloud providers, payment processors, legal advisors, forensic support, regulators, law enforcement, affected users, enterprise customers, or professional users where appropriate.

10. Vulnerability Reporting

If you believe you have discovered a security vulnerability, contact security@pushncare.com.

When reporting a vulnerability:

  • include a clear description of the issue;
  • include affected URL, endpoint, account type, or workflow if known;
  • include reproduction steps, screenshots, or logs where safe to share;
  • do not access, modify, delete, download, or disclose data that does not belong to you;
  • do not perform denial-of-service testing, social engineering, spam, phishing, physical attacks, or destructive testing;
  • do not publicly disclose the issue before PushNcare has had a reasonable opportunity to investigate and remediate.

PushNcare may restrict, suspend, or take legal action against activity that exceeds good-faith vulnerability reporting or violates law, user privacy, or platform integrity.

11. User Responsibilities

Security is a shared responsibility. You must:

  • use strong and unique passwords;
  • keep email, device, browser, and operating-system security up to date;
  • protect one-time codes, reset links, session cookies, and account credentials;
  • avoid sharing accounts;
  • limit access to public report links and confidential assessment links;
  • verify payment prompts and mobile money authorization requests before approval;
  • report suspicious activity, unauthorized access, or suspected account compromise promptly.

PushNcare is not responsible for losses caused by your failure to protect credentials, devices, payment approvals, public links, or information you choose to share.

12. Security Limitations

No internet-connected service can be guaranteed completely secure, uninterrupted, or error-free. Security controls may fail, third-party providers may experience incidents, user devices may be compromised, payment networks may fail, and attackers may bypass safeguards.

PushNcare continuously seeks to improve security practices, but we do not guarantee absolute protection, permanent availability, or complete prevention of unauthorized access.

13. Contact

For security concerns:

PushNcare, Inc.

  • Security: security@pushncare.com
  • Privacy: privacy@pushncare.com
  • Legal: legal@pushncare.com
  • Support: support@pushncare.com
  • Address: 1111B S Governors Ave, STE 27833, Dover, DE 19904, United States
Security