How we protect your data.

Security isn't just a checkbox for us. When you're using tools for nervous system regulation, you're in a vulnerable state. We treat that seriously.

Infrastructure

  • Hosted on Hetzner (Germany) — GDPR-native data protection baked in at the infrastructure level
  • Cloudflare for DDoS protection and SSL/TLS encryption at the edge
  • All connections are encrypted — HTTPS only, HSTS enabled
  • No third-party services have access to user data

What we don't use

The absence of certain things is a security feature. We've deliberately excluded:

  • Google Analytics, Facebook Pixel, or any tracking service
  • Third-party fonts loaded from external CDNs (all fonts are self-hosted)
  • Advertising networks
  • Data brokers
  • Session recording tools

Every external script is a potential attack surface. We use none. Everything that runs on our sites is code we wrote and control.

SHIFT app security

SHIFT's security model is simple: we don't collect your data, so we hold nothing that could be breached.

  • All data stays on your device — local-only architecture
  • No server-side data collection of any kind
  • No account creation required
  • No behavioral tracking or analytics in the app

Email security

If you signed up for launch notifications:

  • Your email is stored on our Hetzner servers in Germany
  • Emails are sent via encrypted SMTP
  • No open-rate tracking pixels
  • No link tracking
  • One-click unsubscribe in every email

Security headers

Our servers are configured with a full set of modern security headers:

  • Content Security Policy (CSP) — restricts which external resources can load
  • X-Frame-Options — prevents clickjacking attacks
  • Strict Transport Security (HSTS) — enforces HTTPS for all connections
  • Referrer Policy — limits data leakage when you navigate away
  • Permissions Policy — disables unnecessary browser APIs (camera, microphone, geolocation)
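
One way to verify a response against the five headers above, as an added example (not this site's own code or configuration). The function names, the pass/fail rules and the sample header values are assumptions of this example; the script-src and font-src checks mirror the "no external scripts, self-hosted fonts" statements earlier on the page.

```python
import re

# The five headers the page lists; the pass/fail rules below are assumptions of this example.
REQUIRED = ("content-security-policy", "x-frame-options", "strict-transport-security",
            "referrer-policy", "permissions-policy")

def parse_csp(value):
    """Split a CSP value into {directive: [sources]}; a repeated directive is ignored."""
    parts = [p.split() for p in value.split(";") if p.split()]
    return {p[0].lower(): p[1:] for p in reversed(parts)}  # reversed: first occurrence wins

def audit(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {name}" for name in REQUIRED if name not in h]
    csp = parse_csp(h.get("content-security-policy", ""))
    for directive in ("script-src", "font-src") if csp else ():
        sources = csp.get(directive, csp.get("default-src"))
        if sources is None:
            findings.append(f"CSP: {directive} unrestricted")
        for src in sources or ():
            # Unquoted sources are hosts, schemes or "*": content from outside the origin.
            risky = directive == "script-src" and src.lower() in ("'unsafe-inline'", "'unsafe-eval'")
            if risky or not src.startswith("'"):
                findings.append(f"CSP: {directive} allows {src}")
    if h.get("x-frame-options", "DENY").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: value is not DENY or SAMEORIGIN")
    m = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    if "strict-transport-security" in h and (not m or int(m.group(1)) == 0):
        findings.append("HSTS: max-age missing or zero")  # max-age=0 clears the policy
    rp = h.get("referrer-policy", "").split(",")[-1].strip().lower()
    if rp in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy: full URL is sent to other origins")
    pp = h.get("permissions-policy", "")
    feats = dict(i.strip().split("=", 1) for i in pp.split(",") if "=" in i)
    for feat in ("camera", "microphone", "geolocation") if "permissions-policy" in h else ():
        if feats.get(feat, "").strip() != "()":  # "()" is the empty allowlist
            findings.append(f"Permissions-Policy: {feat} not disabled")
    return findings

# Constructed sample response, not captured from any real site.
WEAK = {
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline' https://cdn.example",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Strict-Transport-Security": "max-age=0",
    "Permissions-Policy": "camera=(), geolocation=(self)",
}
if __name__ == "__main__":
    print("\n".join(audit(WEAK)))
```
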

Reporting security issues

Found something? Please tell us.

Email [email protected] with details of what you found. We take all reports seriously and will respond within 48 hours. We don't have a bug bounty program, but we will thank you genuinely.

Last updated: April 2026