Security & Privacy
We built Caraly with security as a foundation, not an afterthought. Here is exactly how we protect your data and your account — including our Google OAuth integration.
Sign in with Google — now available
Caraly now supports Google Sign-In via OAuth 2.0. Your Google password is never shared with us — authentication happens entirely on Google's servers. We receive only your name and email to create your account. You can revoke access at any time from your Google Account permissions page.
Secure Login Methods
- Caraly supports two secure login methods: Google OAuth 2.0 and email/password — both protected by the same session infrastructure.
- Google Sign-In uses OAuth 2.0, an industry-standard authorization protocol. We never see or store your Google password — authentication is handled entirely by Google's servers.
- When you sign in with Google, we receive only your name, email address, and Google account ID. No other Google account data is accessed.
- Google OAuth tokens are validated server-side on every login request. Expired or revoked tokens are rejected automatically.
- Email/password accounts use bcrypt hashing with a high work factor — your password is never stored in plain text and cannot be retrieved, only reset.
- Both login methods issue the same cryptographically signed JWT session token, which expires automatically after inactivity.
- If you previously created an email/password account with the same Gmail address, signing in with Google automatically links your accounts — no duplicate accounts are created.
- Account lockout is enforced after repeated failed login attempts to prevent brute-force attacks regardless of login method.
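The lockout and password-hash handling described in this section, as an added example that is not Caraly's own code. It assumes a lockout policy of five failures in fifteen minutes (the page states that a lockout exists but gives no numbers), and it uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt so it runs with no third-party package; the iteration count plays the role of bcrypt's work factor. The guard counts failures per account whichever login method produced them, which is what makes the lockout method-independent.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional

# Stand-in for bcrypt (assumption: page says bcrypt; PBKDF2 used here so the example is
# self-contained). The iteration count is the cost knob, like bcrypt's work factor.
PBKDF2_ITERATIONS = 100_000

# Assumed lockout policy; the page does not state these values.
MAX_FAILURES = 5           # failures inside FAILURE_WINDOW that trigger a lock
FAILURE_WINDOW = 15 * 60   # seconds over which failures are counted
LOCKOUT_SECONDS = 15 * 60  # how long the account stays locked


def register_password(password: str) -> Dict[str, bytes]:
    """Store only a salted, stretched hash; the plaintext is never kept or recoverable."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(password: str, record: Dict[str, bytes]) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])  # constant-time comparison


# Constructed dummy record: unknown accounts cost the same as real ones, so response
# time does not reveal whether an email is registered.
_DUMMY_RECORD = register_password(secrets.token_hex(8))


class LoginGuard:
    """Per-account failure counter shared by every login method."""

    def __init__(self) -> None:
        self._failures: Dict[str, List[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str, now: float) -> bool:
        return self._locked_until.get(account, 0.0) > now

    def record(self, account: str, success: bool, now: float) -> None:
        if success:
            self._failures.pop(account, None)
            return
        recent = [t for t in self._failures.get(account, []) if now - t < FAILURE_WINDOW]
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            recent = []  # counter restarts once the lock expires
        self._failures[account] = recent


def password_login(guard: LoginGuard, users: Dict[str, Dict[str, bytes]],
                   email: str, password: str, now: Optional[float] = None) -> str:
    """Returns 'locked', 'ok' or 'bad_credentials'. The lock is checked before any
    credential work so a locked account cannot be probed at all. A Google login path
    would call guard.is_locked and guard.record the same way after validating the
    Google token, which is how both methods share one lockout."""
    now = time.time() if now is None else now
    account = email.strip().lower()
    if guard.is_locked(account, now):
        return "locked"
    record = users.get(account)
    # Always run the hash (against the dummy if the user is unknown) before deciding.
    ok = verify_password(password, record if record is not None else _DUMMY_RECORD) and record is not None
    guard.record(account, ok, now)
    return "ok" if ok else "bad_credentials"
```

A successful login clears the failure counter; a lock is never lifted early by a correct password, because the password is not even checked while the lock is in force.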
Infrastructure & Hosting
- Caraly is hosted on enterprise-grade cloud infrastructure with 99.9% uptime SLA.
- All data is encrypted at rest using AES-256 encryption.
- All data in transit is protected with TLS 1.3 — the same standard used by major banks.
- Our infrastructure is isolated per-environment with strict network access controls.
- Regular automated backups ensure your data is never permanently lost.
- Content Security Policy (CSP) headers are enforced on all pages to prevent cross-site scripting (XSS) attacks.
Session & Token Security
- Session tokens are cryptographically signed using JWT (JSON Web Tokens) with a secure server-side secret.
- Tokens are transmitted via HttpOnly, Secure, SameSite cookies — inaccessible to JavaScript and protected against CSRF attacks.
- Automatic session expiry protects your account if you forget to log out on a shared device.
- Logging out immediately invalidates your session server-side — not just on your device.
- OAuth state parameters include CSRF tokens to prevent cross-site request forgery during the login flow.
- Two-factor authentication (2FA) is available to add an extra layer of protection to email/password accounts.
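The session mechanics listed above (a signed JWT, inactivity expiry, the cookie attributes, and server-side invalidation on logout), as an added example that is not Caraly's own code. It uses only the Python standard library; the signing secret, the thirty-minute idle timeout and the in-memory revocation set are assumptions, and a real deployment would load the secret from an environment variable and keep revoked token ids in shared storage so every server sees a logout.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set

# Assumption: generated here so the example runs offline; in production this comes
# from an environment variable, never from source code.
SERVER_SECRET = secrets.token_bytes(32)
IDLE_TIMEOUT_SECONDS = 30 * 60  # assumed inactivity window; the page gives no number

# Revoked token ids (jti). Logout adds the jti here, so the token is dead server-side
# even if a copy survives on the device. Shared storage (Redis, database) in production,
# with entries expiring at the token's own exp.
REVOKED_JTIS: Set[str] = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(user_id: str, now: Optional[float] = None) -> str:
    """Mint an HS256-signed JWT with a unique id and an inactivity-based expiry."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "jti": secrets.token_hex(16),
               "iat": int(now), "exp": int(now) + IDLE_TIMEOUT_SECONDS}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    signature = hmac.new(SERVER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_session(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the token is well-formed, correctly signed, unexpired and
    not revoked; otherwise None. Every failure looks the same to the caller."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm server-side; the token never gets to choose it ("none", key confusion).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(SERVER_SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers a bad split, bad base64 and bad JSON
        return None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    if payload.get("jti") in REVOKED_JTIS:
        return None
    return payload


def logout(token: str, now: Optional[float] = None) -> bool:
    """Invalidate the session server-side. Returns True if a live session was revoked."""
    payload = verify_session(token, now)
    if payload is None:
        return False
    REVOKED_JTIS.add(payload["jti"])
    return True


def session_cookie_header(token: str) -> str:
    """The attributes named on the page: HttpOnly (no script access), Secure (HTTPS only),
    SameSite (Lax here, so the browser still sends it on the redirect back from Google)."""
    return (f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax; "
            f"Path=/; Max-Age={IDLE_TIMEOUT_SECONDS}")
```

The revocation set is what turns a stateless JWT into a session that logout can actually end; without it, a signed token stays valid until its expiry no matter what the user does.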
Bot & Abuse Protection
- Cloudflare Turnstile (invisible CAPTCHA) is active on all signup and login forms to block automated bots.
- Server-side rate limiting prevents brute-force and credential stuffing attacks on all authentication endpoints.
- All API endpoints are protected against common web vulnerabilities (OWASP Top 10).
- Suspicious login activity is logged and monitored continuously.
- OAuth redirect URIs are strictly validated — only pre-approved domains are accepted as callback destinations.
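The OAuth-flow protections named on this page (a state parameter carrying a CSRF binding, item under Session & Token Security, and strict redirect-URI validation, item above), as an added example that is not Caraly's own code. The state secret, the ten-minute state lifetime, the callback URI under the reserved `.example` domain and the placeholder client id are assumptions; the authorization endpoint is Google's public one. The state is bound to the browser session that started the login and is accepted once only; the redirect check is an exact match against an allowlist, so subdomains, path suffixes, query strings and userinfo tricks are all rejected.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set
from urllib.parse import urlencode, urlsplit

STATE_SECRET = secrets.token_bytes(32)  # assumption: from an environment variable in production
STATE_TTL_SECONDS = 10 * 60             # assumed lifetime of a pending login attempt
USED_STATES: Set[str] = set()           # one-time use; shared storage in a real deployment

# Assumed allowlist: exact callback URIs, not patterns or domain suffixes.
ALLOWED_REDIRECT_URIS = frozenset({
    "https://app.caraly.example/auth/google/callback",
})
GOOGLE_AUTHORIZE_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def make_state(session_id: str, now: Optional[float] = None) -> str:
    """state = nonce.issued_at.mac. The MAC covers the browser session id, so a state
    minted in an attacker's session does not verify in the victim's (the CSRF binding)."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(16)
    mac = hmac.new(STATE_SECRET, f"{nonce}.{issued}.{session_id}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{issued}.{mac}"


def check_state(state: str, session_id: str, now: Optional[float] = None) -> bool:
    """Accept a state only if it is well-formed, fresh, bound to this session and unused."""
    now = int(time.time() if now is None else now)
    parts = state.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    nonce, issued_text, mac = parts
    issued = int(issued_text)
    if issued > now or now - issued > STATE_TTL_SECONDS:
        return False
    expected = hmac.new(STATE_SECRET, f"{nonce}.{issued}.{session_id}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False
    if state in USED_STATES:  # a replayed callback
        return False
    USED_STATES.add(state)
    return True


def is_allowed_redirect(uri: str) -> bool:
    """Exact-match validation: https only, no userinfo, no query or fragment, and
    scheme://host[:port]/path must equal an allowlisted entry. Host names compare lower-case."""
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username or parts.password or parts.query or parts.fragment:
        return False
    host = parts.hostname + (f":{port}" if port else "")
    return f"https://{host}{parts.path}" in ALLOWED_REDIRECT_URIS


def build_authorize_url(client_id: str, redirect_uri: str, session_id: str,
                        now: Optional[float] = None) -> str:
    """Start the login: refuse any redirect_uri that is not allowlisted, then attach a
    fresh state. Scopes match what the page says is requested (name, email, account id)."""
    if not is_allowed_redirect(redirect_uri):
        raise ValueError("redirect_uri is not on the allowlist")
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code",
              "scope": "openid email profile", "state": make_state(session_id, now)}
    return GOOGLE_AUTHORIZE_ENDPOINT + "?" + urlencode(params)
```

On the callback, the server runs check_state with the session id from its own cookie before exchanging the authorization code; a mismatch means the callback was not started by this browser and the code is discarded.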
Privacy & Data Handling
- We collect only the minimum data necessary to provide the service: your name, email, and conversation history.
- For Google Sign-In users, we store only your name, email, and Google account ID — no access tokens or refresh tokens are retained after login.
- Your health conversations are stored to provide continuity across sessions. They are never sold or shared with third parties.
- We do not sell, rent, or trade your personal information to advertisers or data brokers.
- Analytics are collected using privacy-respecting tools. IP addresses are anonymized.
- Cookie consent is required before any non-essential tracking is activated.
API & Payment Security
- All API keys and secrets are stored in secure environment variables — never hardcoded in source code.
- Google OAuth client credentials are stored server-side only and never exposed to the browser.
- Stripe payment processing is handled entirely by Stripe's PCI-compliant infrastructure. We never see or store your full card number.
- Payment data (card numbers, CVV, expiry) is processed directly by Stripe and never touches our servers.
- Third-party integrations use scoped API keys with least-privilege access.
Data Retention & Deletion
- You can request full account deletion at any time by contacting us at [email protected].
- Upon account deletion, your personal data and conversation history are permanently removed within 30 days.
- For Google Sign-In accounts, revoking Caraly's access in your Google Account settings will immediately prevent future logins via Google.
- Inactive accounts are subject to our data retention policy outlined in our Privacy Policy.
- Anonymized, aggregated usage statistics may be retained for platform improvement after deletion.
HIPAA & Educational Disclaimer
- Caraly is an educational platform, not a medical device or covered entity under HIPAA.
- We do not store Protected Health Information (PHI) as defined by HIPAA — conversations are educational in nature.
- We have designed our systems with healthcare-grade security practices as a baseline.
- Enterprise customers requiring a formal Business Associate Agreement (BAA) should contact us at [email protected].
- Nothing on this platform constitutes medical advice, diagnosis, or treatment.
Questions about security?
If you have a security concern, have discovered a vulnerability, or need to request data deletion, contact us directly.