Security

How Bionico protects your health data

Data Architecture

Your health data is stored in your browser, not on our servers.

localStorage-First Design

Bionico's core principle: your health data never leaves your device unless you explicitly ask. All biomarker data, genomic information, wearable metrics, and health records are stored in your browser's encrypted localStorage.

Your data remains under your complete control. When you request AI coaching or analysis, only the data you choose to share is sent securely to Anthropic's Claude API for processing.

Encryption Standards

Industry-leading encryption protecting your data at rest and in transit.

  • At Rest: AES-256 encryption (planned for future server-side features). Status: Planned
  • In Transit: TLS 1.3 for all data transmission, including Claude API calls. Status: Active

API Security

How your API interactions are protected.

Anthropic API Key Protection

Your browser never handles API keys directly. Anthropic API credentials are stored exclusively on Netlify Functions (server-side only), which act as a secure proxy between your device and Claude AI.

  • API keys never transmitted to your browser
  • All Claude API calls routed through TLS 1.3 encrypted connections
  • Request/response data never logged or retained
  • Requests are ephemeral and immediately discarded after processing

Hosting & Infrastructure

Enterprise-grade hosting with compliance certifications.

Netlify SOC 2 Type II

Bionico runs on Netlify, which maintains SOC 2 Type II certification — an industry standard for security, availability, processing integrity, confidentiality, and privacy controls.

  • Automatic HTTPS on all connections
  • Distributed global infrastructure with redundancy
  • DDoS protection and rate limiting
  • Automatic security patches and updates

Security Headers

Preventing common web vulnerabilities.

All Bionico pages include strict security headers:

  • X-Content-Type-Options: nosniff — Prevents MIME-sniffing attacks
  • X-Frame-Options: SAMEORIGIN — Prevents clickjacking by blocking other sites from embedding Bionico pages in an iframe
  • Referrer-Policy: strict-origin-when-cross-origin — Protects against referrer leakage
  • Permissions-Policy — Blocks access to camera, microphone, and geolocation APIs
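
One way to check a response against the header list above, as an added example that is not Bionico's own code. The names `auditSecurityHeaders` and `parsePermissionsPolicy`, the sample header sets, and the `camera=(), microphone=(), geolocation=()` form of the Permissions-Policy value are assumptions, since the page does not give the exact directive.

```javascript
// Expected values, taken from the header list above (compared case-insensitively).
const EXPECTED = {
  "x-content-type-options": "nosniff",
  "x-frame-options": "sameorigin",
  "referrer-policy": "strict-origin-when-cross-origin",
};
// Features the page says Permissions-Policy blocks.
const BLOCKED_FEATURES = ["camera", "microphone", "geolocation"];

// Parse 'camera=(), microphone=(self)' into { camera: [], microphone: ["self"] }.
function parsePermissionsPolicy(value) {
  const policy = {};
  for (const directive of value.split(",")) {
    const eq = directive.indexOf("=");
    if (eq === -1) continue;
    const feature = directive.slice(0, eq).trim().toLowerCase();
    const allowlist = directive.slice(eq + 1).trim();
    if (allowlist === "") continue; // malformed directive: treat as absent
    // "()" is the empty allowlist; "*", "self" or "(self ...)" grant access.
    const inner = allowlist.replace(/^\(|\)$/g, "").trim();
    policy[feature] = inner === "" ? [] : inner.split(/\s+/);
  }
  return policy;
}

// Returns findings; an empty array means the headers match the stated policy.
function auditSecurityHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const findings = [];
  for (const [name, want] of Object.entries(EXPECTED)) {
    if (!(name in h)) findings.push(`${name}: missing`);
    else if (h[name].toLowerCase() !== want) findings.push(`${name}: got "${h[name]}", want "${want}"`);
  }
  const policy = parsePermissionsPolicy(h["permissions-policy"] || "");
  for (const feature of BLOCKED_FEATURES) {
    if (!(feature in policy)) findings.push(`permissions-policy: ${feature} not restricted`);
    else if (policy[feature].length > 0) findings.push(`permissions-policy: ${feature} allowed for ${policy[feature].join(" ")}`);
  }
  return findings;
}

// Constructed sample header sets (not captured from any real site).
const compliant = { "X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN",
  "Referrer-Policy": "strict-origin-when-cross-origin", "Permissions-Policy": "camera=(), microphone=(), geolocation=()" };
const weak = { "X-Frame-Options": "SAMEORIGIN", "Referrer-Policy": "unsafe-url", "Permissions-Policy": "camera=(), microphone=(self)" };
console.log(auditSecurityHeaders(compliant), auditSecurityHeaders(weak));
```

A feature that is absent from Permissions-Policy is reported as unrestricted because the browser then falls back to that feature's default allowlist instead of blocking it.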

No Third-Party Tracking

Zero analytics, zero advertising, zero surveillance.

Bionico contains no third-party scripts.

  • No Google Analytics, Mixpanel, or other analytics trackers
  • No advertising SDKs or ad networks
  • No social media pixels or retargeting
  • No heatmap or session recording tools
  • No customer data platforms or marketing automation

The only external API call is to Anthropic's Claude API when you explicitly request AI processing. All other data remains entirely within your device or our Netlify infrastructure.

Data Minimisation

We collect only what's necessary.

  • No user accounts required for the demo environment
  • No email harvesting or marketing lists
  • No cookies beyond those essential for functionality (set with the Secure flag and SameSite protection)
  • No browser fingerprinting or identification
  • No persistent user tracking across sessions

Swiss Data Protection

Governed by one of the world's strongest privacy frameworks.

Bionico GmbH is a Swiss company subject to the nDSG (Bundesgesetz über den Datenschutz — Federal Data Protection Act), which provides some of the strongest privacy protections globally. This includes:

  • Strict limitations on data collection and processing
  • Requirement for explicit user consent for sensitive health data
  • Right to access, correction, and deletion of personal data
  • Data protection impact assessments for high-risk processing
  • Swiss Federal Data Protection Commissioner oversight

Found a security issue?

We take security seriously. If you discover a vulnerability, please report it to:

security@bionico.ch