
Security & Trust

Oryn handles email, financial, health, and calendar data, so security is built into the architecture rather than bolted on. This page describes our practices in plain language.

Data minimization

  • Apple Health stays on your device. We read health metrics locally and send only rounded daily totals for summarization — never raw HealthKit samples.
  • No third-party tracking. Oryn ships with no analytics, advertising, or tracking SDKs.
  • We request the narrowest permissions each integration needs (e.g. Gmail archive-by-label rather than full mailbox deletion).

Encryption

  • In transit: all traffic between the app, our servers, and third-party providers uses TLS.
  • At rest: sensitive connected-account credentials — Gmail and Plaid tokens — are encrypted in our database using authenticated symmetric encryption (PostgreSQL pgcrypto). Encryption keys are held in a secrets vault and are accessible only to privileged server-side functions, never to the app.
  • On device: OAuth tokens stored on your device are kept in the iOS Keychain (Secure Store).

Access control

  • Row-level security (RLS) enforces that you can only ever read or write your own data.
  • Token isolation: raw account credentials are never exposed to the app. The app can check that a connection exists but cannot read the underlying tokens; only server-side functions can decrypt them, through a controlled function layer.
  • Least privilege: API keys for AI, financial, and content providers live only on the server as protected secrets, never in the app bundle.
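The encryption-at-rest and access-control bullets above describe one pattern: tokens are stored encrypted with pgcrypto, RLS scopes every row to its owner, and only a controlled server-side function layer can decrypt. The following SQL is an added illustration of that pattern, not Oryn's own schema. It assumes a Supabase-style Postgres where `auth.uid()` returns the signed-in user's id and the roles `anon`, `authenticated` and `service_role` exist; `vault_token_key()` is a hypothetical function standing in for a lookup in the secrets vault.

```sql
-- Added example, not Oryn's schema. Assumes Supabase-style Postgres
-- (auth.uid(), roles anon/authenticated/service_role) and a hypothetical
-- vault_token_key() that returns the symmetric key from the secrets vault.
create extension if not exists pgcrypto;

create table connected_accounts (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null,
  provider   text not null check (provider in ('gmail', 'plaid')),
  token_enc  bytea not null,   -- pgp_sym_encrypt output; never returned to the app
  created_at timestamptz not null default now()
);

-- Row-level security: a user can read or write only rows they own.
-- WITH CHECK also blocks inserting or updating a row under another user_id.
alter table connected_accounts enable row level security;

create policy own_rows on connected_accounts
  for all
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- Column-level privilege: the app role can see that a connection exists
-- (id, provider, created_at) but cannot select token_enc at all.
revoke all on connected_accounts from anon, authenticated;
grant select (id, user_id, provider, created_at) on connected_accounts to authenticated;

-- Controlled write path. pgp_sym_encrypt attaches a modification detection
-- code by default, so tampered ciphertext fails to decrypt (authenticated encryption).
create or replace function store_token(p_user uuid, p_provider text, p_token text)
returns uuid
language sql
security definer
set search_path = public
as $$
  insert into connected_accounts (user_id, provider, token_enc)
  values (p_user, p_provider, pgp_sym_encrypt(p_token, vault_token_key()))
  returning id;
$$;

-- Controlled read path: decrypts inside the database; the key never leaves the server.
create or replace function read_token(p_account uuid)
returns text
language sql
security definer
set search_path = public
as $$
  select pgp_sym_decrypt(token_enc, vault_token_key())
  from connected_accounts
  where id = p_account;
$$;

-- Functions are executable by PUBLIC by default, so revoke that explicitly
-- and grant execute only to the server-side role the app never holds.
revoke execute on function store_token(uuid, text, text) from public, anon, authenticated;
revoke execute on function read_token(uuid) from public, anon, authenticated;
grant execute on function store_token(uuid, text, text) to service_role;
grant execute on function read_token(uuid) to service_role;
```

Two checks worth running against a setup like this: as the `authenticated` role, `select token_enc from connected_accounts` should fail with a permission error even for the caller's own rows, and `select read_token(...)` should fail for lack of EXECUTE. Because the functions are `security definer`, their `search_path` is pinned so that an attacker-controlled schema cannot shadow `pgp_sym_decrypt` or `vault_token_key`.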

Authentication

  • Sign in with Apple or a one-time email code. We don’t store passwords.
  • Sessions are managed by our authentication provider (Supabase Auth).

Third-party providers

We rely on established providers — Supabase (infrastructure), Anthropic (AI), Plaid (financial connectivity), Apple and RevenueCat (sign-in and subscriptions), and Expo (notifications). Plaid and our infrastructure provider maintain their own industry security certifications.

Compliance & certifications

Oryn is not currently SOC 2 audited. We follow many of the underlying practices today — encryption in transit and at rest, least-privilege access, per-user data isolation, and no third-party tracking. As Oryn grows, we plan to pursue formal third-party security assessments. If you’re evaluating Oryn for your organization and need specific security information, contact us at [Contact email].

Your controls

  • Disconnect any integration at any time; access is revoked and stored data for that connection is deleted.
  • Delete your account in-app to permanently remove your data and revoke third-party access.
  • Revoke Oryn’s Google access anytime at myaccount.google.com/permissions.

Reporting a vulnerability

If you believe you’ve found a security issue, please email [Contact email]. We appreciate responsible disclosure and will respond promptly.

© 2026 ORYN, INC. · ALL RIGHTS RESERVED.