Trust
Security And Data Retention
Last updated: 21 May 2026
Security Measures
- HTTPS for web traffic.
- Supabase authentication for portal and admin access.
- Club-based access controls and tenant isolation in application routes.
- Private storage buckets for raw sessions and generated files.
- Provider-managed encryption for hosted databases, storage, and infrastructure.
- API-key protection for non-public processing routes.
- Restricted administrative access to Supabase, Vercel, Railway, and GitHub.
- Operational logging for debugging, abuse prevention, and incident response.
Credential Handling
Intervals.icu API keys and TrainingPeaks OAuth tokens are sensitive. Connected-service tokens are encrypted at application level before storage using AES-256-GCM, with separate keyed hashes for operational matching or audit. Decryption happens only inside trusted server routes when CatchLab needs to call the connected service.
Retention Defaults
- Raw Peach archives and generated session files are retained while the relevant club subscription or pilot is active so coaches can reload and compare historical sessions.
- Deleted sessions are removed from the application database and associated storage paths where the product deletion flow supports it.
- Deleted clubs trigger deeper cleanup across club records, athletes, sessions, pieces, storage files, licenses, devices, and related data.
- Inactive athletes may remain in the club database unless separately deleted or disconnected.
- Backups, logs, and provider-level retention may continue for a limited period after deletion from the live application.
Incident Response
If CatchLab becomes aware of a personal-data breach affecting customer data, CatchLab will investigate, contain the issue, and notify affected customers without undue delay, with information reasonably available at the time.
Responsible Disclosure
Security concerns can be reported to [email protected]. Please include enough detail to reproduce the issue and avoid accessing or disclosing data that is not yours.