← Back to Active Transport

Security & Privacy

We take protecting your data seriously. This page plainly describes how Active Transport secures your information — for students and for institutions evaluating us.

What we collect

• Account info — your email and a hashed password (or a Google sign-in token if you use Google).
• Study materials you upload — lecture notes, PDFs, or Anki decks you choose to submit, used only to generate practice questions for you.
• Usage data — quizzes taken, performance, and review history, to power your dashboard and spaced-repetition queue.
• Payment info — handled entirely by Stripe. We never see or store your credit card details.

How we protect it

Encryption

All traffic to and from Active Transport is encrypted with TLS (HTTPS). Your data is stored on managed infrastructure that encrypts data at rest.

Passwords

Passwords are never stored in plaintext. They're hashed with PBKDF2-HMAC-SHA256 (100,000 iterations) and a unique per-user salt. We can't see your password, and a database leak would not expose them in usable form.

Payments

Billing is processed by Stripe, a PCI-DSS Level 1 certified payment provider. Card numbers go directly to Stripe and never touch our servers.

Infrastructure

Active Transport runs on Render, a SOC 2 Type II–certified cloud platform, with an isolated, access-controlled database. (Note: this refers to our hosting provider's certification, not a certification of Active Transport itself.)

Application security

• Secure, HTTP-only, same-site session cookies signed with a private key.
• Parameterized database queries throughout (protection against SQL injection).
• Login rate-limiting to slow brute-force attempts.
• Administrative access restricted to a small, explicit allowlist.
• Regular internal security reviews of the codebase.

What we don't do

• We don't sell your data — ever. Your uploaded materials are used only to generate your questions.
• We don't store credit card numbers (Stripe does).
• We don't handle protected health information. Active Transport works with study questions and educational materials, not real patient data — so it's outside the scope of HIPAA.

Your control

You can change your password or delete your account at any time from your account settings. Deleting your account removes your data from our systems. See our Privacy Policy for full details.

For institutions

Reporting a vulnerability

If you believe you've found a security issue, please email support@activetransport.app with the details. We take reports seriously and will respond promptly. Please don't publicly disclose an issue before we've had a chance to address it.

Security FAQ

Your data is encrypted in transit, stored on SOC 2 Type II–certified infrastructure, and passwords are irreversibly hashed. We follow standard security practices and review our code regularly.

No. All payments are handled by Stripe; we never see or store card numbers.

HIPAA doesn't apply to Active Transport. We work with study questions and educational materials — not real patient health information — so there's no protected health information to safeguard under HIPAA.

Yes — students and programs use Active Transport. We only process the materials and account info you provide, we don't sell data, and for institutional use we're glad to sign a Data Processing Agreement and complete a security review. Reach out at support@activetransport.app.

Hashed with PBKDF2-HMAC-SHA256 (100k iterations) plus a unique salt — never in plaintext. We cannot recover or view your password.

On Render, a SOC 2 Type II–certified cloud platform, on US-based infrastructure.

Your uploaded materials are used only to generate your own practice questions. They aren't sold or shared, and administrative access is limited to a small allowlist for support and maintenance.

Yes, anytime, from your account settings.

Questions? support@activetransport.app