Skip to content
Regimio

Security

The engineering behind a promise.

Privacy is a posture. Security is the architecture that makes the posture real. Here's how Regimio is built.

OS sandboxingTLS 1.3 in transitNo Regimio cloud databaseSandboxed file storage

Architecture

A four-layer model.

1. Storage

Domain data lives in app-local storage controlled by the mobile OS sandbox. Other apps cannot read Regimio data without explicit user action through export or share flows.

2. Local control

The MVP does not require a Regimio login or cloud sync. Users can erase local Regimio data from Settings, and subscription access is handled by Apple, Google, and RevenueCat.

3. Transit

The network surfaces in the MVP are store subscription checks through Apple, Google, and RevenueCat, optional Sentry crash reports, support links opened by the user, and user-controlled export or share flows.

4. Future sync

Multi-device sync is not part of the MVP. If it ships later, it should require explicit opt-in, clear privacy copy, and updated store privacy disclosures before release.

Threat model

What we defend against · and what we don't.

An honest read on a real product.

Lost or stolen device

Yes

Optional Face ID / Touch ID / biometric lock gates the app and Settings. Apple/Google device encryption protects data at rest with the device passcode.

App-level data leak via OS

Mitigated

iOS app sandboxing isolates Regimio's data. No public Share extension that includes raw values. Doctor PDF is generated on-device, AirDropped or emailed by you.

Compromised cloud infrastructure

Yes

Regimio does not run a cloud database for user health data in the MVP, which removes a major server-side breach path for stack, dose, lab, and check-in data.

Targeted forensic compromise

No

If a state-level actor has physical custody of your unlocked device with biometrics bypassed, no consumer app stops them. The one-tap erase exists precisely for the moment before a hand-off.

Phishing or social engineering

N/A

There is no Regimio account to phish in the MVP. Users should still protect their Apple ID or Google account because subscriptions are managed through the stores.

Insider threats at Regimio

Mitigated

We don't run a server that stores your data. There is no Regimio employee with a button that can read your stack. We can't get to it even with intent.

Practices

Engineering hygiene.

  • TypeScript strict mode across the entire codebase
  • Dependency review on every release. No deprecated packages in production.
  • Crash reports scrubbed of compound names, doses, and lab values before submission
  • Sentry is opt-in. Default = OFF.
  • Public changelog · every release notes what changed for privacy and security
  • Bug bounty (coming once v1 ships) · responsible disclosure at security@regimio.app
  • No third-party analytics SDKs (no Mixpanel, no Amplitude, no Segment)
  • No advertising SDKs ever
  • Pen test before public launch (planned q3 2026)
  • Math verified against published peptide and ester reference tables

Found something?

Responsible disclosure

Email security@regimio.app. We respond within 72 hours, even pre-launch.