Security
This page summarizes the controls we can currently describe from the public Libby marketing site and signup flows. We keep stronger app-specific, health-data, HIPAA, and infrastructure claims out of this page unless they have been reviewed against the production product and approved for public use.
Marketing site data boundary
The marketing site is designed for public pages, newsletter signup, waitlist signup, checkout handoff, privacy requests, and basic product analytics. It should not be used to submit lab reports, clinical notes, diagnoses, symptoms, or other health records.
Transport and browser protections
The site is served over HTTPS by our hosting platform. The application also sets common browser security headers for public routes, including:
- X-Content-Type-Options set to nosniff.
- Referrer-Policy set to strict-origin-when-cross-origin.
- X-Frame-Options set to DENY.
- Permissions-Policy disabling camera, microphone, and geolocation for this site.
Forms and abuse protection
Public forms validate inputs on the server and use rate limiting. The waitlist, checkout, and privacy-delete request flows use Cloudflare Turnstile checks when configured in production.
- Signup and newsletter forms accept email and attribution fields.
- Checkout uses Stripe-hosted payment flows.
- Privacy-delete requests are recorded for operator follow-up.
- Server responses avoid exposing internal error details.
Payments
Payments and subscription management are handled through Stripe. We do not receive or store full card numbers on this site. Stripe may collect payment details, billing address details, tax information, and related payment metadata under its own terms.
Analytics
The public site uses PostHog for product analytics with memory persistence, autocapture disabled, session recording disabled, and identified profiles limited to explicit identification flows. Signup and newsletter endpoints also send server-side events when configured, so we can understand whether the site is working.
Health data and app security claims
Libby is intended to help people organize sensitive health information, so health-data security matters. However, this marketing repository does not prove the full product security architecture. We do not publicly claim specific PHI encryption design, key-management model, upload storage controls, audit logging coverage, AI-provider retention terms, HIPAA compliance, or Business Associate Agreement availability unless those details have been confirmed against the production app and approved for publication.
If you are evaluating Libby for sensitive health records, covered-entity use, business-associate use, or a regulated workflow, contact us before uploading data or relying on any compliance representation.
Responsible disclosure
If you discover a security vulnerability, please report it to us before disclosing it publicly. Email security@zebradx.ai with a description of the issue and enough detail for us to reproduce it. We aim to respond promptly and work with good-faith researchers to resolve valid reports.
Also see our Privacy Policy and Terms of Service.