Security

This page summarizes the controls we can currently describe from the public Libby marketing site and signup flows. We keep stronger app-specific, health-data, HIPAA, and infrastructure claims out of this page unless they have been reviewed against the production product and approved for public use.

Marketing site data boundary

The marketing site is designed for public pages, newsletter signup, waitlist signup, checkout handoff, privacy requests, and basic product analytics. It should not be used to submit lab reports, clinical notes, diagnoses, symptoms, or other health records.

Transport and browser protections

The site is served over HTTPS by our hosting platform. The application also sets common browser security headers for public routes, including:

Forms and abuse protection

Public forms validate inputs on the server and use rate limiting. The waitlist, checkout, and privacy-delete request flows use Cloudflare Turnstile checks when configured in production.

Payments

Payments and subscription management are handled through Stripe. We do not receive or store full card numbers on this site. Stripe may collect payment details, billing address details, tax information, and related payment metadata under its own terms.

Analytics

The public site uses PostHog for product analytics with memory persistence, autocapture disabled, session recording disabled, and identified profiles limited to explicit identification flows. Signup and newsletter endpoints also send server-side events when configured, so we can understand whether the site is working.

Health data and app security claims

Libby is intended to help people organize sensitive health information, so health-data security matters. However, this marketing repository does not prove the full product security architecture. We do not publicly claim specific PHI encryption design, key-management model, upload storage controls, audit logging coverage, AI-provider retention terms, HIPAA compliance, or Business Associate Agreement availability unless those details have been confirmed against the production app and approved for publication.

If you are evaluating Libby for sensitive health records, covered-entity use, business-associate use, or a regulated workflow, contact us before uploading data or relying on any compliance representation.

Responsible disclosure

If you discover a security vulnerability, please report it to us before disclosing it publicly. Email security@zebradx.ai with a description of the issue and enough detail for us to reproduce it. We aim to respond promptly and work with good-faith researchers to resolve valid reports.

Also see our Privacy Policy and Terms of Service.

← Back to home