Security Disclosure
Last updated: 21 April 2026
We take the security of parent and practitioner accounts seriously and aim to be clear and transparent about how the platform is built and protected. This page describes the measures currently in place and how to report a security concern.
1. Our approach
Myopia Focus is built around a small set of principles: collect as little personal data as possible, protect what we do collect using widely accepted security practices, keep the system boundaries clear, and be honest about the limits of any one provider's security guarantees.
2. Connections in transit
- All connections to the platform are encrypted using HTTPS (TLS). This applies to the website, the in-app API, and the Practitioner Dashboard in production.
- The mobile and web apps communicate with the backend API over secure HTTPS connections.
3. Authentication & access control
- Email + password sign-in for parents, practitioners and admins.
- Passwords are hashed with bcrypt (work factor 12) before being written to the database. The plain password never leaves the request handler and is never stored.
- JSON Web Tokens (JWTs) issued at sign-in are sent as Authorization: Bearer headers; sessions are handled using secure tokens and we do not use third-party login cookies.
- Role separation: parent, practitioner and admin actions are controlled by access checks on each request — a parent token cannot access the practitioner endpoints, and vice versa.
- Practitioner access to a child record requires either parent approval of a link request or that the practitioner created the record directly. Both sides can unlink at any time.
- Password resets use a one-time token that expires after one hour and is sent by email through SendGrid. Reset links work only once.
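The reset-token behaviour described above (single use, one-hour expiry), sketched as an added example; it is not Myopia Focus's own code. The `ResetTokenStore` class, the in-memory dict standing in for a database table, storing only a SHA-256 digest of the token, and invalidating older links on reissue are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 3600  # one hour, the lifetime stated on this page


class ResetTokenStore:
    """In-memory stand-in for a reset-token table (hypothetical name and layout)."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._rows = {}      # sha256(token) -> {"account": str, "expires": float}

    @staticmethod
    def _digest(token: str) -> str:
        # Assumption: only a digest is stored, so a leaked table row
        # cannot be turned back into a working reset link.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account: str) -> str:
        # Assumption (not stated on the page): requesting a new link
        # invalidates any older outstanding link for the same account.
        self._rows = {d: r for d, r in self._rows.items() if r["account"] != account}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._digest(token)] = {
            "account": account,
            "expires": self._clock() + RESET_TTL_SECONDS,
        }
        return token  # placed in the emailed link; never stored in clear

    def redeem(self, token: str):
        # pop() deletes the row before any check, so a link that was used,
        # or presented after expiry, can never succeed on a later attempt.
        row = self._rows.pop(self._digest(token), None)
        if row is None or self._clock() >= row["expires"]:
            return None
        return row["account"]
```

In a real database the lookup and delete in `redeem` would need to be a single atomic statement so two concurrent requests cannot both redeem the same link.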
4. Data protection
- Minimal data: we only collect what is needed to operate the service (see the Privacy Policy).
- The anonymised research dataset is kept in a separate table, keyed by an opaque per-child token rather than the real account or child ID, so it is not linked back to a person.
- Database access is restricted to the application server using credentials held in managed environment secrets, not in source control.
- The live Vision Simulator processes camera frames entirely on your device — frames are never uploaded.
- No third-party analytics, advertising or tracking SDKs are loaded in the website or app.
5. Infrastructure
- Hosting: Replit Deployments, in the United States.
- Database: a managed PostgreSQL instance also located in the United States.
- Email: transactional (password-reset) email is sent via SendGrid.
- We do not run our own bare-metal servers; the underlying platform is patched and operated by Replit.
- We rely on these providers to maintain the security of the underlying infrastructure.
6. Limitations & honest caveats
Where we depend on a third party (Replit, SendGrid), our security depends in part on theirs. We do not have low-level access to their infrastructure.
7. What you can do
- Use a strong, unique password.
- Don't share your account with other adults — practitioners should use the practitioner role.
- Review approved practitioner links from time to time and unlink anyone who no longer needs access.
- Sign out on shared devices.
8. Responsible disclosure
Found a security issue? Please tell us.
Email info@myopiafocus.org with as much detail as you can — the affected URL or screen, steps to reproduce, and the impact you observed. We will acknowledge your report, investigate, and keep you informed of any fix.
Please do not publicly disclose the issue or attempt to access data that does not belong to you while we investigate. We are grateful for reports made in good faith.