SereneNow

Security Policy

At SereneNow, we prioritize the security and privacy of your data. This Security Policy outlines the measures we implement to protect the information you entrust to us. This document is intended for users, partners, and third-party integrators seeking transparency about our security practices.

1. DATA ENCRYPTION

All sensitive user data is protected using industry-standard encryption:

  • At Rest: Personal information (names, emails, phone numbers, addresses, financial data) is encrypted before storage using strong cryptographic algorithms. Our database provider also implements encryption at rest for additional protection.
  • In Transit: All API communications use HTTPS with modern TLS encryption. Mobile apps enforce secure connections and prevent cleartext traffic.
  • OAuth Tokens: Third-party OAuth tokens (Google, Zoom) are encrypted before storage and never exposed in logs or error messages.

2. AUTHENTICATION AND ACCESS CONTROL

2.1 User Authentication

  • Password Security: Passwords are hashed using industry-standard algorithms. SereneNow does not store plaintext passwords.
  • Session Management: Secure token-based authentication ensures sessions are validated server-side. Invalid or expired tokens are rejected.
  • OAuth 2.0: Third-party authentication (Google Sign-In, Zoom) follows OAuth 2.0 standards.

2.2 Access Control and Administrative Access

  • Role-Based Access: Users are assigned roles (Client, Expert, Organization Admin) with specific permissions enforced at the API level.
  • Production Access: SereneNow is a solo-developer product. Production systems and data are accessible only to the founder. The principle of least privilege is followed at all times.
  • Database Restrictions: The production database is accessible only from authorized application servers. No public internet access is permitted.

3. ZOOM INTEGRATION AND DATA USAGE

SereneNow integrates with Zoom to enable virtual therapy sessions. We are committed to transparent and secure use of Zoom's APIs:

3.1 How We Use Zoom

  • OAuth Authorization: Experts explicitly authorize SereneNow to create and manage Zoom meetings on their behalf using OAuth 2.0.
  • API Scope: We only request permissions to create, update, and delete scheduled meetings. We do not access Zoom call recordings, chat logs, participant data, or any in-meeting content.
  • Meeting Creation: When a client books an appointment with a Zoom-enabled service, SereneNow automatically creates a Zoom meeting and shares the join link with both the expert and client.
  • Meeting Deletion: When an appointment is cancelled, the associated Zoom meeting is deleted automatically.

3.2 Zoom Data Storage and Security

  • OAuth Token Storage: Zoom OAuth access tokens and refresh tokens are encrypted at rest using strong encryption and stored securely in our database. Tokens are never logged or exposed to clients.
  • Data Retention: Zoom meeting IDs and join links are stored only as long as the appointment is active. When an appointment is completed or deleted, associated Zoom data is removed from our systems.
  • No Anonymous Access: All Zoom meetings created by SereneNow are for authenticated users only. Meeting links are shared exclusively with the therapist and client involved in the scheduled session. Anonymous joining is not enabled.
  • Token Revocation: Experts can disconnect their Zoom account at any time through the SereneNow app, which immediately revokes access and deletes stored OAuth tokens.

3.3 What We Do NOT Access

SereneNow does not access, collect, or process:

  • Zoom call audio or video content
  • In-meeting chat messages or shared files
  • Zoom participant lists or attendance data
  • Zoom cloud recordings or transcripts
  • Any personal data beyond what is required for scheduling

4. THIRD-PARTY INTEGRATIONS

In addition to Zoom, SereneNow integrates with other trusted services:

  • Google Calendar & Google Meet: OAuth 2.0 with user consent for calendar access and meeting creation. OAuth tokens are encrypted and stored securely.
  • Payment Processors (Razorpay, Cashfree): PCI-DSS compliant gateways. SereneNow does not store client payment card details. Expert payout details are encrypted before storage.
  • Email & Notifications (AWS SES, Firebase Cloud Messaging): Used for transactional emails and push notifications. Communications are sent over encrypted connections.

5. SECURE DEVELOPMENT PRACTICES

SereneNow follows secure software development practices appropriate to a solo-developer product:

  • Version Control: All code is maintained in version control with a complete audit history.
  • Secret Management: API keys, database credentials, and encryption keys are stored as environment variables and never committed to source control.
  • Dependency Management: Third-party libraries are sourced from trusted repositories and periodically updated to address known vulnerabilities.
  • Input Validation: All user inputs are validated and sanitized to prevent injection attacks (SQL injection, XSS).
  • CSRF Protection: Cross-Site Request Forgery protection is enabled on all state-changing API endpoints.

6. INFRASTRUCTURE AND APPLICATION SECURITY

  • Cloud Hosting: Production infrastructure is hosted on AWS in India to ensure data residency compliance with Indian regulations.
  • Network Security: Firewall rules restrict traffic to necessary services only. The database is not accessible from the public internet.
  • Automated Backups: Daily automated backups with encryption ensure data availability and disaster recovery.
  • Logging and Monitoring: Application logs capture errors and security events for debugging. Logs exclude sensitive information such as passwords, tokens, and personal identifiers.
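
The claim in sections 1, 3.2 and 6 that tokens and passwords never reach the logs is only as good as the mechanism that enforces it. The following is an added example, not SereneNow's code, of one such mechanism: a logging filter that rewrites every record before any handler writes it, run over a few constructed sample events. The field names it looks for (access_token, refresh_token, password, Authorization: Bearer) and the sample messages are assumptions made up for the example; the tokens in them are not real.

```python
import logging
import re
from typing import List

REDACTED = "[REDACTED]"

# Assumed secret shapes for this example. Group 1 is the label that is kept;
# everything after it up to the next delimiter is replaced.
_SECRET_PATTERNS = [
    # HTTP Authorization headers: "Authorization: Bearer eyJ..." / "Basic dXNl..."
    re.compile(r"(?i)(authorization:\s*(?:bearer|basic)\s+)[A-Za-z0-9._~+/=-]+"),
    # JSON or query-string fields: "access_token": "..."  /  password=...
    re.compile(
        r"(?i)((?:access_token|refresh_token|id_token|client_secret|password)"
        r"['\"]?\s*[:=]\s*['\"]?)[^'\"\s&,}]+"
    ),
]


def redact(text: str) -> str:
    """Replace the secret value after each recognised label, keeping the label."""
    for pattern in _SECRET_PATTERNS:
        text = pattern.sub(lambda m: m.group(1) + REDACTED, text)
    return text


class SecretRedactingFilter(logging.Filter):
    """Formats %-style arguments first, then redacts the whole message.

    Attached to the logger rather than a handler so it runs before any
    handler (file, stdout, remote shipper) sees the record.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # arguments are already folded into msg
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_logger(name: str = "serenenow.example"):
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addFilter(SecretRedactingFilter())
    logger.addHandler(handler)
    return logger, handler


# Constructed sample events; the tokens and password are fake.
SAMPLE_EVENTS = [
    ("Zoom token refresh failed: %s",
     '{"access_token": "eyJhbGciOiJIUzI1NiJ9.sample.token", "refresh_token": "rt_sample_123"}'),
    ("Upstream request headers: Authorization: Bearer ya29.sample-google-token",),
    ("Login failed for user_id=42 with password=hunter2 from 203.0.113.7",),
    ("Appointment 9001 created, meeting link shared",),
]


def redacted_log_lines() -> List[str]:
    logger, handler = build_logger()
    for fmt, *args in SAMPLE_EVENTS:
        logger.info(fmt, *args)
    return handler.lines


if __name__ == "__main__":
    for line in redacted_log_lines():
        print(line)
```

Pattern-based redaction is a safety net, not the primary control: the code that handles tokens should never pass them to the logger in the first place, and the filter exists to catch the exception paths (stack traces, dumped request bodies) where that discipline slips.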

7. DATA RETENTION AND DELETION

  • Retention Policy: Personal data is retained only as long as necessary to provide services or as required by law (e.g., financial records for tax compliance).
  • Meeting Data: Zoom and Google Meet links are retained only while appointments are active. Completed or cancelled appointments have associated meeting data deleted.
  • Account Deletion: Users may request account deletion by contacting admin@serenenow.com. Personal data is permanently removed within 30 days, except where retention is legally required.
  • Anonymized Data: After deletion, aggregated and anonymized data may be retained for analytics.

8. INCIDENT RESPONSE

In the event of a security incident:

  • We will investigate promptly to understand scope and impact.
  • Affected users will be notified as required by applicable law.
  • Corrective actions will be taken to mitigate the incident and prevent recurrence.

Reporting Security Issues: If you discover a security vulnerability, please report it to admin@serenenow.com. We take all reports seriously and respond promptly.

9. SECURITY MATURITY

SereneNow is an early-stage, solo-developer product. We implement industry-standard security practices appropriate to our scale and resources, including encryption, secure authentication, input validation, and regular dependency updates.

We do not currently hold formal security certifications or conduct regular third-party security assessments. As SereneNow grows, we are committed to continuously improving our security posture and pursuing formal assessments when appropriate.

10. USER RESPONSIBILITIES

Users play a critical role in protecting their accounts:

  • Use strong, unique passwords for your SereneNow account.
  • Do not share your login credentials with others.
  • Keep your devices and apps updated with the latest security patches.
  • Report suspicious activity or unauthorized access immediately to admin@serenenow.com.

11. COMPLIANCE

SereneNow complies with applicable Indian data protection laws, including Section 43A of the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPI Rules). All user data is stored in cloud infrastructure located in India.

12. CHANGES TO THIS SECURITY POLICY

We may update this Security Policy from time to time to reflect improvements in our security practices or changes in technology. Significant changes will be communicated by updating the "Last Updated" date below.

13. CONTACT

For questions about this Security Policy or to report a security issue, please contact:

Name: Manasi Jagtap

Role: Co-Founder

Company: SereneNow

Location: Baner, Pune – 411045

Email: admin@serenenow.com

Last updated: January 27, 2026