Privacy & Security
Authentication & Privacy
Petra uses WebAuthn (Web Authentication) for secure, passwordless authentication. This technology provides several privacy benefits:
- No usernames required: Your identity is tied to your device's biometric authentication or security key, not a username or email address
- No passwords stored: We never store or have access to your passwords since authentication is handled directly by your device
- Phishing resistant: WebAuthn credentials are tied to our specific domain, making phishing attacks ineffective
- Private by design: Your biometric data never leaves your device - only cryptographic signatures are shared
Data We Store
Petra stores only the minimal data necessary for the fitness tracking functionality:
- Workout data: Your exercise sessions, sets, reps, and weights to track your progress
- Exercise preferences: Your customized exercise selections and difficulty preferences
- WebAuthn credentials: Cryptographic public keys and credential IDs for authentication (no biometric data)
- Session data: Temporary authentication tokens to keep you logged in
We do not store personal identifiers like names, email addresses, or any biometric data. All data is stored locally on our servers and is not shared with third parties.
Cookies & Security
Petra uses the following cookies to ensure security and functionality:
- session: Secure, HTTP-only session cookie that maintains your authenticated state. Expires when you close your browser or after a period of inactivity.
All cookies are set with secure flags (Secure, HttpOnly, SameSite) to prevent unauthorized access and ensure they're only transmitted over encrypted connections.
Data Security
Your data is protected through multiple security measures:
- HTTPS encryption: All data transmission is encrypted using TLS
- CSRF protection: Modern browser CSRF protection with SameSite="Lax" cookies and Sec-Fetch-Site header checking.
- Content Security Policy: Strict CSP headers prevent code injection attacks
- SQL injection prevention: All database queries use parameterized statements
- Secure session management: Sessions use cryptographically secure tokens with appropriate expiration
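The session cookie flags and the Sec-Fetch-Site check listed above can be sketched as follows. This is an added example, not Petra's own code: the function names, the `petra.example` host used in testing, and the fallback behaviour when Sec-Fetch-Site is absent are all assumptions.

```python
# Added example with hypothetical names; not Petra's implementation.
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_session_cookie() -> str:
    """Build a Set-Cookie value carrying the three flags the policy lists."""
    cookie = SimpleCookie()
    cookie["session"] = secrets.token_urlsafe(32)  # CSPRNG-backed token
    cookie["session"]["secure"] = True      # sent over HTTPS only
    cookie["session"]["httponly"] = True    # hidden from page JavaScript
    cookie["session"]["samesite"] = "Lax"   # withheld on cross-site POSTs
    cookie["session"]["path"] = "/"
    # No Expires/Max-Age: the cookie ends with the browser session.
    return cookie["session"].OutputString()


def is_cross_site_write(method: str, headers: dict, host: str) -> bool:
    """Return True when a state-changing request should be rejected."""
    if method.upper() in SAFE_METHODS:
        return False  # safe methods must never change state
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is not None:
        # "none" means user-initiated navigation (typed URL, bookmark).
        # "same-site" (a sibling subdomain) is rejected along with "cross-site".
        return site not in ("same-origin", "none")
    origin = h.get("origin")
    if origin is not None:
        # Assumed fallback for browsers that do not send Sec-Fetch-Site.
        return urlsplit(origin).netloc.lower() != host.lower()
    # Neither header present: assumed to be a non-browser client,
    # which carries no ambient browser cookies to abuse.
    return False
```

The header check covers what SameSite="Lax" alone does not: a state-changing request from a sibling subdomain counts as same-site for cookie purposes but is still rejected here.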
Data Retention
Your workout data is retained to provide historical tracking and progress analysis. You can request deletion of your data by clearing your browser's stored credentials, which will prevent future access to your account. WebAuthn credentials that are no longer used are automatically cleaned up over time.