Security

Security and Privacy by Design

How FleetFixer protects your data: encryption, access control, isolation, logging, and incident response.

Last updated: June 2026

1. Hosting and encryption

FleetFixer runs on Google Cloud and Firebase. These services operate from data centres that hold SOC 2 reports and other recognised industry certifications, which set a baseline for physical security, availability, and operational controls.

We aim to encrypt data both in transit and at rest:

  • Traffic between your browser and our services is protected with TLS (HTTPS).
  • Data stored in Firestore and other Google Cloud services is encrypted at rest by the platform.

Certifications such as SOC 2 are held by our hosting providers and describe their controls. They are not a certification of FleetFixer Ltd itself.

2. Authentication

Sign-in is handled by Firebase Authentication. You can sign in with an email address and password, and optionally with Google sign-in where that is available.

We do not email plaintext credentials. If you forget your password, we send a one-time, time-limited reset link to your verified email address, and you set a new password yourself. We never see your password in readable form.

3. Access control and isolation

Access to data is governed by role-based permissions. Your role (for example coach, athlete, club administrator, or operator) determines what you can see and do.

On top of roles, Firestore security rules are enforced on the server for every read and write. These rules are designed to keep each club's data separated from every other club's data, so that one organisation cannot reach another organisation's records.

Isolation is enforced at the database layer, not only in the interface. A request that is not permitted by the rules is rejected even if it bypasses the app.

4. Audit logging

Sensitive access is recorded so that it can be reviewed. For example, every time a coach views an athlete's biometric data, that access is logged and made visible to the athlete, so the athlete can see who has looked at their health information and when.

Audit records help us investigate questions about who accessed what, and they support the transparency we expect athletes and clubs to rely on.

5. Wearable health data

Health and biometric readings from connected wearables are treated with particular care. We split this data into two areas:

  • An athlete-only tree, which only the athlete can see by default.
  • A coach-visible tree, which a coach can see only when the athlete has explicitly opted in to share it.

Nothing from a wearable is shared with a coach without that explicit opt-in, and an athlete can review what is shared through the audit records described above.
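As an added illustration of the club isolation in section 3 and the two wearable trees above, here is how such checks can be expressed in Firestore security rules. This is an example written for this page, not FleetFixer's own rules; the collection paths, the role values, and the shareWithCoach field are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Hypothetical layout (not FleetFixer's schema):
    //   /clubs/{clubId}/members/{uid}             -> { role: 'coach' | 'athlete' | ... }
    //   /clubs/{clubId}/athletes/{uid}            -> { shareWithCoach: bool }
    //   /clubs/{clubId}/athletes/{uid}/private/*  -> athlete-only tree
    //   /clubs/{clubId}/athletes/{uid}/shared/*   -> coach-visible tree
    function isMember(clubId) {
      return request.auth != null
        && exists(/databases/$(database)/documents/clubs/$(clubId)/members/$(request.auth.uid));
    }
    function hasRole(clubId, role) {
      return isMember(clubId)
        && get(/databases/$(database)/documents/clubs/$(clubId)/members/$(request.auth.uid)).data.role == role;
    }
    function isSelf(clubId, uid) {
      return isMember(clubId) && request.auth.uid == uid;
    }
    function optedIn(clubId, athleteId) {
      return get(/databases/$(database)/documents/clubs/$(clubId)/athletes/$(athleteId)).data.shareWithCoach == true;
    }

    match /clubs/{clubId} {
      // Tenant isolation: membership is looked up on the server under this clubId,
      // so a signed-in user from another club fails every check below.
      match /members/{uid} {
        allow read: if isMember(clubId);
        // No client writes: memberships are assumed to be managed by trusted
        // server-side code, which does not go through these rules.
      }
      match /athletes/{athleteId} {
        // Only the athlete can read or change the sharing flag.
        allow read, write: if isSelf(clubId, athleteId);

        match /private/{docId} {
          allow read, write: if isSelf(clubId, athleteId);
        }
        match /shared/{docId} {
          // A coach needs both the role in this club and the athlete's opt-in.
          allow read: if isSelf(clubId, athleteId)
            || (hasRole(clubId, 'coach') && optedIn(clubId, athleteId));
          allow write: if isSelf(clubId, athleteId);
        }
      }
    }
    // No other match blocks: any path not listed here is denied by default.
  }
}
```

Rules of this kind can be exercised against the Firebase Local Emulator Suite before deployment, including a negative test in which a coach from a different club is expected to be denied.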

6. AI features

Some FleetFixer features use assistive AI. These run server-side, behind our Cloud Functions, so the API keys used to call the AI provider are never shipped to your browser or exposed in client code.

For more detail on how the assistive AI works and what it does with your data, see our AI transparency notice.

7. Backups and recovery

We take regular backups of platform data and maintain disaster recovery arrangements so that, in the event of a failure, we can restore service and data. We review these arrangements periodically as the platform grows.

8. Responsible disclosure

If you believe you have found a security vulnerability in FleetFixer, please tell us before disclosing it publicly. Email security@fleetfixer.io with enough detail for us to reproduce the issue.

We aim to acknowledge reports within 2 business days and will keep you informed as we investigate. Please act in good faith, avoid accessing or changing data that is not yours, and give us a reasonable opportunity to fix the issue before going public.
