Ananda

Security

Last updated: March 2026

Ananda is built with security and privacy as foundational principles. All customer data is stored exclusively in EU data centres.

1. Data Encryption

  • Data in transit: all communications between your browser and our servers are encrypted using TLS 1.2 or higher
  • Passwords: all passwords are hashed using bcrypt — we never store passwords in plain text
  • Payment data: we never store card numbers or bank details — payments are processed by Stripe and PayPal, both of which are PCI DSS compliant

2. Infrastructure & Hosting

  • Hosting: Ananda is hosted on Hetzner Cloud in EU (Germany) data centres
  • Data residency: your data never leaves the EU
  • CDN & DDoS protection: Cloudflare provides content delivery and distributed denial-of-service protection

3. Access Controls

  • Role-based access: each studio has granular roles (owner, teacher, front desk, student) with appropriate permissions
  • Password security: passwords are hashed using bcrypt, never stored in plain text
  • Session management: session tokens expire after 60 days of inactivity
  • Bot protection: Cloudflare Turnstile protects authentication forms from automated attacks

4. Data Privacy

  • GDPR compliance: Ananda acts as a GDPR-compliant data controller for all personal data
  • Data deletion: account data is deleted within 90 days of account termination
  • Payment record retention: payment records are retained for 7 years as required by EU tax law
  • Data export: studio owners can request a full export of all their data at any time

5. Reporting a Vulnerability

If you discover a security vulnerability in Ananda, please report it responsibly by emailing support@ananda.app with the subject "Security Vulnerability". We take all reports seriously and will respond promptly.