All Collections
General FAQ (Count.It Classic)
Count.It System Security and Data Sharing
Count.It System Security and Data Sharing

Even more detail on how we protect user data and secure our system.

Oliver Ryan avatar
Written by Oliver Ryan
Updated over a week ago

The following provides more detailed information for admins and group organizers on what data Count.It collects from users, and how we secure our system — as well as what data we gather via our Slack app. (For more detail, please check our Privacy & Terms page.)


The Count.It platform deploys standard tools and processes to minimize the risk of security or data breaches. The platform works closely with hosting and infrastructure partners at Amazon AWS, MongoDB Atlas, and Stripe to ensure that all data is encrypted and protected across all transits, and human policy protocols are documented and followed by all staff.

We are a CyberGRX Exchange member, and pleased to receive top ratings from both BitSight and SecurityScorecard, two industry leaders in "outside-in" security testing and monitoring.

SecurityScorecard Report as of March 22, 2021

BitSight Report as of March 23, 2021

CyberGRX Cyber Risk Assessment

Available on demand.


  • Basic User Profile Data: Users create an account on Count.It to access the platform. The system uses password-less email verification to authenticate all users. When registering, a user provides the following to create their profile:

    • First name, last name

    • Email address

    • Avatar image (optional)

    Once a user joins, we infer their timezone, either from a connected fitness tracker, their smartphone OS, or via their web browser in the case of web access. Users can remove their account at any time by their Settings --> Profile page.

  • Activity Data: When a user connects a fitness tracking app, they grant permission to that app (Fitbit, Google Fit, Apple Health, etc.) to share specific fitness activity data with Count.It. Count.It collects only the activity data (or API "scopes") that can be used in the system. We currently receive and process activity data related to:

    • Steps

    • Exercise / Workouts

      • Swimming (meters)

      • Cycling (meters)

      • Yoga (minutes)

      • Meditation (minutes)

      • Strength training (minutes)

        (NB: Count.It collects only the activity data listed. We do NOT collect the following sensitive biometric information, i.e. height, weight, age, gender, heart rate data, or any other personal health data.)

  • Admin Access: Count.It converts all logged activity data into a daily points score. If given permission by a user, a group admin can access the user's activity points "logs" on Count.It to help with data input or score verification. The data shown is the points total for the day. The time of given logged activities is not shown, nor is the relative contribution of activities to the daily points total.

  • User Privacy Setting: A user can opt to be "public" or "private," the former means that they will appear on public leaderboards.

  • Group Privacy Setting: Groups can opt to be "public" or "private," which means the group will be findable on Count.It, and will appear on their regional leaderboard.

  • Admin Account Removal: Admins can delete users at any time, and also request that their group be removed entirely from the system.

  • Slack App: The Count.It Slack app is "pushes" messaging to a designated Slack #channel, and receives data only as a result of direct user actions. (The app does not "listen" to all Slack channel traffic.) When a user registers on Count.It via the Slack app, Slack sends the following data:

    • User's name

    • Email address

    • A secure ID "token."

    • Users can set "workbreak goals" via the Count.It Slack app, and they can log workbreak activity. When they do, this data is sent over from Slack to Count.It within via our app.


  • Our billing system is Stripe Billing, which hosts all client credit card and billing information. No billing information is stored or transmitted in the clear.

  • All data is encrypted during transmission via HTTPS.

  • All related service accounts including our Github repo are accessed using two factor authentication, and access is limited to active developers, and purged regularly.

Did this answer your question?