Platform Architecture · Thomas Buch-Andersen
A digital platform for breathwork, therapy courses, and community — built to be maintained by two people, designed to serve a thousand.
Overview
Thomas works with people through breathwork sessions, group therapy courses, couples work, and retreats. This platform is the digital home for all of it — a private, secure space where participants access their course materials, connect with their group, and stay close to the work between sessions.
Each user logs in and sees only what they're enrolled in. No cross-contamination between courses or groups. Privacy is enforced at the database level, not just the interface.
Documents (PDFs, guides), audio files (guided breathwork, meditations), and videos — all delivered securely to the right participants. Admins upload and organise from a simple panel.
Signal-style group chats per course, an "everyone" channel, and private direct messages. Near real-time with push notifications to iOS and Android.
Each course or workshop is a group. Participants are assigned by an admin. Content, conversations, and membership are all scoped to the group — nothing leaks out.
Thomas and co-admins manage everything from one web interface: create users, build groups, upload content, assign participants, moderate messages.
A native mobile app built on a single shared codebase. Same features, same data, optimised for a phone screen. Push notifications keep participants engaged between sessions.
System Diagram
Three layers: the apps users interact with, the services that power everything, and the data that ties it together.
Architecture
Each block is a distinct responsibility. They connect cleanly so that when something changes — a new feature, a new course type — only the relevant block needs touching.
Every person who uses the platform has a user account. Authentication is handled by Supabase — a mature, secure system that manages email/password login, session tokens, and password resets out of the box. Admins have an elevated role that unlocks the management panel.
A group represents a course, a workshop cohort, a couples programme — anything Thomas runs. Participants are assigned to groups by an admin. The critical detail: access is enforced at the database level using Row-Level Security (RLS). This means even if a bug existed in the app, a user could never retrieve data from a group they don't belong to. It is not a UI trick — it is a database rule.
Content comes in three forms: documents (PDFs, guides), audio (breathwork sessions, meditations), and video (recorded sessions, course material). Files are stored in Cloudflare's storage infrastructure — cheap, fast, globally distributed. Metadata (title, description, group assignments, ordering) lives in the Postgres database. When a user requests a file, a short-lived signed URL is generated by a Cloudflare Worker, so files are never publicly accessible.
Three communication contexts: group chats (one per course), a global "everyone" channel visible to all users, and direct messages between two participants. Messages are stored in Postgres with RLS — users can only read messages from conversations they are members of. Supabase Realtime pushes new messages over a websocket connection. When the app is in the background, Expo's push notification service delivers a notification to iOS or Android.
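The group-scoped access rule described above for content metadata and group messages, written as Postgres Row-Level Security policies. This is an added example, not the platform's actual schema: the table, column, function and policy names are assumptions, and only the group-chat case is shown (the "everyone" channel and direct messages would need their own policies).

```sql
-- Assumed schema: table and column names are illustrative, not the project's.
create table group_members (
  group_id uuid not null,
  user_id  uuid not null references auth.users (id),
  primary key (group_id, user_id)
);
create table content_items (
  id       uuid primary key default gen_random_uuid(),
  group_id uuid not null,
  title    text not null,
  r2_key   text not null            -- object key only; the file itself stays in R2
);
create table messages (
  id        bigint generated always as identity primary key,
  group_id  uuid not null,
  sender_id uuid not null references auth.users (id),
  body      text not null,
  sent_at   timestamptz not null default now()
);

-- Membership test as a SECURITY DEFINER function, so policies on other
-- tables can call it without being filtered by RLS on group_members.
create function is_group_member(g uuid) returns boolean
language sql stable security definer set search_path = public as $$
  select exists (
    select 1 from group_members
    where group_id = g and user_id = auth.uid()
  );
$$;

-- Once RLS is enabled, a row with no matching policy is denied by default.
alter table group_members enable row level security;
alter table content_items enable row level security;
alter table messages      enable row level security;

-- No insert/update policy on group_members: users cannot enrol themselves.
create policy "own memberships" on group_members
  for select to authenticated using (user_id = auth.uid());

create policy "group content" on content_items
  for select to authenticated using (is_group_member(group_id));

create policy "read group messages" on messages
  for select to authenticated using (is_group_member(group_id));

-- WITH CHECK stops a user posting into a group they are not in, or as someone else.
create policy "post as self" on messages
  for insert to authenticated
  with check (sender_id = auth.uid() and is_group_member(group_id));
```

These policies apply only to queries made with the user's own session token. Supabase's service-role key bypasses RLS, so any Worker or admin route that uses it has to perform its own membership or role check before returning data or signing a file URL.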
The admin panel is not a separate product — it is a set of protected routes within the same web application, visible only to users with an admin role. From here, Thomas and any co-admins manage the entire platform without needing to touch a database or write any code. The goal: a non-technical person can run this confidently after a one-hour walkthrough.
Technology
Every choice here was made with two criteria: can Thomas and Bo maintain this without a full-time developer, and will it still work well at 1000 users?
| What | Tool | Why this one |
|---|---|---|
| Frontend (web + admin) | React + Vite | Fast to build, huge community, same language as the mobile app |
| Mobile app (iOS + Android) | Expo / React Native | One codebase, native performance, easy App Store deployment |
| Hosting (web) | Cloudflare Pages | Free tier, global CDN, integrates cleanly with Workers and R2 |
| API logic | Cloudflare Workers | Serverless, runs at the edge, no server to manage |
| Database | Supabase (Postgres) | Row-Level Security, real-time, EU hosting, excellent admin UI |
| Authentication | Supabase Auth | Built in, GDPR-ready, handles sessions and password resets |
| Real-time messaging | Supabase Realtime | Websockets over the same database, no extra service needed |
| Video delivery | Cloudflare Stream | Cheap per minute stored, adaptive streaming, no egress fees |
| File / audio storage | Cloudflare R2 | No egress fees, S3-compatible, pairs with Workers for signed URLs |
| Push notifications | Expo Push | Works across iOS and Android from one API call |
| Language / i18n | i18next | Standard library, easy to add DA/EN strings, works on web and native |
Build Phases
Do not build everything at once. Phase 1 is the foundation that makes phases 2 and 3 easy. Each phase delivers something Thomas can actually use with real participants.
Phase 1 · Foundation
Phase 2 · Communication
Phase 3 · Polish