Database: Supabase (Postgres) in the EU region. All personal data stays inside EU borders.
Encryption: all traffic is TLS-encrypted. Passwords are hashed (bcrypt) — we never see them in plain text.
Row Level Security (RLS): every table in Supabase uses RLS rules. In practice: user A cannot read user B's data even if someone cracked a password or API key.
Anonymous users: when you use the app without signing in, saves and history go to your browser's localStorage. We have no identifier for you.
AI messages: when you chat with Claude, messages go to Anthropic's servers for processing. Anthropic does not store them for training (customer agreement).
Analytics: Vercel Analytics collects anonymized usage stats (page views, country-level data). No ads, no cross-site tracking, no third-party sharing.
Your GDPR rights: you can request a copy of your data or delete your account anytime (Profile → Account). Everything is deleted within 30 days.
Read more in the privacy policy.