Privacy Policy
Your corporate data never leaves your machine in raw form. This policy explains exactly what we process, what we store, and how our architecture is designed to keep sensitive file content out of our cloud entirely.
Zero-File Upload Architecture Commitment
Using the HTML5 File System Access API, every directory crawl, content inspection, and deletion or rename executes on your own device. The original bytes of your documents, spreadsheets, and archives are processed in-browser and are never persisted to, or relayed through, our infrastructure.
What We Collect (Metadata Only)
Our database logs are strictly restricted to the metadata attributes required for migration planning and reporting. Specifically, we may record:
- Anonymized folder pathways
- Filenames
- File extensions
- File sizes
- Last-modified timestamps
- AI-generated text classification tags
This metadata lets us build migration plans, surface ROT, and produce audit ledgers without ever holding your underlying file content.
Third-Party Data Transmission
When AI categorization is enabled, 2,000-character text snippets extracted locally in the browser's memory are securely routed via encrypted HTTPS endpoints to authenticated backend Large Language Model (LLM) APIs. These snippets are used exclusively for categorization and summary generation.
Security Infrastructure
Our multi-layered production security framework is designed to isolate every tenant and authenticate every request:
- Strict per-user Row-Level Security (RLS) database isolation, so users can only ever read their own records.
- Mandatory user JWT token validation on every authenticated backend operation.
- Domain-locked CORS boundaries (*.lovable.app, *.lovable.dev).