How we handle your data
Procurement-friendly answers up front: where data lives, how long we keep it, who else touches it, and how to make it disappear.
Last updated: May 12, 2026
We never train AI models on your data
Your prompts and scan results are sent to model providers under their no-train API tier. We don't fine-tune anything on your inputs.
We don't sell or share data with advertisers
Zero third-party trackers in the app. No data brokers, no ad networks, ever.
Self-serve deletion within 30 seconds
Settings → Delete account wipes profile, projects, scans, and digests immediately. Backups roll off within 30 days.
EU-hosted by default
Primary database is in Frankfurt. Edge compute runs at the closest Cloudflare PoP. Model APIs may route to US — see below.
Data retention
Different data types live for different windows. Anything not listed here is deleted immediately after the request that needed it completes.
| Data type | Retention window |
|---|---|
| Account info (email, name) | Until you delete your account |
| Scan results & prompt receipts | Until you delete the project (or 24 months of inactivity) |
| AI prompt request logs | 30 days then purged |
| Billing records (legal requirement) | 7 years (tax compliance) |
| Server logs / error traces | 14 days |
| Demo scans (no signup) | 24 hours then purged |
Right to deletion
1. In-app: Settings → Delete account. Wipes your profile, all projects, scans, prompts, and digests immediately.
2. By email: Send a deletion request to privacy@ripstartup.com from the address on the account. We confirm within 72 hours and complete within 30 days (GDPR Art. 17).
3. Backups: Encrypted nightly backups roll off within 30 days. After that, no copy of your data exists in our systems.
4. Billing exception: Invoice records are retained for 7 years to satisfy tax law (still purged from operational systems — kept only in audit storage).
Which AI models we send your prompts to
All probes are routed through the Lovable AI Gateway under each provider's no-train commercial API. We do not use ChatGPT/Claude/Gemini consumer accounts (which can train on inputs).
No-train API · 30-day retention at OpenAI for abuse review only
No-train Vertex tier · zero logging available on request
No-train commercial API · 30-day abuse retention
No-train API · search-grounded responses
Sub-processors
The full list of third parties that touch your data and what they do with it.
| Vendor | Purpose | Region | Data sent |
|---|---|---|---|
| OpenAI | ChatGPT model probes for visibility scans | US | Buyer-intent prompts only · no PII |
| Google AI | Gemini model probes for visibility scans | US/EU | Buyer-intent prompts only · no PII |
| Anthropic | Claude model probes for visibility scans | US | Buyer-intent prompts only · no PII |
| Perplexity | Perplexity model probes for visibility scans | US | Buyer-intent prompts only · no PII |
| Lovable AI Gateway | Routes prompts to the providers above | EU | Same as above · no logs retained beyond 30d |
| Supabase | Encrypted database + auth (managed Postgres) | EU (Frankfurt) | Account + scan results |
| Firecrawl | Public website crawl for SEO audit (opt-in) | US | Public URLs only |
| Cloudflare | Edge runtime + CDN + DDoS protection | Global edge | Standard request metadata |
Security controls
TLS 1.3 everywhere. HSTS preloaded.
AES-256 on database, backups, and object storage.
Email/password (bcrypt) + Google OAuth. Optional MFA via TOTP.
Every database table is RLS-enforced — users can only read their own rows.
Every server function and API endpoint validates the session JWT before doing work.
API keys live in encrypted vault, never in client bundles or git.
Automated weekly audit of npm dependencies for CVEs.
Annual third-party penetration test. Latest report available under NDA.
Incident response
If we discover a security incident affecting your data, we'll notify you within 72 hours with the scope, the data involved, and the remediation underway — meeting GDPR Art. 33 obligations regardless of where you live.
Found something concerning? Email security@ripstartup.com. We respond within one business day and credit responsible disclosures publicly with permission.
Need a DPA, SOC report, or vendor questionnaire?
Email privacy@ripstartup.com — we'll send our standard DPA, sub-processor list, and answer most security questionnaires within 48h.
