VaultFlowSign in
Trust & Privacy

How we handle your data

This page is maintained by the VaultFlow team to answer common security and privacy questions about the app. It describes the controls currently enabled in the product. It is editable project content and is not an independent certification or third-party audit.

Access & authentication

VaultFlow requires every user to sign in before reading or writing any vault data. Sign-in is handled by our managed auth provider with email/password and Google sign-in.

Each user can only access their own items, modules, courses, collections, and uploads. Row-level access rules in the database enforce this on every read and write.

Data we store

We store the content you choose to upload or paste into your vault (files, extracted text, AI-generated summaries, tags, prompts, courses), the metadata needed to organize it, and a basic account profile (display name, email used for sign-in).

Uploaded files are kept in a private storage bucket and served through short-lived signed URLs. They are not publicly listable or downloadable without your session.

Platform & hosting

VaultFlow is built on the Lovable platform and runs on Lovable Cloud (managed Supabase backend, edge-deployed frontend). Privileged operations execute server-side; secrets such as API keys are not shipped to the browser.

We rely on the underlying platform for transport encryption (HTTPS) and at-rest encryption of the managed database and storage. This statement describes platform capabilities we use; it is not a compliance certification.

AI processing & subprocessors

When you upload a file, generate a prompt, or build a course, the relevant content is sent to AI models through the Lovable AI Gateway (currently routing to Google Gemini models) to produce extractions, summaries, and lesson content.

We do not sell your data and do not use it to train models on your behalf. Review the gateway and model providers' own terms for their handling of inference requests.

Cookies & analytics

We use only the cookies and local storage required to keep you signed in and to remember UI preferences (e.g. theme). We do not run third-party advertising trackers.

Retention & deletion

Items, modules, courses, and uploads persist in your vault until you delete them. Deleting an item removes its content and associated file from storage. If you want your entire account and data removed, contact us using the address below and we will process the request.

Privacy requests & contact

For privacy questions, data access, correction, or deletion requests, reach out to the project owner through the contact channel listed on the landing page or your account profile. We aim to respond within a reasonable timeframe.

Reporting a vulnerability

If you believe you have found a security issue in VaultFlow, please report it privately to the project owner instead of disclosing it publicly. Include steps to reproduce and any relevant context so we can investigate and remediate quickly.

Shared responsibility

Security is a shared responsibility. The Lovable platform provides the underlying hosting, database, auth, and storage capabilities. The VaultFlow team configures and operates the app (access rules, integrations, AI usage). You are responsible for safeguarding your sign-in credentials and for the content you choose to upload to your vault.

This page is editable app-owned content and is not a Lovable-issued certification. Specific compliance attestations (SOC 2, ISO 27001, GDPR/HIPAA, etc.) are not claimed here; contact the project owner for any formal documentation requests.