    Security

    How we protect your data

    The technical and organizational measures we have in place. Updated as our practices evolve.

    Last updated: April 29, 2026

    01 Encryption

    • In transit. All traffic between your browser and soralab runs over TLS 1.3. We do not accept non-HTTPS connections.
    • At rest. Your account data, image files, and database records are encrypted at rest by our hosting providers (Supabase / Cloudflare R2 / Vercel) using AES-256.
    • Provider keys. All third-party AI provider API keys live exclusively on our edge functions. They never reach the browser.

    02 Data handling

    We collect the minimum needed to run the service — email, profile, jobs, billing status — and nothing else. Detailed coverage is in the Privacy Policy.

    • Input images are deleted from temporary storage within approximately 1 hour after a job completes or fails.
    • Output images stay until you delete them or your account is removed.
    • We do not use your uploads to train AI models — neither ours nor our providers'.

    03 Access control

    • Database row-level security (RLS) ensures your jobs and profile are only accessible to your authenticated session.
    • Sign-in supports email + password and Google OAuth. We hash passwords with industry-standard algorithms — they are never stored in plaintext.
    • Internal admin access is restricted to authorized personnel and audited.
    • Sessions are stored as cookies on your domain only, refreshed automatically, and revoked on sign-out.

    04 Infrastructure

    • Hosting: Vercel (web app) and Supabase (auth, database, storage) — both SOC 2 Type II compliant.
    • Payments: Lemon Squeezy is our merchant of record. We never store card numbers; Lemon Squeezy is PCI-DSS Level 1 compliant.
    • AI providers: NanoBanana and Bria.ai for model inference. Each handles only the input image, only while a job is running.

    05 Incident response

    If we detect a security incident affecting user data, we will:

    • Investigate and contain the issue immediately.
    • Notify affected users by email within 72 hours of confirming the breach.
    • Publish a postmortem on the changelog and explain remediations.

    If you've discovered a vulnerability, please email support@soralab.xyz with details. We respond within one business day and acknowledge responsible disclosures.

    06 Compliance

    • GDPR (EU/UK): we honour data subject requests (export, correction, deletion) within 30 days. Email support@soralab.xyz from your registered email.
    • CCPA (California): we don't sell personal data. Same data subject rights apply.
    • SOC 2: we rely on SOC 2 Type II compliant infrastructure providers. soralab itself is not yet independently SOC 2 audited.

    Found a security issue? Email support@soralab.xyz — please don't disclose publicly until we've had a chance to fix it.