Privacy & Data
What we collect
Account data
- Email address — from Google OAuth, used as your identifier
- Display name and profile picture — from Google, shown in the app
- No passwords are stored (Google OAuth only)
Content
- Documents — title and Markdown content, stored in our database
- Document chunks — overlapping text segments created automatically for search
- Embeddings — numerical vectors (1536 dimensions) generated from your content for semantic search
Usage data
- Operation logs — what type of AI operation was performed, which model was used, token counts, timestamps
- Credit transactions — billing-related amounts and reasons
- No document content is logged — only metadata
Community publishing
- When you publish a library to the community, your creator name (from your Google profile) is displayed publicly alongside the library
- Your email address is stored as the publisher identifier but is not displayed to other users
- Community reports — if you report a community library, your report reason text is stored and visible to Lore DB administrators
Where your data lives
| Component | Location | Provider |
|---|---|---|
| Database | EU or US (configurable per Supabase project) | Supabase (PostgreSQL) |
| Application | Global edge network | Vercel |
| AI processing | US | OpenAI API |
| Payments | Stripe infrastructure | Stripe |
| Authentication | Google infrastructure |
What goes to OpenAI
When you use Search, Ask AI, or save a document, content is sent to OpenAI’s API:
- Document saves: Content is sent for embedding generation (text-embedding-3-small)
- Search queries: Your query is sent for embedding
- Ask AI: Retrieved document chunks + your question are sent for answer generation
What is NOT sent: Your email, name, profile picture, library names, team membership, or any account metadata.
Per OpenAI’s API policy: API data is not used to train models and is retained for 30 days for abuse monitoring only.
If you use Bring Your Own Key (BYOK), you have a direct contractual relationship with OpenAI and their enterprise data policies apply.
Data retention
| Data | Retained until |
|---|---|
| Documents | You delete them |
| Embeddings | Regenerated on edit, deleted with the document |
| Usage logs | Indefinitely (for billing/audit) |
| User accounts | You request deletion |
Your rights (GDPR)
- Access — View all your documents, libraries, and usage in the app at any time
- Portability — Export any library as a complete JSON file (titles, content, metadata)
- Rectification — Edit any document you own
- Deletion — Delete individual documents immediately. For full account deletion, contact us.
- Restriction — Toggle libraries inactive to exclude them from AI processing
Data Processing Agreement
If your organization requires a DPA for compliance purposes, contact us. We provide a standard DPA that covers:
- Data processing scope and purpose
- Sub-processor list (Supabase, Vercel, OpenAI, Stripe, Google)
- Data subject rights procedures
- Security measures and breach notification
Lore DB is designed for team documentation — guides, runbooks, API references, and internal knowledge. Avoid storing highly sensitive data such as production passwords, private keys, or PII in document content. Use the restricted flag on documents that contain sensitive operational information.