Privacy

Your data is yours.

Tenant-isolated at the database row, sandboxed at the app boundary, never used to train someone else's model.

Tenant isolation

Every account gets its own logical tenant, scoped by an immutable owner_id on every row. All queries are filtered server-side with parameterized predicates — no client can read another tenant's rows, even by guessing IDs.

Per-app sandbox

Generated apps run in their own iframe origin with no access to your account session. They cannot read your other apps, your prompts, or your credit balance.

Data sovereignty

Your prompts, references, and generated apps stay in the region you sign up in. We don't replicate data across regions without consent. Export and delete on demand.

Secrets stay yours

API keys you attach to an app are encrypted at rest with per-tenant keys and never logged. We can't read them; only your running app can decrypt at request time.

Encrypted everywhere

TLS everywhere. Postgres and object storage are encrypted at rest with AES-256. Backups are encrypted, access-logged, and retention-bound.

No training on you

Your prompts and uploads are used to build your app — nothing else. They are not shared with model providers for training, and they are not used to improve our defaults.

Common questions.

  • What does "tenant isolation at the database level" actually mean?

    Each row in our Postgres database carries an immutable owner_id. Application-level access checks AND row-level security policies enforce that a query for tenant A can never return rows for tenant B. There is no shared table where a missing WHERE clause could leak across users.

  • Where is my data stored?

    Production data lives in a single region (US-East by default). On request, Studio plan accounts can pin data to EU-West. We do not silently copy data between regions.

  • Can I export and delete everything?

    Yes. From Account settings you can export your prompts and generated apps as a zip, and you can delete your account — which triggers a hard delete in 30 days, including from backups.

  • Who can see my apps?

    By default, only you. You explicitly opt in to publish to Discover, share by link, or invite collaborators (Studio).

Contact

Privacy question we haven't answered?

We'd rather answer it than guess.
