Data protection
Your documents, summaries, quizzes, decks and chat sessions are scoped to your account in our PostgreSQL database. Each row stores a userId and every read or write filters by it server-side — there is no client-trusted path that could read rows from another account.
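As an added illustration of the per-account scoping described above (example SQL, not the product's own schema or queries), the sketch below shows an application query that filters by the owning user and, as a second layer, a PostgreSQL row-level security policy that makes the database refuse cross-account reads and writes even if some code path forgets the filter. The table name, columns and the `app.user_id` session setting are assumptions.

```sql
-- Constructed example table: one owner per row, never queried without it.
CREATE TABLE IF NOT EXISTS documents (
  id       bigserial PRIMARY KEY,
  user_id  text NOT NULL,
  title    text NOT NULL,
  body     text NOT NULL
);
CREATE INDEX IF NOT EXISTS documents_by_owner ON documents (user_id);

-- Layer 1: application-side scoping. The server resolves the user id from
-- the verified session and binds it as a parameter; it is never taken from
-- the request body or query string.
--   SELECT id, title FROM documents WHERE user_id = $1;
--   UPDATE documents SET title = $2 WHERE id = $3 AND user_id = $1;

-- Layer 2: database-side enforcement. Row-level security ties every read
-- (USING) and every write (WITH CHECK) to a per-transaction setting that
-- the server populates after authenticating the request.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;  -- applies to the owner role too

CREATE POLICY documents_owner_only ON documents
  USING      (user_id = current_setting('app.user_id', true))
  WITH CHECK (user_id = current_setting('app.user_id', true));

-- Per request, inside the transaction that serves it:
--   BEGIN;
--   SET LOCAL app.user_id = 'user_123';   -- value from the verified session
--   SELECT id, title FROM documents;       -- returns only user_123's rows
--   COMMIT;
```

With the policy in place, a query that omits the `WHERE user_id = $1` clause still returns only the caller's rows, and an insert or update that names another account's `user_id` is rejected. `current_setting(..., true)` returns NULL when the setting is absent, so a connection that never set `app.user_id` sees no rows at all rather than every row; the application role must not be a superuser, since superusers bypass RLS.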
File uploads are stored on UploadThing with signed URLs. Embeddings are computed and stored against your documents, never aggregated across tenants.
Authentication & sessions
We support two sign-in methods:
- Google OAuth — recommended, no password to manage.
- Email magic link — a single-use link sent via Resend, valid for 24 hours.
Sessions are stateless JWTs signed with a secret stored only in our deployment environment. Tokens are rotated on each refresh and expire after 30 days of inactivity.
AI safety
When you generate a summary, quiz or chat answer, the relevant text is sent over TLS to our model provider (currently OpenAI). Per OpenAI’s API policy, content submitted via the API is not retained for model training. We never fine-tune any model on user data.
The chat system uses retrieval-augmented generation grounded in your document. Every factual claim in an answer carries a citation that links back to the source passage, so you can verify what the model said.
Abuse & rate limiting
Every authenticated endpoint enforces plan-aware limits in two layers:
- Coarse hourly rate limits per user, per feature (in-memory abuse limiter).
- Database-backed daily quotas using a Postgres advisory lock + transactional insert so two parallel requests cannot both pass the check.
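To make the second layer concrete, here is an added example (not the product's own code) of a daily quota implemented as a PL/pgSQL function that takes a transaction-scoped advisory lock before counting and inserting, so two parallel requests for the same user and feature cannot both observe the same count and both pass. The table and function names, the `(user, feature)` lock key and the limit being passed in by the caller are assumptions; the plan lookup that decides the limit is left to the application.

```sql
-- Constructed usage table: one row per consumed unit of a feature.
CREATE TABLE IF NOT EXISTS feature_usage (
  id       bigserial   PRIMARY KEY,
  user_id  text        NOT NULL,
  feature  text        NOT NULL,
  used_at  timestamptz NOT NULL DEFAULT now()
);
CREATE INDEX IF NOT EXISTS feature_usage_lookup
  ON feature_usage (user_id, feature, used_at);

-- Returns true and records one unit of usage if the caller is still under
-- its daily limit; returns false and records nothing otherwise.
CREATE OR REPLACE FUNCTION consume_daily_quota(
  p_user_id     text,
  p_feature     text,
  p_daily_limit integer   -- resolved by the application from the user's plan
) RETURNS boolean
LANGUAGE plpgsql AS $$
DECLARE
  v_used integer;
BEGIN
  -- Transaction-scoped advisory lock keyed on (user, feature). Concurrent
  -- calls for the same key serialize here, so the check-then-insert below
  -- is atomic per key. The lock is released at COMMIT or ROLLBACK.
  PERFORM pg_advisory_xact_lock(hashtext(p_user_id), hashtext(p_feature));

  -- Count today's usage (daily window in the session's time zone).
  SELECT count(*) INTO v_used
    FROM feature_usage
   WHERE user_id = p_user_id
     AND feature = p_feature
     AND used_at >= date_trunc('day', now());

  IF v_used >= p_daily_limit THEN
    RETURN false;            -- over quota: caller answers 429, nothing written
  END IF;

  INSERT INTO feature_usage (user_id, feature) VALUES (p_user_id, p_feature);
  RETURN true;
END;
$$;

-- Usage from the request handler. Calling the function in its own
-- transaction is enough; wrapping it lets the caller roll back the
-- usage row if the downstream work fails.
--   BEGIN;
--   SELECT consume_daily_quota('user_123', 'quiz', 20);  -- true or false
--   COMMIT;
```

Because the lock is taken per `(user, feature)` rather than globally, unrelated users never wait on each other, and the in-memory hourly limiter from the first layer still short-circuits most abusive bursts before they reach the database at all.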
Plan downgrades take effect within seconds: if a paid subscription expires we automatically treat the account as Free at the next privileged request.
Operational practices
- Every PR runs typecheck, lint and build before it can merge.
- Production deploys go out of a clean CI environment, not a developer’s laptop.
- Secrets are stored in Vercel’s encrypted environment, never in the repo.
- We rotate any credential that has been exposed, even accidentally, before redeploying.
Reporting a vulnerability
If you believe you’ve found a security issue, please email security@veliqo.net with a clear description and reproduction steps. We’ll acknowledge within 48 hours and keep you informed as we work on a fix. We don’t pursue legal action against good-faith research that respects user privacy.