Last updated 2026-05-19

Privacy Policy

Who we are

Proofpane is a small early-stage product run by Louie Lunz (Auckland, New Zealand). This page describes what data the product collects, why, where it lives, and how to get it removed.

What we collect

  • Account data: your email address and display name. If you sign in via Google OAuth, we receive your email, name and Google account id (the `sub` claim) from Google's userinfo endpoint. We never receive your Google password (OAuth does not expose it) and we store no other Google profile data.
  • Content you submit: cases, prompts, workflow definitions, files you upload, and the outputs your actions produce.
  • Usage audit: every governance-relevant action (skill executions, policy decisions, HITL approvals, sign-ins) is recorded in a hash-chained audit log. This IS the product — the audit chain is what an auditor verifies offline against the signed Evidence Pack.
  • Operational logs: request paths, latencies, error traces. Used to diagnose problems; not used for advertising or profiling.

Why we collect it

  • To provide the service you signed up for.
  • To produce the audit trail and Evidence Pack the product is built to produce — this is the only feature, not a side-effect.
  • To diagnose bugs and improve reliability.

Where it lives

All data is stored on a single Fly.io machine in their Sydney (syd) region, on an encrypted-at-rest persistent volume. The application database is SQLite; larger files (uploaded documents, embeddings) sit on the same volume.

We do not replicate data to other regions. Note that prompts sent to an LLM provider (see "Third parties we send data to" below) leave that region and are handled under the provider's own terms. If you require data residency in a specific jurisdiction other than Australia, please contact us before signing up.

Third parties we send data to

We are not the LLM. When you run a Skill or an agent, the prompt (which may include content you submitted) is sent to the LLM provider you have configured for that call:

  • Anthropic — claude-* models
  • OpenAI — gpt-* and o* models
  • Google — gemini-* models (where configured)
  • Any custom OpenAI-compatible endpoint you configure yourself

Each vendor has its own privacy policy and data-handling terms. We do not control their behaviour or retention.

For sign-in via Google OAuth, Google receives the standard signals of an OAuth flow: the time of sign-in, our OAuth client id, and the IP address your browser connected from.

What we do NOT do

  • We do not sell, rent, or share your data with anyone for advertising, profiling, or training.
  • We do not use customer content to train any model. We have no model of our own to train, and we do not submit your content to any vendor's training programme; whether a vendor trains on API traffic is governed by that vendor's own terms (see above), which we do not control.
  • We do not have third-party trackers, ad SDKs, or fingerprinting libraries in the product. The frontend loads no remote analytics.

Your rights

  • Export — at any time you can export an Ed25519-signed Evidence Pack containing every audit event in your org. The verifier is open-source and runs offline.
  • Delete — to delete your account and all associated org data, email us (see below). Deletion is irreversible and includes the audit chain rows for your org.
  • Access — to receive a copy of all data we hold about you, also email us.
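The audit chain and the signed Evidence Pack ("What we collect" and "Export" above) are described in prose only; the page does not publish Proofpane's actual record format or verifier. The following is an added illustration, not Proofpane's code, of how an offline check of a hash-chained log with an Ed25519-signed head works in general: every event's hash commits to its predecessor, the export signs only the head, and the verifier recomputes the whole chain from genesis with nothing but the public key. Event fields, the canonical encoding, the fixed demo key seed and the sample events are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// AuditEvent is one governance-relevant action. Prev is the hex hash of the
// preceding event ("" for the first); Hash commits to Prev and every other field.
// (Illustrative schema; Proofpane's real record layout is not published on this page.)
type AuditEvent struct {
	Seq    uint64
	Kind   string // e.g. "skill_execution", "policy_decision", "hitl_approval", "sign_in"
	Actor  string
	Detail string
	Prev   string
	Hash   string
}

// EvidencePack holds the events, the chain head and an Ed25519 signature over
// the head. Because each hash commits to its predecessor, signing the head
// commits to the entire history.
type EvidencePack struct {
	Events []AuditEvent
	Head   string
	Sig    []byte
}

// canonical length-prefixes every field so "ab"+"c" and "a"+"bc" cannot collide.
func canonical(seq uint64, fields ...string) []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, seq)
	for _, f := range fields {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(f)))
		buf = append(buf, l[:]...)
		buf = append(buf, f...)
	}
	return buf
}

func eventHash(seq uint64, kind, actor, detail, prev string) string {
	sum := sha256.Sum256(canonical(seq, kind, actor, detail, prev))
	return hex.EncodeToString(sum[:])
}

// Append extends the chain; the new event's Prev is the current head.
func Append(chain []AuditEvent, kind, actor, detail string) []AuditEvent {
	prev := ""
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash
	}
	seq := uint64(len(chain))
	return append(chain, AuditEvent{Seq: seq, Kind: kind, Actor: actor, Detail: detail,
		Prev: prev, Hash: eventHash(seq, kind, actor, detail, prev)})
}

// Export signs the chain head with the org's signing key.
func Export(priv ed25519.PrivateKey, chain []AuditEvent) EvidencePack {
	head := ""
	if n := len(chain); n > 0 {
		head = chain[n-1].Hash
	}
	return EvidencePack{Events: chain, Head: head, Sig: ed25519.Sign(priv, []byte(head))}
}

// Verify is the offline check: recompute every hash from genesis, confirm each
// link and the head, then check the signature. No network, no live database.
func Verify(pub ed25519.PublicKey, p EvidencePack) error {
	prev := ""
	for i, e := range p.Events {
		if e.Seq != uint64(i) || e.Prev != prev {
			return fmt.Errorf("event %d: sequence gap, reorder or broken link", i)
		}
		if eventHash(e.Seq, e.Kind, e.Actor, e.Detail, e.Prev) != e.Hash {
			return fmt.Errorf("event %d: content does not match its hash", i)
		}
		prev = e.Hash
	}
	if p.Head != prev {
		return errors.New("head does not match last event")
	}
	if !ed25519.Verify(pub, []byte(p.Head), p.Sig) {
		return errors.New("signature invalid for this head")
	}
	return nil
}

// DemoChain builds a small constructed chain (sample data, not real events).
func DemoChain() []AuditEvent {
	var c []AuditEvent
	c = Append(c, "sign_in", "alice@example.com", "google_oauth")
	c = Append(c, "skill_execution", "alice@example.com", "summarise case #17")
	c = Append(c, "hitl_approval", "bob@example.com", "approved action 42")
	return c
}

func main() {
	// Fixed all-zero seed so the demo is reproducible; a real deployment generates its key.
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	pack := Export(priv, DemoChain())
	fmt.Println("genuine pack:", Verify(pub, pack))
	// Edit one historic event: its own hash no longer matches.
	edited := Export(priv, DemoChain())
	edited.Events[1].Detail = "summarise case #18"
	fmt.Println("edited event:", Verify(pub, edited))
	// Truncate the history and re-point the head: hashes check, signature does not.
	trunc := pack
	trunc.Events, trunc.Head = pack.Events[:2], pack.Events[1].Hash
	fmt.Println("truncated:", Verify(pub, trunc))
}
```

The two failure cases in `main` are the ones an auditor cares about: editing a past row is caught by the hash recomputation, and silently dropping the most recent rows is caught by the signature, because the signed head no longer matches the shortened chain. Signing only the head keeps the pack cheap to sign but means the verifier must walk the whole chain; a verifier that checked the signature and skipped the walk would accept an edited history.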

Cookies

We use one short-lived (10 minute) HTTP-only cookie called google_oauth_state during the Google sign-in flow. It binds the OAuth callback to the browser that started the flow (the OAuth `state` parameter), so a forged callback from another site cannot complete a sign-in (login CSRF). It is cleared as soon as the sign-in completes. We do not set any tracking, analytics, or advertising cookies.

Contact

Questions, deletion requests, or anything else: louie.lunz@gmail.com

Changes to this policy

When this page changes, the date at the top is bumped. Material changes are also surfaced inside the product on your next sign-in.