Security and privacy.
Factual answers about where data goes, how it is protected, and what you as the bot owner control. No marketing language — just what is true right now and what is still work in progress.
Where your data lives.
Your content (sources)
When you add a URL source, saavos fetches the page content and stores the extracted text and vector embeddings in a Supabase Postgres database. PDF and text source files are stored in Supabase Storage. The Supabase project is hosted in the EU (Frankfurt region). Your content is scoped to your account by Row Level Security — other users cannot access it.
Visitor conversations
Chat messages are stored in the conversations and messages tables in the same Supabase database. You (the bot owner) can read them from your dashboard. Visitors have no account and no direct way to access or delete their messages. If a visitor requests erasure, you can delete the conversation from your dashboard.
Bot settings and metadata
Bot names, slugs, system prompts, and configuration are stored in the same database, scoped to your account.
How data is protected.
In transit
All traffic between the browser/widget and saavos is over HTTPS (TLS 1.2+). This includes both the dashboard and the chat API. Connections between saavos's servers and Supabase, Anthropic, and OpenAI are also encrypted.
At rest
Supabase encrypts data at rest on AWS infrastructure. This is handled at the cloud provider layer. saavos does not implement application-layer encryption on top of this.
Auth tokens and session cookies
Auth session cookies are set with the HttpOnly attribute (not readable by JavaScript in the browser) and the Secure attribute (sent only over HTTPS). Chat session tokens (issued by /api/chat/session) are HMAC-SHA256 signed, not stored server-side, and expire after 24 hours.
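One way a stateless HMAC-SHA256 session token with a 24-hour expiry can be issued and verified in Node.js. This is an added example, not saavos code; the token layout, payload field names, function names and key are assumptions.

```javascript
// Added illustration, not saavos source code. The token layout, field names
// and key below are assumptions made for this example.
const crypto = require('node:crypto');

const TTL_SECONDS = 24 * 60 * 60; // the 24-hour lifetime stated on the page

function sign(key, data) {
  return crypto.createHmac('sha256', key).update(data).digest('base64url');
}

// Issue "<base64url(JSON payload)>.<base64url(HMAC-SHA256 tag)>".
// Nothing is written to a database: the tag alone proves the server issued it.
function issueToken(key, botId, nowSeconds) {
  const payload = { bot: botId, sid: crypto.randomUUID(), exp: nowSeconds + TTL_SECONDS };
  const body = Buffer.from(JSON.stringify(payload)).toString('base64url');
  return `${body}.${sign(key, body)}`;
}

// Returns the payload if the tag is valid and the token is unexpired, else null.
function verifyToken(key, token, nowSeconds) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const [body, tag] = parts;
  const expected = Buffer.from(sign(key, body));
  const given = Buffer.from(tag);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let payload;
  try {
    payload = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  // Fields are trusted only after the tag check; then expiry is enforced.
  if (!payload || typeof payload.exp !== 'number' || nowSeconds >= payload.exp) return null;
  return payload;
}

// Constructed sample values.
const DEMO_KEY = crypto.randomBytes(32);
const T0 = 1_700_000_000;
const demoToken = issueToken(DEMO_KEY, 'bot_demo', T0);
console.log(verifyToken(DEMO_KEY, demoToken, T0 + 60));          // payload object
console.log(verifyToken(DEMO_KEY, demoToken, T0 + TTL_SECONDS)); // null (expired)
```

Because nothing is stored server-side, a token like this cannot be revoked individually before it expires; rotating the key invalidates all outstanding tokens.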
What is sent to Anthropic and OpenAI.
OpenAI (embeddings only)
Chunks of your source content are sent to OpenAI's embedding API (text-embedding-3-small). Visitor messages are also embedded at query time. OpenAI's API data usage policy for API customers states that data submitted via the API is not used to train OpenAI's shared models. See OpenAI API usage policies.
Anthropic (generation)
At chat time, retrieved chunks from your sources plus the visitor's message and conversation history are sent to Anthropic Claude. Anthropic's privacy policy for API customers states that API data is not used to train Claude. See Anthropic privacy policy.
What is NOT sent to AI providers
Your account credentials, billing information, and bot configuration are never sent to Anthropic or OpenAI.
Who can access what.
Row Level Security
Every database table has Row Level Security (RLS) enabled. Queries from the dashboard use your authenticated session — they can only read and write rows that belong to your account. There is no code path where one owner can access another owner's data through the application.
Visitor access to conversations
Visitors chat via the embed widget. They have no account and cannot access their own conversation history from the dashboard. Conversation data is read by the owner only.
saavos staff access
The service-role database key (which bypasses RLS) is used only in the Dodo Payment webhook handler and internal admin scripts. It is never included in any code path accessible from the browser. Staff access to production data is limited to the founder and is not routine.
GDPR posture.
saavos is a pre-revenue product. GDPR compliance tooling is not yet complete. Here is the honest current state:
Data residency
Supabase is hosted in the EU (Frankfurt). Anthropic and OpenAI are US-based. API calls cross to US infrastructure. This means standard contractual clauses (SCCs) apply for EU-to-US transfers.
Right to erasure
If a visitor requests deletion of their conversation data, you (the bot owner) can delete it from your dashboard. Deleting a bot also hard-deletes all its conversations and messages via database cascade. There is no automated visitor-facing erasure flow yet.
Data Processing Agreement
A formal DPA is not yet available. If you need one for your GDPR compliance, email founder@5minbot.com. This is on the roadmap.
Visitor notification
You are responsible for notifying your site visitors that a chatbot is present and that their messages are stored. Include this in your site's privacy policy.
What you can delete.
Delete a source
Deleting a source removes its content and all vector embeddings from the database immediately. The bot will no longer answer questions from that content.
Delete a bot
Deleting a bot hard-deletes the bot, all its sources, all chunks, all conversations, and all messages. This is irreversible.
Delete your account
Account deletion is not yet self-serve. Email founder@5minbot.com to request full account and data deletion. We will process it within 30 days.
Last updated 2026-05-13