Beta v0.18.5|Methodology v1.7.5

Your Data Privacy

How SeanPropApp handles your data. Last updated April 2026.

Related: Terms of Service

How Your Data Flows

Your Browser(all your data stays here)CORS Proxy(relay only: no storage, no logs)Anthropic / OpenAI(per provider's API policy)API key + promptAI responseStored in YOUR browser• API key (AES-GCM encrypted localStorage)• Analysis outputs (IndexedDB)• Module content and company data• Uploaded documentsYou control it. Clear your browser data to erase it.Stored on our server (Supabase)• Email address (authentication)• Session metadata (device type, timestamps)• Usage telemetry (click patterns, no content)• NPS scores and feedback text• Google Drive OAuth tokens (if connected)Zero user content. Zero module outputs. Zero company names.

Our Architecture: Thin CORS Proxy

SeanPropApp uses a Bring Your Own Key (BYOK) model: your API key is stored in your browser's localStorage, encrypted with AES-GCM via the Web Crypto API. Your key is never sent to our servers for storage.

When you run an analysis, your browser assembles the full prompt locally and sends it, along with your API key, through our thin CORS proxy to Anthropic or OpenAI. The proxy exists only to handle cross-origin restrictions. It relays the request and response without logging, storing, or reading any content.

All analysis data, including module outputs, company names, documents, and user content, is stored in your browser's IndexedDB. Nothing is stored on our servers.

What We Never Store (Zero Server-Side Storage)

  • Your API key: encrypted in your browser only. It transits the proxy per-request over HTTPS, is used for the AI call, and is immediately discarded. Never written to disk or logs.
  • Your documents and input files: parsed and processed entirely in your browser. Never sent to our server.
  • Module outputs and chat messages: streamed from the AI provider to your browser via the proxy. Never logged server-side.
  • Company names, initiatives, or industry: never recorded. We do not know what you are analyzing.
  • User content in server logs: our proxy does not log request or response bodies. No content appears in any server log.

What We Do Store (Supabase)

  • Your email address: for authentication and so we can reach you with product updates or feedback requests.
  • User profile: your display name, preferred currency, and preferred language. Used to personalize your experience.
  • Session metadata: device type, browser type, screen size, and session timestamps for product improvement. Sessions are created on first page visit, including for unauthenticated visitors.
  • Telemetry events: which modules you ran, re-runs, skips, chat messages sent, sidebar navigation, export format choices, file uploads, time spent per module, and token counts. This helps us improve the analysis methodology. It contains no user content, company names, or module outputs.
  • NPS scores and feedback text: scores and any free-text comments you choose to submit.
  • Google Drive credentials (if connected): when you connect Google Drive, we store your OAuth access and refresh tokens and your Google account email in our database. This allows the app to save analysis outputs to your Drive without requiring you to re-authorize each session. We do not store any Drive file names, folder paths, or file contents on our server; only opaque file IDs are tracked client-side in your browser.

Cloud Storage (Google Drive) - Optional

You can optionally connect your Google Drive to sync analysis outputs for backup and cross-device access. This is entirely opt-in.

Scope: We request the drive.file scope, which means we can only create, read, update, and delete files that this app itself created. We cannot see, list, search, or modify any of your other Google Drive files. We also request your Google account email to display which account is connected.

What we create in your Drive: A “SeanPropApp” folder containing subfolders for each analysis: inputs (documents you uploaded), analysis outputs (module results), exports (HTML, DOCX, ZIP), and archives (previous versions when you re-run modules).

What we store on our server: Your Google account email and OAuth tokens (access token, refresh token) so we can make Drive API calls on your behalf. These are stored securely in Supabase with row-level access control: only you can access your own tokens.

When you disconnect: Your OAuth tokens are revoked via Google's API and deleted from our server. Files already in your Drive remain yours and are not deleted. You can reconnect at any time.

We never copy your Drive content to our servers and never share your Google Drive data with third parties.

Analytics

We use Google Analytics 4 (GA4) for page view and event tracking. GA4 is activated only after you provide consent via our cookie banner. You can decline and the app will function normally without analytics.

Cookies

  • Authentication session: an httpOnly cookie managed by Supabase to keep you signed in. Essential for the app to function.
  • Google OAuth state: a short-lived httpOnly cookie (expires after 10 minutes) used for CSRF protection during the Google Drive connection flow. Set only when you initiate a Google Drive connection.
  • Google Analytics: GA4 cookies are set only after you provide consent via our cookie banner. You can decline and the app functions normally without them.

AI Provider Data Policies

Your prompts and inputs are sent to your chosen AI provider via their API. As of writing, the standard API policies of Anthropic and OpenAI both state that API data is not used to train their models by default. These policies are set by the AI provider, can change over time, and may also be affected by settings or agreements on your provider account.

You are responsible for reviewing your AI provider's current data policy and managing your own account-level settings (including any data-sharing or model-training preferences). SeanPropApp has no visibility into or control over these settings. See our Terms of Service for the full statement of your responsibilities.

Data Retention

Session metadata and telemetry events are retained indefinitely to support long-term product improvement. NPS scores and feedback are retained indefinitely. Google Drive OAuth tokens are retained until you disconnect your account or request deletion. We do not automatically purge any server-side data unless you request it.

Your Rights

You can request deletion of your account and all associated metadata at any time by emailing support@seanoneill.com. This permanently removes your email, profile, session logs, telemetry, feedback, NPS responses, and any stored Google Drive OAuth tokens from our database.

Since we never store your analysis content on our servers, there is nothing else to delete. To clear browser-side data (API key, analysis outputs, and uploaded files), clear your browser's site data for this domain.

Beta Feedback