Security & data handling.
We handle commercially sensitive contracts, forecasts, pricing inputs, and business assumptions. Here is how your data is protected, processed, and deleted.
1. Customer materials are used for your project deliverables.
We use customer-specific content only as needed to deliver the engagement: extraction, intake, scope brief, Excel model, dashboard, support, audit trail, and deletion workflows.
We may use aggregated, non-identifying metadata to improve and market Auriflow Studio, such as project type, approximate value bands, common commercial terms, scenario categories, and turnaround metrics. We do not share identifiable contract details, company-specific forecasts, pricing inputs, counterparty names, uploaded documents, or customer-specific outputs.
Questions about a specific data-use concern? Contact us.
2. Assisted processing is used only to support the engagement.
Auriflow Studio uses Anthropic's Claude API for document extraction and guided intake support. Under Anthropic's Commercial Terms of Service, API inputs and outputs are not used to train Anthropic's models unless a customer explicitly opts in. Anthropic may retain API data for a limited period for trust and safety purposes under its then-current commercial terms.
A senior Auriflow operator reviews the materials and builds the final model. Assisted processing helps reduce intake friction; it does not replace the human modeling work.
Anthropic's position on API training data:
"We do not use your data submitted through the API to train our models without your explicit permission."
Verify this at privacy.claude.com
3. Private storage, encryption, and transport security.
Uploaded files are stored in a private Supabase Storage bucket. Supabase provides encryption at rest and transport encryption for hosted services. Database fields containing extracted terms and project data are protected by row-level security (RLS) policies that restrict customer access to their own account.
Communications between your browser and the application are served over HTTPS. We do not intentionally serve application pages or customer workspaces over unencrypted HTTP.
- ✓ Private storage bucket for uploaded engagement files
- ✓ Row-level security: customer records are scoped to the customer account
- ✓ HTTPS for application traffic
- ✓ Signed file URLs with short expirations for customer and operator access
4. Access is limited to the operator building your model.
Only the Auriflow Studio operator — the human modeling your engagement — has access to your uploaded project materials during the active modeling window. No subcontractors or offshore production teams are used for customer model delivery.
The operator accesses your files through an authenticated internal dashboard. All access is logged to your engagement's audit trail where supported by the application.
5. You control your data. Permanently.
You can delete your engagement and all associated files with a single click in your dashboard. This action:
- ✓ Purges uploaded project files from Supabase Storage immediately
- ✓ Removes extracted project data from the database
- ✓ Anonymizes personally-identifying fields within 24 hours
- ✓ Retains only anonymized audit log entries required for legal record-keeping
Deletion is permanent and cannot be undone.
6. Payments are handled by Stripe Checkout.
Auriflow Studio does not store full card numbers. Checkout, payment collection, and card data handling are processed by Stripe. Auriflow stores payment status and Stripe identifiers needed to reconcile the engagement.
7. Audit trail in your dashboard.
Key actions on your engagement — file upload, assisted processing, status changes, delivery, and deletion — are logged with timestamp, actor, and action type. The customer-readable subset of this audit log is visible in your dashboard.
Questions about our security practices? Contact us. We respond within one business day.