Privacy
The short version: your workbook is analyzed in isolation, deleted immediately, and never used to train anything. The long version below says exactly what happens, in the order it happens.
What happens to your file
Your upload is streamed to a private temporary directory under a random ID — your filename is never stored or logged anywhere. The file is parsed by an isolated sandbox process that runs with a minimal environment: it receives no API keys, no database access, no secrets of any kind. The file is deleted immediately after analysis, on every path — success, rejection, or failure — and a periodic sweep of the upload directory acts as a backstop for crashes. Your workbook is read, never executed: formulas are analyzed as text, macros and code are never run.
What we keep
After an audit we keep the metadata: the score, grade, and the counts of critical / warning / info findings, plus how long the analysis took. The detailed findings themselves expire 60 minutes after the audit and are purged by a sweeper that runs every 5 minutes — unless you're signed in and chose to save the report (below). Your results page is private to your browser or account — a leaked or shared results link shows nothing to anyone else. Nothing about your audit is public unless you explicitly publish a share card, and the share card shows only the score and the finding counts — never the findings themselves.
Saved reports
Saving is opt-in and off by default. If you're signed in, you can click "Save this report" on a results page: a saved report is retained until you delete it from your account — it is excluded from the automatic expiry above. Deleting is immediate and removes the findings and any AI summary; the score and grade metadata remain, exactly as with an expired report. Free accounts can keep 3 saved reports at a time; Pro can keep 500. Unsaving a report puts it back on the normal 60-minute expiry clock.
The AI summary
The plain-language summary is generated only when you request it on your results page. To produce it we send per-check aggregates and the top findings — locations and finding messages, not your workbook — to our AI provider (Anthropic). Your file itself is never sent to any third party. The generated summary is cached and deleted on the same schedule as the report it belongs to, and a global daily cap bounds how many summaries we generate in total.
Rate limiting and IP addresses
Free anonymous audits are limited per day, which requires telling one visitor from another. We never store raw IP addresses for this. We store a one-way HMAC hash keyed by a server secret and the current UTC date — the hash rotates daily, so it cannot re-identify your IP across days, and it cannot be reversed into an IP at all.
Accounts and payments
Accounts use email-only magic-link sign-in — there are no passwords, so there is no password of yours to lose. Payments are handled by Stripe: we store your Stripe customer and subscription IDs so we know your plan, and we never see or store card numbers.
Never used for training
Your files, findings, and reports are never used to train models — ours or anyone else's. The AI-summary processing runs under API terms that do not train on submitted data.
Logging
Application logs carry metadata only — sizes, durations, and error kinds. They never contain your file's contents or its filename.
Questions about any of this? The behaviors above are implemented in code, not policy prose — if you spot a gap between this page and what the product does, we want to know.