Security

We built AI-Guide with privacy and security as core design principles. This page describes how we protect your data and what you can expect from us as a user or customer.

Last updated: 25 November 2025

1. Security philosophy

• Privacy-first by design – We minimize the data we collect and avoid storing screenshots.
• Least privilege – Systems and people only have the access they need to perform their function.
• Separation of concerns – Desktop app, control API, AI proxy, and data store are separated into distinct components.
• Continuous improvement – We regularly review logs, dependencies, and architecture to improve security.

2. Data flows at a glance

1. The desktop app captures only the region of the screen you explicitly select.
2. The screenshot and related context are sent over an encrypted connection (HTTPS/TLS) to our backend.
3. The AI proxy securely forwards the content to Azure OpenAI for analysis.
4. The AI result is returned to your desktop app.
5. Screen images are kept only in memory for processing and are not stored persistently in our databases.

Usage logs contain only high-level metadata (feature usage, timestamps, token counts) and never the full image.

3. Infrastructure

• Cloud provider: Microsoft Azure (West Europe region)
• Architecture:
  • Separate Control API and AI Proxy services
  • Supabase Postgres for authentication and application data
  • Azure Cognitive Search for optional knowledge base integration
• Network security:
  • All public endpoints served over HTTPS
  • Firewalls and service-level access restrictions
  • Rate limiting and abuse detection on API endpoints

4. Application security

• All communication between the desktop app and backend uses TLS.
• Access tokens and API keys are stored in secure environment variables, not in source code.
• Authentication uses Supabase Auth, supporting secure OAuth providers (Google, etc.).
• JWTs are validated on the server for each request that requires authentication.
• We use role-based access control where appropriate (e.g. per account / per plan).

5. Data storage and retention

• Screenshots and visual data: Processed in memory only; not stored after analysis.
• Account data: Email address, hashed passwords (if applicable), OAuth identifiers.
• Subscription data: Stored via our billing provider(s); we do not store full payment card numbers on our servers.
• Logs: Retained for limited periods to monitor performance and security.

We regularly review retention policies to ensure we keep data no longer than necessary.

6. Vulnerability management

• We keep dependencies up to date and monitor for known vulnerabilities using automated tooling.
• We apply security patches to our infrastructure in a timely manner.
• We log and monitor unusual activity to detect potential abuse.

If you discover a vulnerability, please report it responsibly (see below).

7. Responsible disclosure

If you believe you have found a security or privacy issue in AI-Guide:

1. Email us at security@ai-guide-app.com with a detailed description.
2. Do not publicly disclose the issue until we have had a reasonable opportunity to investigate and fix it.
3. Avoid accessing or modifying data that does not belong to you.

We will:

• Acknowledge receipt of your report,
• Keep you updated on progress,
• Notify affected users where appropriate.

At this time we do not operate a formal bug bounty program, but we may recognize significant contributions in a Hall of Fame in the future.

8. Business continuity

• Production data is backed up regularly.
• We use multiple availability zones and cloud redundancy where possible.
• In case of a major incident, we will work to restore service as quickly as possible and communicate via our status page (when available) and/or email.

9. Questions

If you have questions about our security practices, contact:

Security Contact
Email: security@ai-guide-app.com