Security

Data handling and security

Mizan is built for HR teams handling employment data — names, salaries, contracts. We treat that data with the carefulness we'd want our own employer to apply. Here's exactly what happens to it.

Contracts you upload

Contracts uploaded for analysis are processed in memory and discarded after the report is returned. We never persist the file contents to disk on our servers, and we never train any model on them.

The analysis itself (summary, clause verdicts, citations, estimated fines) is saved to your account so you can revisit past reports. You can delete any report from your account at any time. Deleting your account permanently wipes all reports.

Chat conversations

Your questions and our answers are stored in your account so you can resume sessions and reference past responses. The backing database is Supabase (Postgres) hosted in the EU (Frankfurt region), with Row Level Security policies so each user can only read their own records.
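The Row Level Security setup the paragraph above refers to looks roughly like the following in Postgres. This is an added illustration, not Mizan's own schema or policies: the `chat_messages` table, its columns and the policy names are assumptions; `auth.uid()` and the `authenticated` role are Supabase's built-in helper and role.

```sql
-- Added example, not Mizan's own schema or policies.
-- Assumes a hypothetical "chat_messages" table whose user_id column
-- holds the owning user's auth.users id. auth.uid() is Supabase's
-- helper that returns the user id carried by the request's JWT.

create table if not exists public.chat_messages (
  id         bigint generated always as identity primary key,
  user_id    uuid not null references auth.users (id) on delete cascade,
  role       text not null check (role in ('user', 'assistant')),
  content    text not null,
  created_at timestamptz not null default now()
);

-- Weak state: RLS off. Any request made with the anon or authenticated
-- API key can read every row in the table.
-- alter table public.chat_messages disable row level security;

-- Hardened state: RLS on. With RLS enabled and no policies defined,
-- Postgres denies every row to non-owner roles (default deny).
alter table public.chat_messages enable row level security;
-- FORCE applies the policies to the table owner as well, so a
-- misconfigured owner connection cannot bypass them.
alter table public.chat_messages force row level security;

-- Each user may read only the rows they own.
create policy "read own messages"
  on public.chat_messages
  for select
  to authenticated
  using (auth.uid() = user_id);

-- Each user may insert only rows stamped with their own id.
create policy "insert own messages"
  on public.chat_messages
  for insert
  to authenticated
  with check (auth.uid() = user_id);

-- Each user may delete only their own rows.
create policy "delete own messages"
  on public.chat_messages
  for delete
  to authenticated
  using (auth.uid() = user_id);

-- Audit check: list tables in the public schema that still have RLS off.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity;
```

Two points worth checking in any such setup: the `service_role` key bypasses RLS entirely, so it must only ever be used from server-side code, and the final query is a cheap way to catch a newly created table that was never given `enable row level security`.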

We do not train models on your conversations. OpenAI processes your prompts to generate answers; Mizan's OpenAI agreement specifies that prompts and completions are not used for model training, which is OpenAI's default for API customers under its data usage policy.

Encryption

All traffic between your browser and Mizan is served over HTTPS (TLS 1.2+). Data at rest in our database is encrypted using Supabase's default AES-256 disk encryption. Backups are encrypted in transit and at rest.

Authentication

Authentication is handled by Supabase Auth. We support email + password and Google OAuth. Passwords are hashed using bcrypt with a unique salt per user — we never see or store plaintext passwords.

You can change your password, set a new one (if signed up via Google), or sign out of every device from Settings → Security. Rotating your password automatically invalidates every active session across all devices.

Hosting + infrastructure

The Mizan API runs on a dedicated VPS in Frankfurt (Hetzner / Netcup). The marketing site and authenticated app are served from the same region. Supabase (Postgres + Auth) is also EU hosted. We do not currently process data outside the EU.

Stripe handles payment processing — we never see your card number. PCI compliance is delegated to Stripe (Level 1 PCI DSS certified).

Your rights

Access: Everything we have on you is visible inside the app (chat history, contract reports, profile, billing).

Deletion: Settings → Account → Danger zone → Delete account. This wipes your profile, chat history and contract analyses, and cancels any active subscription. The deletion is permanent and irreversible.

Portability: We don't have a one-click export yet — email contact@sefarai.com and we'll send your data as a JSON archive within a business day.

Disclosure + contact

If you find a security issue, please email contact@sefarai.com before disclosing publicly. We'll acknowledge within one business day and credit you in any fix.

For full legal terms, see our Privacy Policy and Terms of Service.

Last updated: May 2026.