Security & Data Handling

Last updated: April 14, 2026

gotcontext.ai is designed to minimize the data it stores and to protect everything that passes through it. This page explains how compression works, what we retain, and how we keep it safe.

How compression works

When you send text to the compression API, our engine analyzes it using graph-based semantic extraction (PageRank over sentence relationships), token-level attention scoring, and multi-pass inlining. The compressed output is returned in the API response. The original input text is processed entirely in memory and discarded after the response is sent — it is never written to disk or persisted in a database.

What we store

For each compression request, we retain only:

  • Input and output token counts (for usage metering and billing)
  • A truncated 100-character preview of the input (for the dashboard history view)
  • Compression ratio, algorithm used, and request timestamp
  • Your user ID and API key identifier (not the key itself)

We do not store full documents, full compressed outputs, or any content beyond the 100-character preview.

Where data lives

  • Supabase Postgres (US East) — user records, usage metadata, team and webhook configuration
  • Upstash Redis (US East) — rate limiting, session caching, ephemeral compression state
  • Fly.io (US East) — API compute; no persistent storage on application servers
  • Vercel (US East) — frontend hosting; no user data stored at the edge

Encryption

All data in transit is protected by TLS 1.2+ (HTTPS). Data at rest in Supabase and Upstash is encrypted by the cloud provider using AES-256. Backups are also encrypted at rest.

Access control

User authentication is handled by Clerk with support for email/password, OAuth (Google, GitHub), and multi-factor authentication. API keys are hashed with HMAC-SHA256 before storage — plaintext keys are shown only once at creation time and are never retrievable afterward.
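
A sketch of the storage pattern described above, added here as an example; it is not gotcontext.ai's code. The server-side HMAC secret (`SERVER_PEPPER`), the `gc_<id>_<secret>` key format, and the in-memory `KEY_STORE` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: the HMAC secret lives outside the database (e.g. a secrets
# manager), so a database dump alone cannot be used to test guessed keys.
SERVER_PEPPER = secrets.token_bytes(32)  # constructed for this example

# Stand-in for the database table: key identifier -> stored record.
KEY_STORE = {}


def _digest(plaintext_key: str) -> str:
    """HMAC-SHA256 of the full key under the server-side secret."""
    return hmac.new(SERVER_PEPPER, plaintext_key.encode(), hashlib.sha256).hexdigest()


def create_api_key(user_id: str) -> str:
    """Store only the identifier and digest; return the plaintext exactly once."""
    key_id = secrets.token_hex(4)        # non-secret identifier, safe to log
    secret = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    plaintext = f"gc_{key_id}_{secret}"  # hypothetical key format
    KEY_STORE[key_id] = {"user_id": user_id, "digest": _digest(plaintext)}
    return plaintext


def verify_api_key(presented: str):
    """Return the owning user_id, or None if the key is unknown or malformed."""
    parts = presented.split("_", 2)
    if len(parts) != 3 or parts[0] != "gc":
        return None
    record = KEY_STORE.get(parts[1])     # look up by identifier, not by secret
    if record is None:
        return None
    # Constant-time comparison avoids leaking digest prefixes through timing.
    if hmac.compare_digest(record["digest"], _digest(presented)):
        return record["user_id"]
    return None
```

Because only the digest is stored, a lost key cannot be recovered and has to be revoked and reissued.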

Internal access to production databases is restricted to the founding team via VPN and requires MFA. There is no shared root credential.

Data retention

Usage metadata is retained for the duration of your billing period plus 90 days to support dispute resolution and billing reconciliation. After that window, records are permanently deleted. You may request immediate deletion of your account and all associated data at any time via the contact form.

Compliance

GDPR: We support data export and deletion requests for all users. Contact us to receive a full export of your stored data or to request permanent deletion. We respond to verified requests within 30 days.

SOC 2: SOC 2 Type II certification is in progress. Enterprise customers can request our current security questionnaire and evidence package via the contact form.