Security
How we protect your data.
CloneGen is an EU-hosted platform with GDPR-first data handling. Your uploads, generations, and account data stay in the EU, are encrypted at rest, and are never used to train public AI models.
Infrastructure
EU hosting
Application hosted on Vercel (EU regions). User uploads and generation artifacts stored on Cloudflare R2 with EU-only distribution. Database is Supabase Postgres (EU-West). Payment processing handled by Stripe and PayPal (both GDPR-compliant, EU-registered processors).
Encryption at rest and in transit
All uploads, generations, and account data are encrypted at rest by the underlying storage providers (R2 and Supabase). All traffic to and from the application is TLS 1.3 with HSTS enforced (max-age 2 years, includeSubDomains, preload).
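A check for the HSTS policy stated above, as an added example that is not CloneGen's own code: it parses a Strict-Transport-Security header and reports where it falls short of max-age 2 years, includeSubDomains and preload. The function names and sample headers are constructed for illustration, and 2 years is taken as 63072000 seconds.

```python
import re

TWO_YEARS = 63072000  # assumption: 2 * 365 * 24 * 3600 seconds for "max-age 2 years"

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        if name in directives:           # RFC 6797: a directive appears only once
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val.strip().strip('"')
    return directives

def check_hsts(headers):
    """Return a list of findings; an empty list means the stated policy is met."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header"]
    try:
        # RFC 6797 section 8.1: only the first header field is processed
        d = parse_hsts(values[0])
    except ValueError as exc:
        return [str(exc)]
    findings = []
    max_age = d.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):
        findings.append("max-age missing or not an integer")
    elif int(max_age) < TWO_YEARS:
        findings.append(f"max-age {max_age} is below {TWO_YEARS}")
    for flag in ("includesubdomains", "preload"):
        if flag not in d:
            findings.append(f"{flag} directive missing")
    return findings

# Constructed sample response headers (not captured from any real site)
GOOD = [("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")]
WEAK = [("strict-transport-security", "max-age=31536000; includeSubDomains")]

if __name__ == "__main__":
    for label, hdrs in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, check_hsts(hdrs) or "meets stated policy")
```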
Access control
Every database table ships with row-level security (RLS) policies that prevent cross-user data access. Administrative operations require an authenticated session with the is_admin flag and are logged in an admin_logs table. Impersonation is supported for support purposes and is logged separately.
Data handling
We never train public models on your uploads
Uploaded photos are used only to build YOUR private identity model and to run generations you explicitly request. They are never added to a public training dataset or shared with third parties beyond the pipeline model providers required to fulfill a generation.
Retention
Account data is retained for the lifetime of your account. Upon account deletion, we permanently remove your personal data within 30 days, with the exception of payment records which are retained for 10 years per German tax law (§ 147 AO).
GDPR rights
You can exercise all rights under GDPR Articles 15–21 (access, rectification, erasure, portability, restriction, objection) by emailing info@clonegen.app. Full details, including the name of the relevant German supervisory authority, are in the Privacy Policy.
Responsible disclosure
If you believe you have found a security vulnerability in CloneGen, please report it privately so we can fix it before it is disclosed publicly. We welcome and appreciate reports from security researchers.
Where to report: info@clonegen.app with "Security Report" in the subject line.
What to include: a description of the issue, steps to reproduce, the impact you observed, and any suggested remediation.
What we commit to: an acknowledgment within 3 business days, a status update within 14 days, and credit in the changelog entry when the fix ships (unless you prefer to remain anonymous).
Please do not: run automated scanners against the production site, attempt to access accounts you do not own, or exfiltrate data beyond the minimum needed to demonstrate the vulnerability.
Supported browsers
CloneGen supports the latest two major versions of Chrome, Edge, Firefox, and Safari on desktop, plus Safari (iOS) and Chrome (Android) on mobile. Older browsers may work but are not actively tested. Upload and generation features require modern JavaScript APIs (File, Blob, fetch, ResizeObserver) — we do not support Internet Explorer.
Questions about security? Email info@clonegen.app.