How We Protect Your Data

Here's the explicit commitment, with no asterisks:

• Tagmatic does not use customer data — text inputs, annotation outputs, or metadata — to train, fine-tune, or benchmark any AI model, now or in the future.
• Google (Gemini API): Processed under Google Cloud's commercial API terms. Google does not use API inputs to train models without explicit customer opt-in. Tagmatic has not opted in.
• Anthropic (Claude API): Processed under Anthropic's commercial API terms. Anthropic explicitly does not train on API inputs from commercial customers.
• Both AI providers receive only the data necessary to process a single annotation request. No data is retained by either provider after the API response is returned.

The following third-party providers may process customer data as part of the annotation service. All are under contractual obligations consistent with applicable data protection law.

We maintain this list and will notify customers via email at least 14 days in advance before adding a new sub-processor. Email help@tagmatic.app to opt in to sub-processor change notifications.

• In transit: All client-server communication uses TLS 1.2 or higher. Plain HTTP is redirected to HTTPS. HSTS enforced.
• At rest: The Neon PostgreSQL database is encrypted at rest using AES-256 at the infrastructure level.
• API keys: Customer API keys are hashed before storage (one-way). Full keys are shown once at creation — they cannot be recovered, only rotated.
• Database connections: Application servers connect to the database over private networking with SSL enforced. No public database endpoint exists.

• Passwordless magic links: No passwords to phish, brute-force, or reuse. Magic links are single-use and expire after 15 minutes.
• JWT sessions: Sessions are short-lived JSON Web Tokens. Tokens can be revoked per-device from Settings → Security.
• API key scoping: Programmatic access uses scoped API keys. Any key can be rotated or revoked independently without affecting others.
• Data isolation: Every query is scoped to the authenticated user. Cross-account data access is not possible via the API.
• Least privilege: Runtime database credentials have only the permissions required for normal application operation. No admin credentials run in production.

We keep data only as long as necessary to run the service and meet legal obligations.

• Active accounts: Annotation records, project data, and usage logs are retained while the account is active.
• Account deletion: All personal data and annotation records are purged within 30 days of a deletion request. Backup purge completes within 90 days.
• Billing records: Transaction records may be retained up to 7 years as required by law.
• Data export: Full JSON export available anytime from Settings → Data & Privacy.

To request deletion: email help@tagmatic.app with subject "Delete my account."

• Application servers run on Render's managed infrastructure (US regions). Render holds SOC 2 Type II certification.
• Database (Neon) is accessed only via private networking — no public database endpoint is exposed.
• All secrets, API keys, and credentials are stored as encrypted environment variables in Render — never in source code or version control.
• Daily automated backups of the production database with 7-day retention.
• Security patches are applied promptly; critical vulnerabilities are addressed within 48 hours.

Honest status on where we are:

If you discover a security vulnerability, please report it to us before public disclosure. We take all reports seriously.