Security

On-device chat stays on your device. Hosted services run on our own models — never third-party LLM providers.

1. On-Device and Hosted

Sprapp handles security across two modes:

• On-device (public chat): Our models run in your browser via WebAssembly. Prompts and replies are processed locally and are not sent to our servers.
• Hosted (inference, training, marketplace): Requests are processed on our own engine (serve-native) running our own models. We do not route prompts to third-party LLM providers.

2. Data Storage

• On-device data (drafts, local chat) lives in your browser and never leaves it unless you export it.
• Hosted data — trained adapters and account records — is stored on Cloudflare infrastructure (R2 object storage, D1/KV) under our control.
• A short-lived country cookie (sprapp-country) is used for pricing only.

3. Encryption in Transit

• All connections to sprapp.com use HTTPS with TLS 1.2+ encryption.
• HSTS (HTTP Strict Transport Security) is enabled to prevent downgrade attacks.
• API requests to our hosted inference endpoint are TLS-encrypted.

4. Payment Security

We do not handle payment card data directly. Payments and marketplace payouts are processed by Stripe (PCI DSS Level 1). We receive only a payment confirmation and subscription status — never your card number, CVV, or banking details.

5. Authentication

• Sign-in uses Google OAuth 2.0 / OIDC, or email. We never receive or store passwords.
• Session tokens are signed and short-lived, expiring automatically.
• On-device chat is available without an account, with no account data.

6. What We Do Not Do

• No analytics services (no Google Analytics, Mixpanel, Amplitude).
• No tracking pixels or advertising beacons.
• No cross-site tracking cookies or fingerprinting.
• No data sales or sharing with advertisers.
• No third-party LLM provider in the inference path.

7. Vulnerability Reporting

We appreciate responsible disclosure. If you discover a security vulnerability in Sprapp, please report it to:

Email: security@sprapp.com

What to Include

• Description of the vulnerability
• Steps to reproduce
• Potential impact assessment
• Any proof-of-concept code or screenshots

Our Commitment

• We will acknowledge receipt within 24 hours.
• We will provide an initial assessment within 72 hours.
• We will work with you to understand and resolve the issue.
• We will credit you in our security acknowledgments (unless you prefer to remain anonymous).
• We will not take legal action against researchers acting in good faith.

Scope

In scope for security reports:

• sprapp.com and its subdomains
• The hosted inference API and on-device engine
• The marketplace and training services

8. Security Updates

The web app is served from a CDN, so updates deploy instantly — every page load gets the latest version, with no patches to install.