Trust & Security
We're a small company. We don't have a compliance department or a SOC 2 badge to wave around. What we do have is a clear accounting of exactly how your data is handled, stored, and protected. Stated plainly, without the corporate fog.
LensCherry
LensCherry generates professional photos using cutting-edge AI models. Here's the chain of custody for your images:
- Reference photos are uploaded over HTTPS and stored on our European server (Hetzner, Germany). They are used only to create your personal AI model. Never shared, never sold, never used to create any general-purpose model.
- AI processing happens via Google Cloud infrastructure. Your images are processed to generate results, then discarded by the provider. Google does not use customer data to train its models when those models are accessed through its API.
- Generated photos are stored in your account until you choose to delete them or delete your account. They belong to you.
- Deletion means deletion. When you delete photos or your account, the data is removed from our servers. No shadow copies, no “we keep it for 90 days just in case.”
Thicket
Thicket is a project management tool. Your project data (tasks, comments, files) lives on our infrastructure:
- All traffic is encrypted via HTTPS. There is no unencrypted path to your data.
- Data is stored on Hetzner servers in Germany, subject to European data protection standards.
- Row-level data isolation: every organization's data is isolated at the database level using PostgreSQL Row Level Security. Even in the event of an application vulnerability, one organization cannot access another's data. This is enforced by the database engine itself, not application code.
- Authentication: email/password, Google SSO, and Microsoft SSO. Two-factor authentication (2FA) is available for all accounts. Sessions are managed server-side with secure, HTTP-only cookies.
- We don't read your projects. Your data is yours. We access it only if you explicitly ask us to for support purposes.
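Row-level isolation of the kind described in the list above, shown as an added PostgreSQL example; it is not Thicket's schema or code, and the table names, the app_user role and the app.current_org setting are assumptions.

```sql
-- Constructed schema; every name below is an assumption for illustration.
CREATE TABLE organizations (
    id   uuid PRIMARY KEY,
    name text NOT NULL
);

CREATE TABLE tasks (
    id     bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    org_id uuid NOT NULL REFERENCES organizations (id),
    title  text NOT NULL
);

-- The application logs in as a role that is neither superuser nor BYPASSRLS
-- and does not own the table; superusers and BYPASSRLS roles skip policies.
CREATE ROLE app_user LOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON tasks TO app_user;

ALTER TABLE tasks ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policies apply to the table owner as well.
ALTER TABLE tasks FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read, updated or deleted; WITH CHECK rejects
-- rows written for another organization. An unset or empty app.current_org
-- yields NULL, the comparison is never true, and no rows match (fails closed).
CREATE POLICY org_isolation ON tasks
    FOR ALL TO app_user
    USING      (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Constructed sample data, inserted by an administrator before the app connects.
INSERT INTO organizations VALUES
    ('11111111-1111-1111-1111-111111111111', 'Org A'),
    ('22222222-2222-2222-2222-222222222222', 'Org B');

-- Per request, connected as app_user: bind the tenant inside a transaction
-- so the setting cannot leak to the next request on a pooled connection.
BEGIN;
SELECT set_config('app.current_org', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO tasks (org_id, title) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Ship release');      -- accepted
SELECT id, title FROM tasks;                                       -- Org A rows only
INSERT INTO tasks (org_id, title) VALUES
    ('22222222-2222-2222-2222-222222222222', 'Cross-tenant row');  -- rejected by WITH CHECK
ROLLBACK;
```

Because the role itself sets app.current_org, a policy written this way isolates tenants only as long as that value is taken from the authenticated session and never from request input.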
Infrastructure
Both products run on dedicated infrastructure we control, not a multi-tenant platform where a neighbor's misconfiguration becomes your problem. Here's what we run:
- Cloudflare Tunnel: all web traffic routes through Cloudflare for DDoS protection and TLS termination. Application ports are never exposed directly to the public internet.
- Daily automated backups: database and file system, stored separately from the production server so data is recoverable even in the event of hardware failure.
- Key-only SSH access: password authentication is disabled. SSH is restricted to a private Tailscale network, not reachable from the public internet.
- Fail2ban: automated intrusion detection that bans suspicious IPs after repeated failed attempts.
- UFW firewall: default-deny incoming. Only Cloudflare IPs can reach web ports; SSH is limited to the private network range.
- TLS everywhere: all public endpoints use HTTPS with modern cipher suites. Certificates are managed by Cloudflare.
Privacy
Three commitments, without qualification:
1. We do not sell your data. Not to advertisers, not to data brokers, not to anyone. Our revenue comes from the products you pay for.
2. You can delete everything. Your account, your data, your history. Contact us and it's done, or use the self-service options in each product.
3. We tell you what changed. If our privacy practices change, we'll update our privacy policy and notify affected users. No silent edits.
What We Don't Claim
Honesty means saying what you haven't done, too:
- We don't hold SOC 2, ISO 27001, or similar certifications. We're a small team and the cost/complexity isn't justified at our scale, yet.
- We don't have a dedicated security team. Security is handled by the engineering team with the practices described above.
- We haven't undergone a third-party penetration test. It's on the roadmap as we grow.
We believe honest specifics beat vague assurances. You deserve to know exactly where the line is.
Questions or Concerns
If you have a security concern, a data question, or just want to know more about how we handle something specific:
For security-specific issues, email [email protected]