← Back

Trust & Security

We're a small company. We don't have a compliance department or a SOC 2 badge to wave around. What we do have is a clear accounting of exactly how your data is handled, stored, and protected. Stated plainly, without the corporate fog.

LensCherry

LensCherry generates professional photos using cutting-edge AI models. Here's the chain of custody for your images:

  • Reference photos are uploaded over HTTPS and stored on our European server (Hetzner, Germany). They are used only to create your personal AI model. Never shared, never sold, never used to create any general-purpose model.
  • AI processing happens via Google Cloud infrastructure. Your images are processed to generate results, then discarded by the provider. Google does not use customer data to train its models when accessed through their API.
  • Generated photos are stored in your account until you choose to delete them or delete your account. They belong to you.
  • Deletion means deletion. When you delete photos or your account, the data is removed from our servers. No shadow copies, no “we keep it for 90 days just in case.”

Thicket

Thicket is a project management tool. Your project data (tasks, comments, files) lives on our infrastructure:

  • All traffic is encrypted via HTTPS. There is no unencrypted path to your data.
  • Data is stored on Hetzner servers in Germany, subject to European data protection standards.
  • We don't read your projects. Your data is yours. We access it only if you explicitly ask us to for support purposes.

Infrastructure

Both products run on dedicated infrastructure we control, not a multi-tenant platform where a neighbor's misconfiguration becomes your problem. Here's what we run:

  • Daily automated backups: database and file system, retained and rotated.
  • Key-only SSH access: password authentication is disabled. No brute-force vector.
  • Fail2ban: automated intrusion detection that bans suspicious IPs after repeated failed attempts.
  • UFW firewall: only necessary ports are open. Everything else is denied by default.
  • TLS everywhere: all public endpoints use HTTPS with modern cipher suites via Let's Encrypt certificates, auto-renewed.

Privacy

Three commitments, without qualification:

  • 1.We do not sell your data. Not to advertisers, not to data brokers, not to anyone. Our revenue comes from the products you pay for.
  • 2.You can delete everything. Your account, your data, your history. Contact us and it's done, or use the self-service options in each product.
  • 3.We tell you what changed. If our privacy practices change, we'll update our privacy policy and notify affected users. No silent edits.

What We Don't Claim

Honesty means saying what you haven't done, too:

  • We don't hold SOC 2, ISO 27001, or similar certifications. We're a small team and the cost/complexity isn't justified at our scale, yet.
  • We don't have a dedicated security team. Security is handled by the engineering team with the practices described above.
  • We haven't undergone a third-party penetration test. It's on the roadmap as we grow.

We believe honest specifics beat vague assurances. You deserve to know exactly where the line is.

Questions or Concerns

If you have a security concern, a data question, or just want to know more about how we handle something specific:

Open a support request →

For security-specific issues, email [email protected]

Trust is earned in specifics, not slogans.

Vesperion Gate Inc.