Security & Sub-processors
This page describes how Liminate protects data across Receipts, Agreements, and Mood Ring, the third parties we rely on, and how to report a security issue.
1. Data handling
- In transit: all traffic is served over HTTPS/TLS.
- Credentials: API keys are stored as SHA-256 hashes; the raw key is shown once at creation and never stored. Authentication uses GitHub OAuth — we never receive your GitHub password. Session cookies are HttpOnly, SameSite=Lax, and secure over HTTPS.
- No card data: payments run through PayPal; we never receive or store card numbers.
- Access scoping: saved contracts, agreements, decisions, and Mood Ring entries are scoped to the owning account.
- Webhooks: billing webhooks are signature-verified before they are acted on.
2. Sub-processors
We use the following third parties to operate the Services. We keep this list current; it is the canonical reference also pointed to from the Privacy Policy.
| Sub-processor | Function | Data processed | Location |
|---|---|---|---|
| Railway | Application hosting & managed database | All stored application data | United States |
| PayPal | Payment processing | Payment instruments (held by PayPal); transaction identifiers | United States |
| GitHub | Authentication (OAuth) | GitHub ID, username, and email at sign-in | United States |
If we add or change a sub-processor, we will update this page.
3. Retention & deletion
You can delete your saved contracts, agreements, agreement decisions, Mood Ring entries, and API keys from within the products, and you can export your saved contracts. To delete your account and associated data, email hello@liminate.dev. See the Privacy Policy for full detail.
4. Reporting a vulnerability
If you believe you have found a security vulnerability, please report it to hello@liminate.dev with enough detail to reproduce it. Please give us a reasonable opportunity to investigate and remediate before any public disclosure, and do not access or modify data that is not yours. We appreciate good-faith research and will not pursue action against researchers who follow this guidance.
5. Enterprise & data-processing agreements
For business customers who need a Data Processing Agreement (DPA), a security questionnaire completed, or details beyond what is on this page, contact hello@liminate.dev.
6. Contact
Security and privacy contact: hello@liminate.dev.