Security Policy
Protecting your data is fundamental to our goal of building a sustainable business. As an independent, bootstrapped company funded entirely by our subscribers, our success depends on maintaining your trust.
Incorporated in the EU (Denmark), we adhere to high standards for data protection and our focused team works continuously to implement and improve robust security measures across our services.
General security practices
- Access to servers, source code, datastores, and third-party tools requires strong two-factor authentication using methods other than SMS.
- We use a password manager to generate and store strong, unique passwords that are never reused.
- As founders, we are the only individuals with access; we do not employ staff or hire contractors.
- We use automated tools, like GitHub Advanced Security, to detect and alert us about known vulnerabilities in our software dependencies.
- We minimize the number of third-party libraries (dependencies) we use, carefully selecting them from reputable sources.
- We are proactive about applying security patches and keeping dependencies up to date. Our fully automated deployment pipeline allows us to deploy updates frequently and rapidly.
- We choose third-party services that demonstrate strong privacy and security standards aligned with our own.
- We never copy production data to personal computers or other external devices.
Infrastructure
- Our primary servers are hosted by Hetzner within the EU (Germany).
- Distribution artifacts are securely hosted on GitHub.
- Our website, domains, and API are protected and accelerated by Cloudflare, a leading internet infrastructure provider with extensive, audited security measures.
- Our AI model provider is Mistral, with servers hosted within the EU (Sweden).
- Our database is backed up to Cloudflare R2 with point-in-time recovery.
Authentication
- When you sign up, your password is securely hashed using industry-standard cryptography tools.
- All secrets are encrypted both during transmission (in transit) and when stored (at rest). We never store passwords or secrets in plain text.
- We authenticate all API requests using your username and password; we do not use separate API tokens.
Encryption
- All communication between your device and our services is encrypted using TLS (HTTPS). We utilize automated certificate management via Let's Encrypt.
- We enforce the use of TLS (HTTPS) to protect all data in transit to and from our Service.
- Sensitive data stored in our database, such as your email address and Stripe transaction details, is encrypted at rest.
- We store all of our data in SQLite, a highly reliable database and the most widely deployed one in the world.
Payments
- We partner with Stripe for payment processing. Your credit card and bank details are encrypted, stored, and processed directly by Stripe using AES-256 encryption. See Stripe's security page for full details.
- Cellm only stores a secure token provided by Stripe to manage your subscription via their API. We never store your full credit card number on our servers, nor does this sensitive information pass through our systems.
- All communication with Stripe occurs over an encrypted TLS connection.
Backups and recovery
- Our SQLite database is continuously backed up to Cloudflare R2 using Litestream.
- In case of failure, we can restore the database by retrieving these backups and applying them to a new server instance.
FAQ
What user data do you collect?
We are committed to data minimization. We only collect the essential information needed to provide our service: your email address and password for account creation and login.
For users on the free plan, we may store anonymized prompts (your instructions for the AI model, *not* the data in your spreadsheet) solely to help us understand usage patterns and improve Cellm. These prompts are stored without any link to your account.
We also collect basic system monitoring data (like API request counts) to ensure service reliability and performance. You can find more information on the type of data we collect in our Privacy Policy.
How long is my information retained and can I remove it?
We store no Personally Identifiable Information (PII) except your email address. You can permanently delete your email address from our systems at any time by deleting your account.
How do I report a potential security vulnerability?
If you believe you've discovered a security vulnerability, please report it to us discreetly via email at security@getcellm.com. We are committed to responsible disclosure and will respond promptly to coordinate verification and remediation.
Any further questions?
Please reach out to us at security@getcellm.com, and we'll be happy to assist and update this document if necessary.