My Company HQ

Trust Center

Trust, Security & Privacy

Last updated: June 20, 2026

This page is maintained by the My Company HQ team to answer common security and privacy questions about the platform. It describes controls that are enabled in the product today and how responsibility is shared between My Company HQ, the underlying hosting platform, and you as a customer. It is not an independent certification or audit report.

Shared responsibility

My Company HQ runs on the Lovable Cloud platform. The hosting platform provides the underlying infrastructure, managed authentication, database, storage, and edge runtime. My Company HQ configures these building blocks, writes the application logic, and operates the product. You, as the company owner, control who you invite, what data you upload, and how you use the workspace.

Authentication & access control

Sign-in uses managed email/password authentication with optional Google sign-in. Sessions are issued and refreshed by the managed auth provider; the application verifies the session on every authenticated request. Workspaces are scoped to a company, and team members only see the departments their owner has granted them access to.

Role and access checks are enforced server-side, both through database row-level security policies and through server functions that re-check the user's membership and role before performing any sensitive action.

Data storage & encryption

Application data is stored in a managed Postgres database, and files (such as uploaded SOPs and meeting attachments) are stored in managed object storage. Data is encrypted in transit over HTTPS/TLS and encrypted at rest by the hosting platform. File downloads use short-lived signed URLs rather than public links.

What we collect

We collect the information needed to operate the workspace: your account details (name, email), company profile, team members you invite, and the operational data you choose to enter — tasks, meetings, attendance, finance, inventory, production, and content you create. We do not sell personal data.

Subprocessors & integrations

My Company HQ relies on the Lovable Cloud hosting platform for infrastructure, database, auth, and storage; on the Lovable AI Gateway for AI features; on Resend (or the configured transactional provider) for outbound email; and on Paddle and PayPal for subscription billing when you subscribe to a paid plan. Optional integrations (e.g. Google Calendar, social account connections) are activated only if you connect them.

Retention & deletion

Your workspace data is retained while your account is active. Owners can close their account from the Account page, which suspends access and schedules data for deletion in line with platform retention. You can also remove individual team members, customers, transactions, and uploads from within the app at any time.

Email & unsubscribe

Transactional and operational emails (invitations, receipts, weekly activity summaries, meeting reminders) are sent from authenticated domains. Operational digests include an unsubscribe link, and a suppression list is honored before any send.

Incident response & vulnerability reports

If you believe you have found a security issue, please contact us through the in-app “Contact admin” panel or by emailing the address listed on the landing page. We aim to acknowledge reports promptly and will keep you informed as we investigate.

Compliance posture

My Company HQ does not currently claim SOC 2, ISO 27001, HIPAA, PCI, or GDPR certification on its own behalf. We rely on the certifications and controls of the underlying hosting and payment providers and configure the application to follow industry-standard practices (least-privilege access, row-level security, signed URLs, server-side authorization). If you have a specific compliance question for your organization, please reach out before signing up.

Your responsibilities

You are responsible for choosing a strong password, keeping your sign-in credentials private, granting team access only to people who need it, and complying with the laws that apply to your business and the personal data you process inside the workspace.