Security: natinew77-creator/Transfer-Tracker

SECURITY.md

Security Policy

Supported Versions

Version Supported
1.0.x
< 1.0

Architecture & Data Safety

API Keys

  • Google Gemini API: All AI calls are made server-side through Vercel Serverless Functions (/api/*). The GEMINI_API_KEY is read from a server-side environment variable and is never shipped to the browser; the browser only ever talks to the /api/* endpoints. Since those endpoints are reachable by any client, they are what must be protected: they should validate and size-limit input and be rate-limited, so that the proxy cannot be used to spend the key's quota on arbitrary prompts.
  • Supabase: The VITE_SUPABASE_PUBLISHABLE_KEY is shipped to the browser by design. It grants only what Row Level Security (RLS) policies on the database allow, so every table reachable from the client must have RLS enabled with policies that scope rows to the authenticated user. A table with RLS disabled is fully readable and writable with this key.
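
The proxy pattern described above, as an added example (not Transfer-Tracker's own code): a Vercel-style Node handler for an assumed route /api/gemini that reads GEMINI_API_KEY from the server environment, validates and size-limits the caller's prompt, forwards it to the Gemini generateContent endpoint, and returns only the generated text. The route name, the { prompt } request shape, the model name and the 20,000-character cap are assumptions; fetchImpl is injectable so the handler can be exercised without network access.

```javascript
// Added example, not the project's code. A Vercel-style serverless proxy that keeps
// GEMINI_API_KEY on the server. Route name (/api/gemini), request shape ({ prompt }),
// model name and the prompt cap are assumptions for illustration.

const MAX_PROMPT_CHARS = 20000;            // assumed cap; bounds what is forwarded upstream
const GEMINI_MODEL = 'gemini-1.5-flash';   // assumed model name
const UPSTREAM =
  `https://generativelanguage.googleapis.com/v1beta/models/${GEMINI_MODEL}:generateContent`;

// Build the upstream request as a pure function so it can be tested offline.
// Throws RangeError for caller mistakes (-> 400) and Error for server problems (-> 500).
function buildUpstreamRequest(body, apiKey) {
  if (typeof apiKey !== 'string' || apiKey.length === 0) {
    throw new Error('server misconfigured: GEMINI_API_KEY is not set');
  }
  if (!body || typeof body.prompt !== 'string' || body.prompt.trim() === '') {
    throw new RangeError('prompt must be a non-empty string');
  }
  if (body.prompt.length > MAX_PROMPT_CHARS) {
    throw new RangeError(`prompt exceeds ${MAX_PROMPT_CHARS} characters`);
  }
  return {
    url: UPSTREAM,
    init: {
      method: 'POST',
      headers: {
        'content-type': 'application/json',
        'x-goog-api-key': apiKey, // the key travels server -> Google only
      },
      body: JSON.stringify({ contents: [{ parts: [{ text: body.prompt }] }] }),
    },
  };
}

// Pull out only the generated text. Upstream bodies are never relayed verbatim,
// so nothing Google echoes back (including request metadata) reaches the browser.
function extractText(upstreamJson) {
  const parts = upstreamJson?.candidates?.[0]?.content?.parts ?? [];
  return parts.map((p) => (typeof p.text === 'string' ? p.text : '')).join('');
}

// Handler in Vercel's Node (req, res) style. Vercel loads it via `export default handler`
// from api/gemini.js; fetchImpl defaults to the global fetch (Node 18+).
async function handler(req, res, fetchImpl = globalThis.fetch) {
  if (req.method !== 'POST') {
    res.status(405).json({ error: 'method not allowed' });
    return;
  }
  let upstream;
  try {
    upstream = buildUpstreamRequest(req.body, process.env.GEMINI_API_KEY);
  } catch (err) {
    const status = err instanceof RangeError ? 400 : 500;
    // Only caller errors are described; the misconfiguration message names the env var
    // and stays server-side.
    res.status(status).json({ error: status === 400 ? err.message : 'server error' });
    return;
  }
  const r = await fetchImpl(upstream.url, upstream.init);
  if (!r.ok) {
    res.status(502).json({ error: 'upstream error' });
    return;
  }
  res.status(200).json({ text: extractText(await r.json()) });
}

// CommonJS guard so the file also loads outside Vercel's ESM build.
if (typeof module !== 'undefined') {
  module.exports = { buildUpstreamRequest, extractText, handler };
}
```

The key appears in exactly one place, the x-goog-api-key header of the server-to-Google request, and nothing derived from it is passed to res.json(). The two error branches are deliberately asymmetric: input problems are reported to the caller as 400 with a message, while a missing key is a generic 500 so the response does not reveal which environment variable the deployment depends on.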

Data Privacy

  • This application sends user-provided text (transcripts, chat messages) to Google Gemini for analysis; that text leaves our infrastructure and is processed by Google.
  • No personal data is stored persistently on our servers beyond what the user keeps in their own Supabase session.
  • Google's handling of the submitted text is subject to the Google Cloud AI Terms.

Reporting a Vulnerability

We take security seriously. If you discover a vulnerability, please report it privately.

DO NOT create a public GitHub issue for security vulnerabilities.

Instead, please email natinew77@gmail.com with the subject "Security Vulnerability - Transfer Tracker".

Include:

  1. Description of the vulnerability.
  2. Steps to reproduce.
  3. Potential impact.

We will acknowledge your report within 48 hours and work to remediate valid findings promptly.

There aren't any published security advisories