Security
Last updated June 2, 2026
Security is foundational for a product that can see your screen. Here's how we approach it.
Screen data handling
- Screenshots are captured locally and held only in memory.
- They're transmitted over encrypted (TLS) connections to our AI provider for analysis.
- They are not stored on our servers, written to disk, or used for model training.
- You control when capture is active and can stop it instantly.
Data in transit & at rest
All network traffic uses TLS. The limited data we retain (subscription status, license metadata) is stored with reputable providers under encryption at rest.
Payments
Payment processing is handled by Stripe, a PCI-DSS Level 1 provider. We never see or store full card numbers.
Licensing
License keys are cryptographically signed and bound to your subscription. Validation checks your live subscription status, and keys can be revoked by cancelling the subscription.
Access controls
Access to production systems is limited to authorized personnel on a least-privilege basis.
Subprocessors
- Anthropic — AI analysis
- Stripe — payments
- Vercel — hosting
Responsible disclosure
Found a vulnerability? We appreciate responsible disclosure — email security@vana.ai and we'll respond promptly. Please don't publicly disclose until we've had a chance to remediate.