What we do with your stuff.
Plain language version — this page tells you what’s actually true in the code: what we collect, what we don’t, and why.
Where your data lives
Your photos, plans, and project data live in Microsoft Azure (East US region) — specifically Azure SQL for structured data and Azure Blob Storage for files. Both are encrypted at rest by Microsoft using AES-256.
We do not back up to your hard drive, a USB stick, or a third party we haven’t named. Your data has exactly one home and we can show you where it is.
How traffic is protected
All traffic to the app is HTTPS — Fly.io terminates TLS at the edge before requests ever reach our container. The cert is issued by Let’s Encrypt and auto-rotates.
Sign-in uses magic links — no password, so no password to leak. The cookie that keeps you signed in can’t be read by other websites or by JavaScript on third-party pages. It expires after 30 days of inactivity.
Who can see your project
Only you (the user who created the workspace) and people you explicitly invite to it. Architect-marketplace requests share the project scope + address with the specific architect you engage — not the full project, not photos, until they accept.
People at PermitGranted have admin access to help with support and debugging. Every admin action is recorded. You can ask us for the record of who looked at your data and when, any time.
What we don’t do
- No third-party model training. Your photos + plans are not sent to OpenAI, Anthropic, or anyone else for model training. We use Azure OpenAI in tenant-scoped deployments, which are explicitly contracted not to train on customer data.
- No selling data. We do not sell, rent, or share your data with advertisers, data brokers, or partners.
- No surprise tracking. No third-party analytics pixels, no Facebook trackers, no session-replay tools recording your screens.
- No ICE / immigration data sharing. We will refuse any data request from immigration enforcement absent a valid judicial subpoena targeting a specific named individual.
Where we’re honestly weak (yet)
- No SOC 2 audit yet. SOC 2 is a security audit that companies usually get once they have a real audit budget. We’ll add it as we grow. Until then, we describe what we actually do on this page rather than show off a logo we haven’t earned.
- One data center. Everything lives in one region right now (East US). If that region went down, you’d be offline until it came back. Multi-region backup is a future investment.
- No health-data or credit-card storage. We don’t handle medical records. When you pay, your card details go directly to Stripe — we never see or store them.
If you find a security issue
Email security@permitgranted.ai with a description and a way to reach you. We respond within 24 hours on business days. We will not pursue legal action against good-faith researchers — see our responsible disclosure policy for the full details (in flight).