Trust

Security and Data Protection

Last updated: 18 June 2026

This page summarises the security and data-protection approach used for MLR PreCheck. It is intended to support customer due diligence. It is maintained by MLR PreCheck and is not an independent certification or audit report.

1. Service and responsibility

MLR PreCheck is operated by Lee Freeman, a sole trader trading as MLR PreCheck. MLR PreCheck is responsible for the application configuration, access rules, supplier selection, incident handling and customer communications. Infrastructure providers are responsible for the platform controls described in their own contracts and assurance materials. Customers are responsible for authorised use, account hygiene, removing prohibited data and reviewing output.

2. Hosting and providers

The application uses Lovable platform services, Supabase database, authentication and storage services, Cloudflare network or edge services, and a contracted AI route. The current Customer Personal Data sub-processors are listed in the Data Processing Agreement.

The primary Supabase project region is configured for Ireland. Some providers operate global infrastructure or process data in the United States. International transfers are handled as described in the Privacy Notice and DPA.

3. Encryption and transport

Connections to the website and application use HTTPS. Data sent between the application and contracted providers is transmitted using encrypted transport supported by those providers. Database and file-storage providers apply provider-managed encryption at rest to their managed services.

Specific cipher suites, key sizes and protocol versions are not published here unless current provider evidence and the deployed configuration confirm them.

4. Authentication and access control

User authentication is provided through the configured Supabase authentication service. Customer access is restricted by workspace membership and role. Row-level database policies are used on tables containing customer workspace data to prevent users from reading or changing another workspace’s records.

Privileged credentials and service keys remain server-side and are not included in browser code.

Administrative access is limited to authorised accounts. Multi-factor authentication is enabled on the owner’s Supabase, Lovable, Cloudflare, domain, email and payment accounts wherever the provider offers it.

5. Application controls

The application uses server-side checks for privileged actions and validates inputs before processing. Software dependencies and security alerts are reviewed and material vulnerabilities addressed according to risk. Customer data is not copied into public repositories, prompts used to build the application, or uncontrolled test environments.

6. Logging and monitoring

Authentication, application and provider logs are used to operate the Service, investigate errors and detect security events. Access to logs is restricted. Logs are retained only for the periods stated in the Privacy Notice or the applicable provider configuration.

7. Incident response

MLR PreCheck maintains a basic incident process covering identification, containment, investigation, recovery and review. If MLR PreCheck becomes aware of a personal-data breach affecting Customer Personal Data, it will notify the affected customer controller without undue delay and provide available information to help the customer meet its own duties.

Suspected incidents should be reported to [email protected] with the subject Security incident.

8. Backups, deletion and continuity

Database and storage recovery capabilities depend on the active Supabase and platform plan. MLR PreCheck does not publish a guaranteed recovery time, recovery point or backup frequency unless those commitments have been technically verified and formally adopted.

Customer Content is deleted or returned under the Data Processing Agreement. Published deletion periods match the active database, storage, log and backup configuration.

9. AI processing

Submitted copy and uploaded Word documents may be sent through a server-side AI gateway to the active model provider solely to produce the requested analysis. MLR PreCheck does not use Customer Content to train its own general-purpose models.

Production AI requests use a paid or contractually protected API route under which submitted prompts, files and responses are not used to train or improve general-purpose models, where the provider terms support this. Limited safety, abuse-prevention and operational processing may occur under the provider terms.

The active provider and model route are recorded internally. Specific model names and retention periods are not stated on this page unless they are read from the deployed configuration and supported by current provider documentation.

10. Data-protection roles

MLR PreCheck is controller for account, billing, enquiry, demonstration, support, website and security data. MLR PreCheck is processor for third-party personal data contained in Customer Content. The Privacy Notice and Data Processing Agreement explain these roles.

11. Sub-processors and changes

The approved Customer Personal Data sub-processors are listed in the DPA. Customers will receive at least 30 days’ notice before a new sub-processor is appointed for Customer Personal Data, as stated in the DPA.

| Legal entity | Service | Likely processing location | Transfer safeguard |
| --- | --- | --- | --- |
| Supabase, Inc. | Managed database, authentication and object storage. | Primary project region configured for Ireland, with supplier support and sub-processors as stated in the current Supabase DPA. | Applicable supplier DPA, adequacy where valid, and supplier transfer clauses including the relevant UK mechanism where required. |
| Cloudflare, Inc. | DNS, content delivery, TLS termination, security and edge functions where used. | Global network. | Cloudflare DPA, applicable adequacy status and incorporated EU SCCs or UK Addendum where required. |
| Lovable Labs Incorporated | Application platform, deployment services and AI Gateway. | United States and global infrastructure as stated in the current Lovable DPA and sub-processor list. | Lovable DPA, applicable adequacy status, EU SCCs and UK Addendum where required. |
| Google LLC | Paid Gemini API model inference for submitted content. | Locations permitted by the configured paid API and Google terms. | Applicable Google data-processing terms, adequacy where valid, and contractual transfer clauses where required. |

12. Certifications and assurance

MLR PreCheck does not currently claim its own SOC 2, ISO 27001, Cyber Essentials, PCI DSS or other independent certification. Infrastructure providers may hold their own certifications, but those provider certifications do not certify MLR PreCheck itself.

13. Vulnerability reporting

Potential security vulnerabilities should be reported privately to [email protected] with the subject Vulnerability report. Reporters must avoid: accessing, changing or deleting data that is not their own; denial-of-service activity; social engineering; and public disclosure before a reasonable investigation period.

14. Contact

Security, privacy and procurement enquiries may be sent to [email protected] or posted to Lee Freeman, a sole trader trading as MLR PreCheck, 54 Chestnut Lane, Ashford, Kent, United Kingdom.