Security & Privacy
We take the security and privacy of your chat history extremely seriously.
It contains names, addresses, financial discussions, health information, and years of intimate conversations. Our systems are built from the ground up to keep your information secure.
Built by Security Experts
ChatToMap is built by the team behind DocSpring, a document automation platform that:
- Achieved SOC 2 Type II certification
- Is 100% GDPR compliant
- Handles millions of sensitive documents (tax forms, legal contracts, healthcare records)

Our Security Promises
We Never See Your Messages
Your chat export is encrypted the moment it reaches our servers. If you opt to save message context, this is encrypted on our servers using asymmetric encryption. Only your phone or computer has the private key that can decrypt it. (We send a backup of that key to you via email.)
We Delete Everything
- Original zip file: Deleted immediately after text extraction and encryption
- Extracted text: Deleted immediately after processing
We only keep your extracted suggestions (places, activities), and optional encrypted message context.
We Audit Everything
Every access to your encrypted data is logged in a tamper-proof, cryptographically-chained audit system. If anyone ever accessed data they shouldn't have, we would know exactly when, how, and who. Every RBAC denial sends an immediate notification to our security team.
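As an added illustration (not ChatToMap's own code), this is one common way a cryptographically chained audit log works: each entry's hash covers the previous entry's hash, so editing or removing a record breaks verification from that point on. The field names, the `GENESIS` anchor, and the sample entries are assumptions made for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed chain anchor for the first entry


def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append(log, actor, action, obj, ts):
    """Append an access record whose hash covers the previous entry's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"seq": len(log), "ts": ts, "actor": actor,
              "action": action, "object": obj}
    log.append({"record": record, "prev": prev_hash,
                "hash": _digest(prev_hash, record)})
    return log[-1]["hash"]


def verify(log, expected_head=None):
    """Return the index of the first broken entry, or None if intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        ok = (entry["record"]["seq"] == i
              and entry["prev"] == prev_hash
              and hmac.compare_digest(entry["hash"],
                                      _digest(prev_hash, entry["record"])))
        if not ok:
            return i
        prev_hash = entry["hash"]
    # Tail truncation is only visible against a head hash kept elsewhere.
    if expected_head is not None and prev_hash != expected_head:
        return len(log)
    return None


def sample_log():
    # Constructed sample entries, not real audit data.
    log = []
    append(log, "worker:process", "derive_key", "upload/abc", 1700000000)
    append(log, "worker:process", "decrypt", "upload/abc", 1700000005)
    head = append(log, "admin:alice", "rbac_denied", "upload/abc", 1700000100)
    return log, head
```

The chain alone only makes tampering evident to someone holding a trusted copy of the latest head hash; anyone able to rewrite the entire log could recompute every hash, which is why the head is checked against a value stored separately.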
Nothing in Backups
We take regular database backups, but your chat messages are never stored in our database (with the exception of minimal encrypted message context that we can never read). All chat data stays in an R2 bucket with no versioning enabled. Once it's deleted, it's gone forever with no possibility of recovery.
Bank-Grade Encryption
- AES-256-GCM - The same encryption used by banks and governments
- RSA-OAEP - Asymmetric encryption
- HKDF-SHA256 - Industry-standard key derivation
- Double encryption - App-level encryption + encryption at rest in storage and database servers
Hard Time Limit
Your chat is deleted immediately after processing. However, if we encounter errors or processing delays, your chat will always be deleted within 1 hour, no matter what. Your data can also only be decrypted within this 1-hour processing window. The decryption keys are mathematically derived and our system refuses to derive them after the window closes. Any attempts will be logged and reported.
What Happens When You Upload
Secure Upload
Your file is uploaded over a TLS 1.3 encrypted connection. It never touches disk unencrypted.
Immediate Encryption
The upload worker encrypts your file with a unique key. It only has the public key and cannot decrypt what it just encrypted (or any other files).
Isolated Processing
A separate, isolated worker requests the decryption key from a hardened Key Derivation Service.
AI Analysis
We extract text, find activity suggestions, and geocode locations. Only extracted suggestions are stored. Message context (if saved) is encrypted and can only be decrypted by your browser.
Automatic Deletion
Your original file and extracted text are deleted immediately after processing, and always within 1 hour.
Infrastructure
ChatToMap runs on Cloudflare Workers - a globally distributed, edge-computing platform with:
- Automatic DDoS protection
- Encryption at rest for all stored data
- SOC 2 Type II certified infrastructure
- GDPR-compliant data handling
- No persistent disk access (data exists only in memory during processing)
Your Rights (GDPR)
Under GDPR and similar privacy laws, you have the right to:
- Access - Request a copy of all data we have about you
- Deletion - Request immediate deletion of all your data
- Portability - Export your data in a machine-readable format
- Correction - Update any incorrect information
To exercise any of these rights, email privacy@chattomap.com.
Questions about security?
We're happy to discuss our security practices in more detail.