Security Notes
Security boundaries for third-party keys, export files, and payment callbacks.
Default posture
- No real third-party API key is uploaded to this server by default.
- No secrets are intentionally written into logs.
- Browser-local key values are used only for local export flows and are not saved server-side by default.
Transport and workflow
- Debug and error messaging should avoid raw credential strings.
- Do not paste real keys into project descriptions or support emails.
- Payment callbacks are used for order and entitlement state, not for transmitting third-party developer keys.
Operational reminders
- Review third-party key lifecycle and rotation before launch.
- Before using exported start packs in production, manually review env vars, key permissions, and third-party platform settings.
- Re-run legal and compliance checks with your final commercial configuration.
Boundary reminder
These pages describe purchase, privacy, refund, and support boundaries for AI App Startup Assistant. Review them before purchase.
These notes are not an independent security certification; review the final production architecture before launch.