How Borgh handles your data.
Borgh is built for regulatory professionals working with confidential dossier data. This page explains exactly what happens to your data when you use Borgh, who processes it, and what Borgh does not do.
Data lifecycle
- 1You upload a file or paste your dossier text into the review tool.
- 2Your file is read in memory on the server. PDF and DOCX files are converted to plain text. The original file is then discarded — it is never written to disk or stored anywhere.
- 3The extracted text is sent to Anthropic’s Claude API for analysis over an encrypted HTTPS connection (TLS 1.2+).
- 4Results stream back to your browser and are saved to your account for future reference. Your original uploaded file is never stored — only the extracted text and the review output are persisted. You can delete your reviews at any time.
Sub-processors
Borgh relies on five external services. Each is listed below with what data they receive and their retention policy.
Anthropic
Claude API- Purpose
- Dossier analysis — your text is sent as input to generate the review findings.
- What they receive
- Your dossier text and the analysis prompt.
- Data retention
- Anthropic retains API inputs and outputs for 30 days for abuse detection and safety monitoring, then automatically deletes them. Your data is not used for model training. We are in the process of activating Zero Data Retention (ZDR), which removes retention entirely — data will be discarded immediately after the response is returned.
- Privacy policy
- anthropic.com/legal/privacy
Voyage AI
Embedding API- Purpose
- Knowledge base search — converts search queries into vectors to find relevant EFSA guidance and opinion fragments.
- What they receive
- In review mode: pre-built search queries derived from section keywords (e.g. “EFSA requirements for dossier section 3: compositional data”). Your dossier text is never sent to Voyage AI in review mode. In Q&A mode: your question text is sent as the search query.
- Data retention
- Borgh’s Voyage AI account is set to zero-day retention — queries are not stored after the embedding response.
- Privacy policy
- voyageai.com/privacy
Vercel
Hosting- Purpose
- Application hosting and serverless function execution.
- What they receive
- HTTP metadata: URL paths, status codes, response times, and memory usage. Vercel does not log request bodies or dossier content.
- Data retention
- Runtime logs are retained for 1–3 days depending on plan tier.
- Privacy policy
- vercel.com/legal/privacy-policy
Cloudflare
DNS + DDoS protection- Purpose
- DNS resolution and DDoS protection for borgh.ai.
- What they receive
- IP addresses and DNS queries. No application-layer data (dossier content, analysis results) passes through Cloudflare.
- Privacy policy
- cloudflare.com/privacypolicy
Supabase
Auth + Database- Purpose
- User authentication (email/password) and storage of account data, workspace metadata, and review findings.
- What they receive
- Your email address, hashed password, account metadata, and review outputs. Dossier input text is stored for review history. Original uploaded files are never stored.
- Region
- EU (Frankfurt, eu-west-1). Your account and review data stay in the European Union.
- Privacy policy
- supabase.com/privacy
A note on Q&A mode
When you use Borgh’s Q&A mode, your question text is sent to Voyage AI as an embedding query to retrieve relevant knowledge base fragments. Voyage AI’s account is set to zero-day retention, so your query is not stored after the embedding response. If you paste sensitive dossier content into a Q&A question, that text will reach Voyage AI but will not be retained. In review mode, this does not apply — only pre-built section keyword queries are sent to Voyage AI, never your dossier text.
Encryption in transit
All connections to Borgh are encrypted with HTTPS (TLS 1.2+), enforced by Vercel. Connections from Borgh to Anthropic, Voyage AI, and Supabase are also HTTPS-encrypted. Data at rest in Supabase is encrypted using AES-256.
What Borgh does not do
- Does not store uploaded files. Original files are processed in memory and discarded. Review input text is stored in your account for review history.
- User accounts are protected by Supabase Auth with email verification. All account data is stored in the EU (Frankfurt). You can delete your account and all associated data at any time.
- Does not share data with third parties beyond the sub-processors listed above.
- Does not use your data for training AI models.
- Does not log dossier content to application logs.
Contact
For security questions, contact security@borgh.ai.