Lovable
The host behind a shared Lovable app. Lovable holds two things: the prompts and generated code you build in its editor, and, once your app is live on Lovable Cloud, the running app's backend — its database rows, uploaded files, logins — on Supabase infrastructure. The one knob worth knowing about is AI training: on the default Free/Pro terms your (de-identified) content may be used to train models unless you opt out; a Business/Enterprise workspace gives you a self-serve off switch, and a signed data agreement bars it outright.
Last verified: 2026-06-07 · Confidence: high on the training-by-default-with-opt-out split, the retention windows, and the EU/US/Asia-Pacific region choice (all from Lovable's own terms, privacy policy, and docs); the "no-training only with the DPA / Business controls" framing is reasoned from the policy, not a single quoted plan-gate, and ISO 27001 is unconfirmed.
What it holds, and where your app lives
Lovable is a full builder-plus-host, so it keeps more than a file tree: [confirmed]
- In the editor — your "natural-language prompts, code snippets, or deployment configurations," plus account details (name, business email, billing via Stripe, usage and telemetry logs). [confirmed]
- In the running app — when you ship on Lovable Cloud, the app's backend (database, auth, storage, uploaded files) runs on Supabase infrastructure, which Lovable Cloud is built on. Your live app sits on a lovable.app subdomain unless you attach a custom domain. [confirmed]
You own all of it: "you own your Customer Data, including the applications, websites, or other projects you build," and you "own any AI Output generated for you." [confirmed] Move the front-end or back-end off Lovable Cloud and you take over running it — deploys, env vars, database, auth — yourself. [confirmed]
Does it train AI on what you put in?
This is the one to read twice, because the default and the contract pull in opposite directions: [confirmed]
- Default (Free / Pro) — yes, unless you opt out. The Terms grant Lovable a license to "exploit your Customer Data for our business purposes, including... developing and training artificial intelligence and machine learning models." Only de-identified data is eligible — "We will not use raw or identifiable PII for model training" — but the switch is on until you flip it. [confirmed]
- The opt-out, by plan. On Business / Enterprise, an admin enables Data collection opt out at Settings → Privacy & security (workspace-level, self-serve). On Free / Pro there's no toggle — you email privacy@lovable.dev (or Lovable Support) to request it. [confirmed]
- With a signed data agreement (DPA) — barred outright. "Lovable shall not use any Customer Personal Data for the purpose of training, retraining, fine-tuning, or otherwise developing any AI or ML models." De-identified aggregates may still feed "statistical reporting, security analysis, or operational insights," but not training. [confirmed]
So "no training" is something you turn on (a workspace setting) or sign for (the DPA) — it isn't the free-tier default. [estimate] (the Privacy Policy frames the strong stance as "upgrade to a Business plan with enhanced controls"; the DPA text itself isn't explicitly plan-gated)
How long they keep it, and can you delete it
- Delete your account → personal data gone within 30 days. "We will delete your Personal Data within 30 days," minus a few legally-required categories (fraud, legal compliance/defence). [confirmed]
- Backups lag, logs lag. Backups "may retain data for up to 90 days"; log data is kept "up to ninety (90) days." So a residual copy can persist for ~3 months after you delete. [confirmed]
- Two one-way-door caveats. Anything already used for de-identified training before you opted out can't be pulled back out of a model — opting out only stops future use. And a recipient who already copied or remixed your project keeps their copy; deleting your original never reaches it. [estimate] (standard for this kind of host; Lovable's docs don't state either in these words)
What a Business / Enterprise tier changes
For an individual shipping a demo or an internal tool, the Free/Pro tier is fine — just opt out of training up front if the content is sensitive. The commercial tiers add the self-serve training switch above plus the paperwork a compliance review wants: [confirmed]
- A signed DPA, Lovable as your processor — "For EU Personal Data, the Customer acts as a controller and Lovable acts as a processor" (and "service provider/contractor" under US law), with the no-training warranty above. [confirmed]
- EU / UK transfers covered on paper — the DPA incorporates the EU SCCs and the UK SCCs + UK Addendum by reference. [confirmed]
- Security documentation for review — Lovable states SOC 2 and GDPR support and provides docs and DPAs "for enterprise review," with a subprocessor list and trust center on request. [confirmed] ISO 27001 appears only in marketing copy, not as a stated current certification — treat it as unconfirmed. [unclear]
Where your data lives (matters under GDPR)
- You pick a region — EU, US, or Asia-Pacific (incl. Australia). "Customer data remains in the region you select and does not move across regions by default." So unlike some hosts here, an EU pin isn't enterprise-gated — you choose it when you enable Cloud. [confirmed]
- But the choice locks. "Once Cloud is enabled for a project, the selected region is locked and cannot be changed" — pick Europe before you add real data if EU residency matters. [confirmed]
- Transfers, when they happen, are papered. For EEA/UK/Swiss users Lovable may transfer data to the US under the EU SCCs, the UK International Data Transfer Addendum, and the Swiss Addendum. [confirmed]
The short version: fine for a demo, an internal tool, or an EU-facing app — just set the region first (it's irreversible) and opt out of training if the data is sensitive. If a funder or DPA demands a no-training contract, that's the DPA / Business conversation, not the Free-tier default.
Sources
- Lovable Terms & Conditions — Customer Data license incl. AI/ML training, PII excluded, you own your apps + AI Output, Supabase as infrastructure provider, lovable.app subdomains
- Lovable Privacy Policy — data collected, 30-day account-deletion window, 90-day logs/backups, Supabase hosting, opt-out via privacy@lovable.dev, SCCs / UK & Swiss addenda
- Manage training data and privacy — training opt-out by plan, Settings → Privacy & security → Data collection opt out (Business/Enterprise), de-identified-only, PII excluded
- Lovable Data Processing Agreement — no-training-on-Customer-Personal-Data clause, processor/controller roles, EU + UK SCCs by reference (signed PDF dated 2025-11-17)
- Lovable Cloud — built on Supabase, three regions (Americas / Europe / Asia Pacific), region locked once Cloud is enabled
- Security at Lovable — EU/US/Australia hosting, region selectable, SOC 2 + GDPR, subprocessor list / trust center on request
- Deploying and hosting outside Lovable Cloud — Lovable Cloud as the default integrated host, Supabase-compatible backend, what self-hosting shifts to you