Your research data is sensitive. Bower is built with security at every layer — from how data is stored and transmitted, to how access is controlled and audited.

Encryption

In transit

All data between your browser and Bower’s servers is encrypted using TLS. This includes:
  • Every API request and response
  • File uploads and downloads
  • Real-time WebSocket connections
  • Voice and video streams in live agent mode
There is no unencrypted path to Bower’s infrastructure.

At rest

All data at rest is encrypted using AES-256:
  • Database — all notes, collections, metadata, and user records are encrypted at the storage layer.
  • File storage — all uploaded files (images, audio, PDFs, documents) are encrypted at rest.
  • Backups — database backups are encrypted automatically.
Encryption keys are managed by the cloud infrastructure and are not accessible to application code.

Workspace isolation

Workspaces are fully isolated at the database level — not just in the UI.
  • Every database query is scoped to the current workspace. There is no API endpoint that can return data from a workspace you don’t belong to.
  • Workspace membership is verified on every request before any data is returned.
  • Files are stored in workspace-scoped paths and are only accessible via time-limited signed URLs (24-hour expiry).
  • Bird and search are scoped to your current workspace. They cannot access data from other workspaces.
This isolation is enforced in middleware, not application logic — it cannot be bypassed by a misconfigured route or a new feature.
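How a time-limited signed URL can bind a file to its workspace-scoped path and a 24-hour expiry, shown as an added example that is not Bower's code. The `/files/<workspace>/<file>` layout, the HMAC-SHA256 construction, the key and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"constructed-demo-key"  # constructed; a real key belongs in a secret store
TTL_SECONDS = 24 * 60 * 60             # the 24-hour expiry stated on this page


def _mac(path, expires):
    # The MAC covers the full workspace-scoped path and the expiry together,
    # so neither can be changed without invalidating the signature.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(workspace_id, file_name, member_of, now=None):
    """Issue a signed URL only for a workspace the caller belongs to."""
    if workspace_id not in member_of:
        raise PermissionError("caller is not a member of this workspace")
    if "/" in workspace_id or "/" in file_name or file_name in ("", ".", ".."):
        raise ValueError("invalid path component")
    now = int(time.time()) if now is None else now
    path = f"/files/{workspace_id}/{file_name}"  # hypothetical path layout
    expires = now + TTL_SECONDS
    return path + "?" + urlencode({"expires": expires, "sig": _mac(path, expires)})


def verify_url(url, now=None):
    """Return True only for an unexpired URL whose path and expiry are unmodified."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters fail closed
    if now >= expires:
        return False  # past the expiry window
    expected = _mac(parts.path, expires)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(sig.encode(), expected.encode())
```

A signed URL is a bearer capability for its lifetime, so in this sketch the membership check happens when the URL is issued, and verification only confirms that the path and expiry are the ones that were signed.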

Authentication and access control

  • Token verification — every API request includes a signed authentication token that is verified server-side before any data is returned.
  • Email verification — unverified email addresses are blocked from accessing workspace data.
  • Token expiry — expired or revoked tokens are rejected immediately.
  • Role-based access — five roles (Owner, Admin, Member, Viewer, Guest) with a strict hierarchy enforced at the API level.

Audit trail

Every create, update, and delete action in your workspace is logged with:
  • Who performed the action
  • What changed (field-level diffs with before and after values)
  • When it happened
  • The IP address and user agent of the request
Audit logs are accessible from the Audit log link in the sidebar (or directly at app.bowerlabs.ai/audit) and can be exported to CSV. See the audit logs guide for details.

AI processing

When Bower processes your data — voice transcription, photo text extraction, or Bird conversations — the content is sent to AI model providers for inference. Your data is processed to provide the service and is not used to train AI models. For a full list of services that process your data, see our sub-processor list.

Your data rights

You have full control over your personal data in Bower:
  • Export your data — download a complete copy of all your personal data (profile, workspaces, projects, artifacts, audit history) as a JSON file from Settings > Privacy > Export my data. This covers your data across all workspaces.
  • Delete your account — permanently remove your profile and all associated data. See the Deletion section below.
  • Cookie preferences — control which cookies Bower uses. See our cookie policy.
If you have questions about your data or want to exercise your rights, contact our Data Protection Officer at privacy@bowerlabs.ai.

Deletion

When you delete notes, attachments, or collections, they are moved to trash for 30 days. During this period you can restore them from Trash in the sidebar. After 30 days, trashed items are automatically and permanently deleted from the database and file storage.
  • Deleted notes and attachments are moved to trash. They are excluded from search, share links, and all normal views while in trash.
  • Deleting a collection moves all notes and sub-collections within it to trash.
  • Deleting your account permanently removes:
    • Your profile information (email, name)
    • Your workspace memberships and OAuth integrations
    • Your Firebase authentication record
    • Workspaces where you are the sole member (and all content and files within)
    In shared workspaces (where other members exist), your notes, files, and collections are kept for the team — ownership is transferred to the workspace admin. Only your membership is removed. Audit logs are anonymized (the record of what happened is preserved, but your identity is removed).
We recommend exporting your data before deleting your account.

Data protection officer

Our designated Data Protection Officer (DPO) is David Lyon. For any privacy-related questions, data subject requests, or concerns:
  • Email: privacy@bowerlabs.ai
  • Response time: We aim to respond to all requests within 30 days, as required by GDPR.

Your responsibilities

  • Do not store credentials, passwords, or access tokens in notes.
  • Use workspace roles to control who can access your data.
  • Review the audit logs periodically if your workspace handles sensitive research data.
  • Use a strong, unique password for your Bower account.