Lovable

Lovable Labs

Status badges: Partial · EU: Available · Opt-out Available · Custom · Multi-region

Status badges are conditional: validate the exact plan, DPA, subprocessors, retention, residency, and feature settings before using the tool with personal or confidential data.

Pricing / Contract Route: USD pricing varies by plan

Enterprise Features: EU/US/AU hosting regions, ISO 27001:2022, SOC 2 Type II, SAML/OIDC SSO, SCIM, DPO appointed

Last Updated: June 23, 2026

Lovable - GDPR & Data Privacy Overview for European Clients

Version: June 2026 - prepared by WAIMAKERS B.V.


1 Purpose

This overview explains how Lovable (Free, Pro, Business, Enterprise) handles data in relation to GDPR, with a focus on European customers. Lovable is an AI-powered platform by Lovable Labs Incorporated (Delaware, USA / Stockholm, Sweden) that enables users to build full-stack web applications through natural language prompts.


2 Comparison of Lovable Tiers (EU focus)

| Tier | Training on your data? | Data retention | EU residency | Compliance | Price |
|------|------------------------|----------------|--------------|------------|-------|
| Free | ⚠️ May be used unless opted out via support | 90 days logs, 30 days post-term | ✅ EU selectable | SOC 2 Type II, ISO 27001:2022 | $0 (5 credits/day, projects private to your workspace) |
| Pro | ⚠️ May be used unless opted out via support | 90 days logs, 30 days post-term | ✅ EU selectable | SOC 2 Type II, ISO 27001:2022 | $25/month (100 credits, private projects) |
| Business | ⚠️ May be used unless workspace opt-out enabled | 90 days logs, 30 days post-term | ✅ EU selectable | SOC 2 Type II, ISO 27001:2022 | $50/month (SSO, shared workspaces) |
| Enterprise | ⚠️ May be used unless workspace opt-out enabled / contractually disabled | Custom | ✅ EU selectable | SOC 2 Type II, ISO 27001:2022, DPA with SCCs | Custom pricing |

Notes for Europe

  • Training policy: Lovable's Security and Privacy pages state it does not use customer prompts, code, workspace data, or raw/identifiable Personal Data to train its models. Its opt-out documentation adds that only anonymized/aggregated customer data (data that does not identify you) may be used for model training and other business purposes unless you opt out. Free and Pro customers opt out via Lovable Support; Business and Enterprise admins can enable workspace-level "Data collection opt out" under Privacy & security.
  • Third-party AI providers: OpenAI, Google Gemini, and OpenRouter operate under contractual restrictions on data training and retention. They do not train on customer data passed through Lovable.
  • EU hosting: Lovable Cloud data (your app's backend, hosted on Supabase) remains in the region you select (EU, US, or AU) and does not move across regions. Note that core platform/service Personal Data (account, prompts, telemetry) may still be transferred to the US under SCCs per Lovable's Privacy Policy, so selecting an EU Cloud region does not by itself remove all US transfers.
  • Security: SAML/OIDC (Okta, Azure AD, Google), SCIM provisioning, automated vulnerability scanning, WAF, multi-tenant architecture with logical isolation.
  • DPO: Data Protection Officer appointed at dpo@lovable.dev.
  • Security Checker 2.0 (Aug 2025): Lovable launched Security Checker 2.0 following the discovery of 170+ apps with exposed credentials. The tool automatically scans projects for database misconfigurations and exposed API keys.
  • Lovable 2.0 / Chat Mode: Lovable launched Lovable 2.0 with Chat Mode and AI agents, expanding the platform beyond code generation.
  • Data retention:
    • Log data: 90 days
    • Customer data: 30 days after account termination
    • Backups: up to 90 days
    • Service data: retained for legitimate business purposes
  • DPA availability: Data Processing Agreement with EU Standard Contractual Clauses (Modules 2 and 3) and UK Addendum available at lovable.dev/data-processing-agreement
  • Pricing: Global pricing in USD.

3 Is Lovable GDPR-Compliant?

Short answer: ⚠️ Partial / configuration-dependent. Lovable provides regional hosting, ISO 27001:2022 and SOC 2 Type II certifications, and a DPA with EU SCCs. However, while its Security page states it does not train on customer prompts, code, or identifiable data, its opt-out documentation notes that anonymized/aggregated customer data may be used for model training and business purposes unless you opt out. The opt-out must be requested or enabled before using Lovable for EU personal data or proprietary code.

What applies to all plans:

  • Training opt-out available - Customer data may be used for model training unless opted out; Free/Pro customers request the opt-out via Support, and Business/Enterprise admins can enable a workspace-level opt-out
  • EU data residency - Choose EU, US, or AU hosting; data stays in the selected region
  • DPA with EU SCCs - Data Processing Agreement with Standard Contractual Clauses (Module 2: Controller-to-Processor, Module 3: Processor-to-Sub-Processor) and UK Addendum available
  • Strong certifications - ISO 27001:2022 and SOC 2 Type II confirmed
  • Transparent subprocessors - Full list at trust.lovable.dev including OpenAI, Anthropic, Google Gemini, OpenRouter, Supabase, GitHub
  • Breach notification - 72-hour notification commitment
  • DPO appointed - Contact dpo@lovable.dev

What's plan-dependent:

  • Custom retention - Enterprise can negotiate retention periods
  • Enhanced contractual protections - More robust SLA guarantees, subprocessor change notifications, and on-premise options on Enterprise tier
  • SSO/SCIM - SAML/OIDC and SCIM provisioning available; check tier applicability with Lovable

What that means in practice:

  • For non-sensitive development projects: Free or Pro may be suitable with EU hosting selected and training opt-out requested
  • For proprietary code or EU personal data: Business or Enterprise with EU hosting selected, DPA executed, and workspace-level training opt-out enabled
  • For regulated industries (finance, healthcare, government): Enterprise recommended for full contractual protections and custom controls

Buyer's note: Lovable is suitable only after setup checks: (1) EU region selected at workspace setup, (2) DPA with SCCs executed where needed, (3) training/data-collection opt-out confirmed, and (4) no stricter sector-specific restrictions apply.


4 Details by Offering

Free Plan ($0)

  • Training: May be used for training unless opted out via Lovable Support
  • Data collection: Prompts, generated code, project artifacts, usage telemetry, IP addresses
  • Retention: 90 days (logs), 30 days post-termination (customer data), 90 days (backups)
  • Pricing: Free (5 credits/day, projects private to your workspace)
  • When to use: Learning, open-source and personal projects, non-sensitive experimentation with EU hosting selected
  • When not to use: Proprietary code or EU personal data requiring contractual DPA (use Pro or higher)

Pro Plan ($25/month)

  • Training: May be used for training unless opted out via Lovable Support
  • Features: 100 credits/month, private projects, custom domains, priority support, EU hosting selectable
  • Pricing: $25/month
  • When to use: Individual developers with private or proprietary projects; EU personal data processing with DPA executed
  • When not to use: Large teams or organisations requiring shared workspaces (use Business) or advanced contractual protections (use Enterprise)

Business Plan ($50/month)

  • Training: May be used for training unless workspace-level data collection opt-out is enabled
  • Features: Shared workspaces, team collaboration, advanced permissions, SSO (SAML/OIDC), EU hosting selectable
  • Pricing: $50/month
  • When to use: Development teams requiring shared workspaces, SSO, and EU data compliance with DPA executed
  • When not to use: Organisations requiring bespoke SLAs, custom credits, or on-premise options (use Enterprise)

Enterprise Plan (Custom Pricing)

  • Training: May be used for training unless workspace-level data collection opt-out is enabled or the contract disables it; enhanced data governance controls negotiable
  • Additional features: Custom credits, DPA with EU SCCs and UK Addendum, subprocessor change notifications, on-premise deployment options, SLA guarantees, 24/7 support, SCIM provisioning
  • Compliance: Full DPA with Standard Contractual Clauses; ISO 27001:2022; SOC 2 Type II
  • Pricing: Custom (contact Lovable Sales)
  • When to use: Regulated industries, highly sensitive proprietary development, large organisations with strict procurement requirements
  • When not to use: Organisations with absolute data isolation policies requiring on-premise only (confirm deployment model with Lovable)

5 Data Processing Flow

[User describes app via natural language prompt]
  ↓
[Lovable Platform - region of your choice: EU / US / AU]
  ↓
[AI Processing Layer]
  ├─ OpenAI (contractual restrictions: no training on customer data)
  ├─ OpenRouter (contractual restrictions: no training on customer data)
  └─ Google Gemini (contractual restrictions: no training on customer data)
  ↓
[Code Generation & Compilation]
  ├─ Modal Sandboxes (code execution)
  ├─ GitHub integration (optional)
  └─ Supabase (database/auth for Lovable Cloud)
  ↓
[Data Residency]
  ├─ EU region: data stays in EU
  ├─ US region: data stays in US
  └─ AU region: data stays in AU
  ↓
[Deployment]
  ├─ Lovable Cloud (hosted on Supabase/AWS in selected region)
  ├─ GitHub export
  └─ Third-party hosting (Netlify, Vercel, etc.)

*EU hosting available; data does not move across regions*

6 Recommendations (GDPR-first)

  • Select EU region at workspace setup before uploading any personal or proprietary data.
  • Enable or request training opt-out before uploading proprietary code or personal data: Free/Pro via Lovable Support; Business/Enterprise in workspace Privacy & security settings.
  • Execute DPA with Standard Contractual Clauses (available at lovable.dev/data-processing-agreement).
  • For US or AU hosting, complete a Transfer Impact Assessment (TIA) documenting transfer risks and safeguards.
  • Do not use Lovable for special category data (Art. 9 GDPR) without confirming suitability with your DPO.
  • Contact the Lovable DPO at dpo@lovable.dev for data protection queries.

7 EU Rollout Checklist (Practical)

  1. Select EU hosting region - Configure EU data residency at workspace setup BEFORE uploading any data
  2. Confirm training opt-out - Free/Pro via Lovable Support; Business/Enterprise via workspace-level Data collection opt out under Privacy & security
  3. Execute DPA with SCCs - Download and sign DPA at lovable.dev/data-processing-agreement
  4. Review subprocessors - Check list at trust.lovable.dev; subscribe to change notifications
  5. Art. 30 records - Add Lovable to processing records; document EU hosting and SCCs as transfer safeguards
  6. Configure SSO/SCIM (Business/Enterprise) - Set up SAML/OIDC via Okta, Azure AD, or Google for access management

8 Procurement Quick Answers (EU)

Is Lovable GDPR-compliant?

Partially, depending on configuration. Lovable provides EU data residency options, ISO 27001:2022 and SOC 2 Type II, and a DPA with EU SCCs, but customers must confirm EU hosting and training/data-collection opt-out before sensitive EU use.

Can we use it for EU personal data?

✅ Yes, with proper setup: (1) EU region selected, (2) DPA with SCCs executed, (3) data classified appropriately. Enterprise recommended for regulated industries.

Is there EU data residency?

✅ Yes. EU, US, and AU regions are selectable. Data remains in the selected region and does not move across regions.

Do they train on our data?

No, not on identifiable data. Lovable states it does not use customer prompts, code, or identifiable Personal Data to train its models; its opt-out docs say only anonymized/aggregated customer data may be used for model training and other business purposes unless opted out. Free/Pro users request opt-out via Support; Business/Enterprise admins can enable workspace-level data collection opt-out.

Who is the DPO?

dpo@lovable.dev

What are the subprocessors?

AWS, GCP, Fly.io (infrastructure), OpenAI, Anthropic, Google Gemini, OpenRouter (AI), Supabase (database), GitHub, Cloudflare, ClickHouse, PostHog, Sentry. Full list: trust.lovable.dev

What happens to our data after termination?

Customer data deleted within 30 days; backups retained up to 90 days; logs retained 90 days.


9 Notes & Caveats

  • Training opt-out required - Lovable states it does not use identifiable Personal Data, customer prompts, or code to train its models; its opt-out docs say anonymized/aggregated customer data may be used for model training and other business purposes unless opted out. Confirm opt-out before using Lovable for EU personal data or proprietary code.
  • EU hosting is opt-in - EU data residency must be selected at workspace setup. It is not the default for all accounts; confirm your region setting.
  • Third-party AI providers - OpenAI, Google Gemini, and OpenRouter process AI requests under contractual restrictions that prohibit training on customer data.
  • Security Checker 2.0 - Launched August 2025 after 170+ Lovable-built apps were found with exposed credentials. Auto-scans for database misconfigurations and exposed API keys. Relevant for teams deploying Lovable-built apps in production.
  • Lovable 2.0 (Chat Mode) - AI agents and Chat Mode introduced; this expands the range of data processed by the platform.
  • Supabase integration - Lovable Cloud uses Supabase for database/auth; data governed by Supabase privacy policy (supabase.com/privacy).
  • AI Gateway pass-through - When using the AI Gateway, prompts are sent directly to third-party providers; Lovable does not store them unless they are explicitly saved.
  • Service Data - Lovable processes usage analytics, telemetry, and operational metrics as an independent controller for product improvement.

10 Disclaimer

This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) and privacy documentation before deploying Lovable in production environments - especially when processing EU personal data or proprietary code. WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation. Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for any mistakes, errors, inaccuracies, or for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.

Prepared and issued by WAIMAKERS B.V. - June 2026.


References

  • Lovable - Privacy Policy - https://lovable.dev/privacy
  • Lovable - Data Processing Agreement - https://lovable.dev/data-processing-agreement
  • Lovable - Security & Compliance - https://lovable.dev/security
  • Lovable - Manage training data and privacy - https://docs.lovable.dev/features/business/data-opt-out
  • Lovable - Subprocessors - https://trust.lovable.dev
