Lovable
Lovable Labs
Business Plan Price
$25/mo (Pro), $50/mo (Business) - billed in USD
Enterprise Features
EU/US/AU hosting regions, ISO 27001:2022, SOC 2 Type II, SAML/OIDC SSO, SCIM, DPO appointed
Last Updated
March 23, 2026
Lovable - GDPR & Data Privacy Overview for European Clients
Version: March 2026 - prepared by WAIMAKERS B.V.
1 Purpose
This overview explains how Lovable (Free, Pro, Teams, Enterprise) handles data in relation to GDPR, with a focus on European customers. Lovable is an AI-powered platform by Lovable Labs Incorporated (Delaware, USA / Stockholm, Sweden) that enables users to build full-stack web applications through natural language prompts.
2 Comparison of Lovable Tiers (EU focus)
| Tier | Training on your data? | Data retention | EU residency | Compliance | Price |
|---|---|---|---|---|---|
| Free | ✅ Not used for training (all plans) | 90 days logs, 30 days post-term | ✅ EU selectable | SOC 2 Type II, ISO 27001:2022 | $0 (5 credits/day, public projects only) |
| Pro | ✅ Not used for training (all plans) | 90 days logs, 30 days post-term | ✅ EU selectable | SOC 2 Type II, ISO 27001:2022 | $25/month (100 credits, private projects) |
| Business | ✅ Not used for training (all plans) | 90 days logs, 30 days post-term | ✅ EU selectable | SOC 2 Type II, ISO 27001:2022 | $50/month (SSO, shared workspaces) |
| Enterprise | ✅ Not used for training (all plans) | Custom | ✅ EU selectable | SOC 2 Type II, ISO 27001:2022, DPA with SCCs | Custom pricing |
Notes for Europe
- Training policy: Customer prompts, code, and workspace data are not used to train Lovable models. This applies to all plans without requiring an opt-out request.
- Third-party AI providers: OpenAI, Anthropic, and Google Gemini operate under contractual restrictions on data training and retention. They do not train on customer data passed through Lovable.
- EU hosting: Data remains in the region you select (EU, US, or AU) and does not move across regions. EU data stays in EU infrastructure.
- Security: SAML/OIDC (Okta, Azure AD, Google), SCIM provisioning, automated vulnerability scanning, WAF, multi-tenant architecture with logical isolation.
- DPO: Data Protection Officer appointed at dpo@lovable.dev.
- Security Checker 2.0 (Aug 2025): Lovable launched Security Checker 2.0 following the discovery of 170+ apps with exposed credentials. The tool automatically scans projects for database misconfigurations and exposed API keys.
- Lovable 2.0 / Chat Mode: Lovable launched Lovable 2.0 with Chat Mode and AI agents, expanding the platform beyond code generation.
- Data retention:
  - Log data: 90 days
  - Customer data: 30 days after account termination
  - Backups: up to 365 days
  - Service data: retained for legitimate business purposes
- DPA availability: Data Processing Agreement with EU Standard Contractual Clauses, UK Addendum, and Swiss Addendum available at lovable.dev/data-processing-agreement
- Pricing: Global pricing in USD.
3 Is Lovable GDPR-Compliant?
Short answer: ✅ Compliant. Lovable now provides EU data residency, does not train on customer data across all plans, holds ISO 27001:2022 and SOC 2 Type II certifications, and offers a DPA with EU SCCs. This is a significant upgrade from its earlier posture.
What applies to all plans:
- No training on customer data - Customer prompts, code, and workspace data are not used to train Lovable models on any plan
- EU data residency - Choose EU, US, or AU hosting; data stays in the selected region
- DPA with EU SCCs - Data Processing Agreement with Standard Contractual Clauses (Module 2: Controller-to-Processor), UK Addendum, and Swiss Addendum available
- Strong certifications - ISO 27001:2022 and SOC 2 Type II confirmed
- Transparent subprocessors - Full list at trust.lovable.dev including OpenAI, Anthropic, Google Gemini, AWS, Supabase
- Breach notification - 72-hour notification commitment
- DPO appointed - Contact dpo@lovable.dev
What's plan-dependent:
- Custom retention - Enterprise can negotiate retention periods
- Enhanced contractual protections - More robust SLA guarantees, subprocessor change notifications, and on-premise options on Enterprise tier
- SSO/SCIM - SAML/OIDC and SCIM provisioning available; check tier applicability with Lovable
What that means in practice:
- For non-sensitive development projects: Free or Pro is suitable with EU hosting selected
- For proprietary code or EU personal data: Pro or Teams with EU hosting selected and DPA executed
- For regulated industries (finance, healthcare, government): Enterprise recommended for full contractual protections and custom controls
Buyer's note: Lovable is now suitable for EU organisations across all plan tiers, provided (1) EU region is selected at workspace setup, (2) DPA with SCCs is executed, and (3) no stricter sector-specific restrictions apply.
4 Details by Offering
Free Plan ($0)
- Training: Not used for training on any plan
- Data collection: Prompts, generated code, project artifacts, usage telemetry, IP addresses
- Retention: 90 days (logs), 30 days post-termination (customer data), 365 days (backups)
- Pricing: Free (5 credits/day, public projects only)
- When to use: Learning, public open-source projects, non-sensitive experimentation with EU hosting selected
- When not to use: Proprietary code or EU personal data requiring contractual DPA (use Pro or higher)
Pro Plan ($25/month)
- Training: Not used for training on any plan
- Features: 100 credits/month, private projects, custom domains, priority support, EU hosting selectable
- Pricing: $25/month
- When to use: Individual developers with private or proprietary projects; EU personal data processing with DPA executed
- When not to use: Large teams or organisations requiring shared workspaces (use Teams) or advanced contractual protections (use Enterprise)
Business Plan ($50/month)
- Training: Not used for training on any plan
- Features: Shared workspaces, team collaboration, advanced permissions, SSO (SAML/OIDC), EU hosting selectable
- Pricing: $50/month
- When to use: Development teams requiring shared workspaces, SSO, and EU data compliance with DPA executed
- When not to use: Organisations requiring bespoke SLAs, custom credits, or on-premise options (use Enterprise)
Enterprise Plan (Custom Pricing)
- Training: Not used for training on any plan; enhanced data governance controls negotiable
- Additional features: Custom credits, DPA with EU SCCs/UK/Swiss Addendums, subprocessor change notifications, on-premise deployment options, SLA guarantees, 24/7 support, SCIM provisioning
- Compliance: Full DPA with Standard Contractual Clauses; ISO 27001:2022; SOC 2 Type II
- Pricing: Custom (contact Lovable Sales)
- When to use: Regulated industries, highly sensitive proprietary development, large organisations with strict procurement requirements
- When not to use: Organisations with absolute data isolation policies requiring on-premise only (confirm deployment model with Lovable)
5 Data Processing Flow
```text
[User describes app via natural language prompt]
        ↓
[Lovable Platform — region of your choice: EU / US / AU]
        ↓
[AI Processing Layer]
 ├─ OpenAI (contractual restrictions: no training on customer data)
 ├─ Anthropic (contractual restrictions: no training on customer data)
 └─ Google Gemini (contractual restrictions: no training on customer data)
        ↓
[Code Generation & Compilation]
 ├─ Modal Sandboxes (code execution)
 ├─ GitHub integration (optional)
 └─ Supabase (database/auth for Lovable Cloud)
        ↓
[Data Residency]
 ├─ EU region: data stays in EU
 ├─ US region: data stays in US
 └─ AU region: data stays in AU
        ↓
[Deployment]
 ├─ Lovable Cloud (hosted on Supabase/AWS in selected region)
 ├─ GitHub export
 └─ Third-party hosting (Netlify, Vercel, etc.)
```
*EU hosting available; data does not move across regions*
6 Recommendations (GDPR-first)
- Select EU region at workspace setup before uploading any personal or proprietary data.
- Execute DPA with Standard Contractual Clauses (available at lovable.dev/data-processing-agreement).
- For US or AU hosting, complete a Transfer Impact Assessment (TIA) documenting transfer risks and safeguards.
- Do not use Lovable for special category data (Art. 9 GDPR) without confirming suitability with your DPO.
- Contact the Lovable DPO at dpo@lovable.dev for data protection queries.
7 EU Rollout Checklist (Practical)
- Select EU hosting region - Configure EU data residency at workspace setup BEFORE uploading any data
- Execute DPA with SCCs - Download and sign DPA at lovable.dev/data-processing-agreement
- Review subprocessors - Check list at trust.lovable.dev; subscribe to change notifications
- Art. 30 records - Add Lovable to processing records; document EU hosting and SCCs as transfer safeguards
- Configure SSO/SCIM (Teams/Enterprise) - Set up SAML/OIDC via Okta, Azure AD, or Google for access management
8 Procurement Quick Answers (EU)
Is Lovable GDPR-compliant?
✅ Yes. Lovable provides EU data residency, does not train on customer data (all plans), holds ISO 27001:2022 and SOC 2 Type II, and offers DPA with EU SCCs.
Can we use it for EU personal data?
✅ Yes, with proper setup: (1) EU region selected, (2) DPA with SCCs executed, (3) data classified appropriately. Enterprise recommended for regulated industries.
Is there EU data residency?
✅ Yes. EU, US, and AU regions are selectable. Data remains in the selected region and does not move across regions.
Do they train on our data?
✅ No. Customer prompts, code, and workspace data are not used to train Lovable models. This applies to all plans. Third-party AI providers (OpenAI, Anthropic, Google Gemini) operate under contractual restrictions on data training and retention.
Who is the DPO?
A Data Protection Officer is appointed; contact dpo@lovable.dev.
What are the subprocessors?
AWS, GCP, Fly.io (infrastructure), OpenAI, Anthropic, Google Gemini (AI), Supabase (database), GitHub, Cloudflare, ClickHouse, PostHog, Sentry. Full list: trust.lovable.dev
What happens to our data after termination?
Customer data deleted within 30 days; backups retained up to 365 days; logs retained 90 days.
9 Notes & Caveats
- No training on customer data (all plans) - Unlike the previous policy, Lovable no longer uses customer data for model training by default on any plan. No opt-out is needed.
- EU hosting is opt-in - EU data residency must be selected at workspace setup. It is not the default for all accounts; confirm your region setting.
- Third-party AI providers - OpenAI, Anthropic, and Google Gemini process AI requests under contractual restrictions that prohibit training on customer data.
- Security Checker 2.0 - Launched August 2025 after 170+ Lovable-built apps were found with exposed credentials. Auto-scans for database misconfigurations and exposed API keys. Relevant for teams deploying Lovable-built apps in production.
- Lovable 2.0 (Chat Mode) - AI agents and Chat Mode introduced; expands surface area for data processed by the platform.
- Supabase integration - Lovable Cloud uses Supabase for database/auth; data governed by Supabase privacy policy (supabase.com/privacy).
- AI Gateway pass-through - When the AI Gateway is used, prompts are sent directly to the third-party providers; Lovable does not store them unless they are explicitly saved.
- Service Data - Lovable processes usage analytics, telemetry, and operational metrics as an independent controller for product improvement.
10 Disclaimer
This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) and privacy documentation before deploying Lovable in production environments - especially when processing EU personal data or proprietary code. WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation. Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for any mistakes, errors, inaccuracies, or for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.
Prepared and issued by WAIMAKERS B.V. - March 2026.
References
- Lovable - Privacy Policy - https://lovable.dev/privacy
- Lovable - Data Processing Agreement - https://lovable.dev/data-processing-agreement
- Lovable - Security & Compliance - https://lovable.dev/security
- Lovable - Subprocessors - https://trust.lovable.dev