Security & Data Protection

Last updated: December 11, 2025

We know you’re trusting Banani with product ideas, designs, and sometimes real user data. Our job is simple: keep it secure, keep it private, and be transparent about how we use it.

This page explains how we handle data and security for the Banani AI UI design platform.


1. Overview

Banani is an AI-powered UI design tool used by product teams, designers, engineers, and founders. Security and privacy are built into how we design, build, and operate the product.

We focus on:

  • Strong technical security (encryption, infrastructure, access controls)

  • Clear rules for how we collect and use data

  • Respecting your rights over your information


2. Data Protection

Encryption

  • In transit: All communication between your browser and Banani is encrypted using TLS 1.3.

  • At rest: Stored data is encrypted using AES-256.

  • Database: We use PostgreSQL with enterprise-grade security controls.

  • Access control: Role-based permissions and monitoring limit access to production systems.

Infrastructure Security

  • Hosting: Banani runs on secure cloud infrastructure with hardened configurations.

  • Network security: Multi-layer firewall and intrusion detection help protect against attacks.

  • Backups: Encrypted backups with point-in-time recovery capabilities.


3. What Data We Collect

Account & Billing Data

To create and manage your account, we collect:

  • Name, email address, and basic profile information

  • Authentication details (managed via NextAuth)

  • Subscription and billing data (handled by providers like Stripe, Apple Pay, and Google Pay)

Product & Usage Data

To run the product and improve it, we process:

  • Your design projects: flows, chats, frames, and generated designs

  • Text prompts, PRDs, screenshots, and reference images you upload

  • Figma URLs you provide as references

  • Usage patterns, feature adoption, and performance metrics (via tools like Amplitude)

  • Application performance and error logs (via Sentry)

Technical Data

Like most SaaS products, we collect:

  • Browser and device information

  • IP address (which may be anonymized or truncated)

  • System and security logs


4. AI Processing

Banani uses AI models to generate and refine UI designs.

We process:

  • Design prompts and other text inputs

  • Generated content (layouts, components, screens)

  • Interaction data, such as your feedback on AI suggestions

Model Providers

We work with leading AI providers, including:

  • OpenAI (GPT models)

  • Google AI (Gemini models)

Your inputs may be sent to these providers only to generate the results you request. Under our configuration and the providers' enterprise terms:

  • We do not permit providers to use your data to train their models.

  • We do not sell or share your prompts or designs for advertising.


5. Third-Party Services

We rely on specialized third parties to operate Banani.

Core Services

  • Database & ORM: PostgreSQL with Drizzle ORM

  • Authentication: NextAuth for secure session management

Analytics & Monitoring

  • GA4, dub.co for web analytics

  • Amplitude for product analytics and usage insights

  • Sentry for error monitoring and performance tracking

  • Intercom for customer support and in-app communication

Payments

  • Stripe and mobile payment providers (e.g., Apple Pay, Google Pay) for secure, PCI-compliant payment processing.

We share only the minimum data needed for each provider to perform their service, under appropriate contractual safeguards.

6. Application & Operational Security

We treat your projects and design data as sensitive information. All data is encrypted in transit and at rest, access to production systems is tightly restricted, and we log and monitor access to critical infrastructure. We run regular security reviews and work with external experts to keep our controls aligned with industry best practices. We’re designing our security controls to align with SOC 2 best practices and plan to pursue a formal SOC 2 audit as we grow.

Application Security

  • Secure authentication and session management

  • CSRF and XSS protections (including a Content Security Policy and input sanitization)

  • Protection against SQL injection via parameterized queries and ORM usage

  • Regular security-focused code reviews

Operational Security

  • Principle of least privilege for all system and data access

  • Regular security awareness training for staff


7. Privacy Controls & Data Minimization

We aim to collect only the data needed to provide and improve Banani.

  • Data minimization: No unnecessary fields or long-term tracking where it isn’t needed.

  • Purpose limitation: Data is used only for operating, improving, and securing the product, and for communicating with you.

  • Retention: Data is retained only as long as necessary for these purposes or as required by law, then deleted or anonymized.

You control what you upload (e.g., screenshots or references). If those include real user data, you are responsible for having the right to process that data — we are responsible for keeping it secure.


8. Your Rights and Choices

Depending on your location and applicable law (e.g., GDPR, CCPA), you may have rights such as:

  • Access: Request a copy of your personal data.

  • Correction: Update inaccurate or incomplete information.

  • Deletion: Request deletion of your data or close your account.

  • Portability: Request export of your data in a structured format.

  • Restriction / objection: Limit or object to certain types of processing.

We also provide:

  • Project deletion: Delete specific projects, designs, or content.

  • Account deletion: Request full account and data removal (subject to legal retention).

  • Communication controls: Unsubscribe from marketing emails; manage product and support notifications.

To exercise these rights, contact us at hi@banani.ai and we’ll respond within a reasonable time, consistent with applicable regulations.


9. Compliance

We design Banani with global privacy and security standards in mind, including:

  • GDPR and other data protection regulations

  • Industry best practices such as OWASP and NIST guidance

If you maintain specific compliance requirements (e.g., SOC 2, ISO 27001, or detailed DPA needs), please reach out so we can share our current security controls and data handling practices and discuss your requirements.

We only claim specific certifications (such as SOC 2 Type II or ISO 27001) once audits and certifications are formally completed.


10. Data Breaches & Incident Response

If we ever experience a security incident that affects your data, we will:

  1. Detect and contain the incident as quickly as possible.

  2. Investigate scope, impact, and root cause.

  3. Remediate vulnerabilities and strengthen controls.

  4. Notify affected customers and regulators where required, typically within 72 hours of confirming a notifiable breach.

You can report suspected security issues directly to hi@banani.ai.


11. International Data Transfers

We may process and store data in different regions, depending on our infrastructure and providers.

When we transfer personal data across borders, we use appropriate safeguards, such as:

  • Standard Contractual Clauses (SCCs)

  • Other legally recognized transfer mechanisms

  • Additional technical and organizational measures when needed

If you have specific data residency or localization requirements, contact us to discuss options.


12. Updates to This Policy

We may update this page as Banani and applicable laws evolve.

  • We’ll change the “last updated” date when we do.

  • For material changes, we may also notify you in-app or by email.

Last updated: December 11, 2025


13. Contact

For privacy, data protection, or security questions and reports, contact us at:

  • hi@banani.co