Security
How Jeanette protects your account and data.
Sign-in methods
Jeanette supports multiple authentication methods, and you can use more than one on the same account.
Email and password
Sign in with your email address and a password. Passwords are hashed with bcrypt (12 rounds) and never stored in plain text.
Changing your password requires email confirmation — Jeanette sends a verification link to your address before the change takes effect.
OAuth (Google / Microsoft)
Sign in using your Google or Microsoft account via OAuth 2.0 with PKCE. Jeanette never sees your Google or Microsoft password.
You can link multiple sign-in methods to one account under Settings → Account → Sign-in methods.
Removing an OAuth method: You cannot remove your only sign-in method. If Google OAuth is your only sign-in method, set a password before removing it.
Email change verification
Changing your email address requires a two-step process:
- You request the change and enter your current password (if set)
- Jeanette sends a verification link to the new email address
- Your email only changes after you click the link
After a successful email change, a notification is sent to your old email with a 7-day revert link in case the change was unauthorised.
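The flow above can be modelled in a few lines of Python. This is an added illustration, not Jeanette's code: the class name, the in-memory token store, the one-hour verification lifetime and the `password_ok` flag (the result of the caller's password check) are assumptions, while the 7-day revert window comes from the text.

```python
import hashlib
import secrets

REVERT_WINDOW = 7 * 24 * 3600   # 7-day revert link, as stated on the page
VERIFY_TTL = 60 * 60            # assumed: the page gives no verification-link lifetime


def _digest(token):
    # Store only a hash of each link token, so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class EmailChangeFlow:
    """Hypothetical model of the request -> verify -> revert sequence."""
    def __init__(self, email):
        self.email = email
        self.pending = {}   # token digest -> (kind, address, expires_at)

    def _issue(self, kind, address, expires_at):
        token = secrets.token_urlsafe(32)
        self.pending[_digest(token)] = (kind, address, expires_at)
        return token

    def request_change(self, new_email, password_ok, now):
        """Request step: return the token to mail to new_email; the address is unchanged."""
        if not password_ok:
            raise PermissionError("current password required")
        return self._issue("verify", new_email, now + VERIFY_TTL)

    def follow_link(self, token, now):
        """Consume a single-use link; a verify link yields a revert token, a revert link None."""
        entry = self.pending.pop(_digest(token), None)
        if entry is None or now > entry[2]:
            raise ValueError("invalid or expired link")
        kind, address, _ = entry
        old, self.email = self.email, address
        # Drop other pending change requests, but keep earlier revert links alive.
        self.pending = {d: e for d, e in self.pending.items() if e[0] != "verify"}
        if kind == "verify":
            # Mailed to the OLD address so its owner can undo an unauthorised change.
            return self._issue("revert", old, now + REVERT_WINDOW)
        return None
```

Revert links survive later email changes in this model, so a second change cannot be used to cancel the original owner's revert link.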
Credential encryption
Third-party API credentials (Gmail tokens, connector API keys) are encrypted at rest using AES-256-GCM. They are never logged or exposed in plain text.
Data privacy
- Your conversations, memories, and account data are private to your account
- Data is not shared with other users
- Data is not used to train AI models
- You can request full deletion of your account and data by contacting support
Session management
Sessions are stored in secure, httpOnly cookies with a 30-day expiry. Sessions are invalidated on logout.
Reporting security issues
If you discover a security vulnerability, please contact us at security@jeanette.ai. We treat all reports seriously and respond promptly.