Lovable Clarifies Public Project Chat Visibility
Summary
Lovable explains what "public" meant historically and why chat and code were visible for public projects. The announcement outlines timeline changes including free tier private projects in May 2025, private-by-default in December 2025, an accidental re-enable of public chats in February, HackerOne reporting outcomes, and immediate reversion and fixes to protect user privacy.
**Lovable statement regarding visibility of chat messages and code on Lovable projects with public visibility settings.**
We’re sorry our initial statement didn't properly address our mistake. Here's what a public project on Lovable means, and how we got to where we are today:
In the early days, people didn't know what Lovable was capable of. So we wanted to make it easy to explore what others were building, as a way to spark ideas and lower the barrier to getting started. Like scrolling GitHub or Dribbble: you browse projects to see what's possible, then go build your own.
When you create a project on GitHub, you can make it private or public. Lovable worked the same. Users had a "Public" or "Private" option right in the chatbox. A public project meant the entire project was public, both chat and code. “Just like a public project on GitHub,” we thought.
Over time, we realized this was confusing. Many users thought "public" just meant others could see their published app, not the chat of an unpublished project. That's reasonable.
On the free tier, users originally couldn't create private projects. They had to upgrade to a paid plan to do so. In May 2025, we changed this: users on the free tier could choose to make their projects private. For enterprise customers, the public visibility setting was disabled altogether. And in December 2025, we switched to private by default across all tiers.
We also retroactively patched our API so public project chats couldn't be accessed, no matter what. Unfortunately, in February, while unifying permissions in our backend, we accidentally re-enabled access to chats on public projects.
This was reported through our vulnerability disclosure program (via HackerOne). Unfortunately, the reports were closed without escalation because our HackerOne partners thought that seeing public projects’ chats was the intended behaviour.
Upon learning this, we immediately reverted the change to make all public projects’ chats private again. We appreciate the researchers who uncovered this.
We understand that pointing to documentation issues alone was not enough here. We’ll do better.
Previous statement:
We were made aware of concerns regarding the visibility of chat messages and code on Lovable projects with public visibility settings.
To be clear: We did not suffer a data breach.
Our documentation of what “public” implies was unclear, and that’s a failure on us.
Specifically for public projects, chat messages used to be visible — this is now no longer possible.
When it comes to code of public projects: That is intentional behavior. We have experimented with different UX for how the build history is surfaced on public projects, but the core behavior has been consistent and by design.
Importantly, for enterprise customers, being able to set visibility to public for new projects has been disabled since May 25, 2025.