Safe to put on your site — proof, not a promise.
One script, pasted like Google Analytics. You should know exactly what it does before you install it — so here's the whole story, in plain language, with the parts you can verify yourself.
What the script does
Shows a chat bubble
A floating assistant that answers your visitors in seconds, grounded only in the facts you gave us.
Captures leads — with consent
When a visitor chooses to leave their details, it records the lead and the channel it came from. Nothing is captured without an explicit consent tick.
Reports only to your dashboard
Everything flows to your own Gainer dashboard and monthly report. That's the whole job.
What it will never do
These aren't policy promises — they're how the code is built. Each one is verifiable below.
Never run code from your visitors
Every chat message renders as plain text, never as HTML. Even if a malicious visitor types a <script>, it shows up as literal characters — it cannot execute on your page. This is the #1 thing that makes an embedded widget dangerous, and it's closed by design.
Never load third-party code
The script pulls nothing from ad networks, CDNs, or trackers. The only thing your browser downloads is our one file, from our one domain. No hidden supply chain.
Never read your page's secrets
It doesn't touch your visitors' passwords, cookies, or the contents of your other forms. It only knows about its own chat box.
Never sell or share your data
Data goes to our servers and nowhere else — no resale, no ad-tech, no third parties. You can even point it at your own endpoint.
Never fire without consent
Lead capture is blocked server-side unless the visitor explicitly consents (LGPD / GDPR ready out of the box).
Don't take our word for it — verify it yourself
Trust should be checkable. Four ways, in under five minutes:
Read every line
The script is small and unminified. Open it and read it — nothing is hidden.
Host it yourself
Prefer full control? Download the file and serve it from your own domain. Then it can never change without you.
Lock it down with a CSP
Add a Content-Security-Policy that only allows our domain — the widget runs fine inside it, and your site rejects anything else. We hand you the exact one line.
Scan it
Run the script URL through any public scanner (VirusTotal, securityheaders.com). Nothing to find.
Example CSP directive — replace with your Gainer domain:
Content-Security-Policy: script-src 'self' https://your-gainer-domain; connect-src 'self' https://your-gainer-domain;
Built defensively on our side too
No secrets in your browser
No API keys or credentials ship to the page — they live only on our server.
The AI can't be jailbroken into running code
Even a prompt-injected bot can only produce text, and text can't execute on your site (see above). The assistant is also gated in code to stay in role and never invent facts.
Server hardened against SSRF
When we scan a site you give us, the fetcher blocks internal, private, and cloud-metadata addresses — including DNS-rebinding — so it can't be turned against any infrastructure.
Abuse-capped & PII-masked
Public endpoints are rate-limited, and personal data is masked in our logs.
Still want to talk it through?
Send us the question. We'd rather answer it than have you install anything you're unsure about.