Skip to content
Security & trust

Safe to put on your site — proof, not a promise.

One script, pasted like Google Analytics. You should know exactly what it does before you install it — so here's the whole story, in plain language, with the parts you can verify yourself.

What the script does

💬

Shows a chat bubble

A floating assistant that answers your visitors in seconds, grounded only in the facts you gave us.

📈

Captures leads — with consent

When a visitor chooses to leave their details, it records the lead and the channel it came from. Nothing is captured without an explicit consent tick.

🔒

Reports only to your dashboard

Everything flows to your own Gainer dashboard and monthly report. That's the whole job.

What it will never do

These aren't policy promises — they're how the code is built. Each one is verifiable below.

Never run code from your visitors

Every chat message renders as plain text, never as HTML. Even if a malicious visitor types a <script>, it shows up as literal characters — it cannot execute on your page. This is the #1 thing that makes an embedded widget dangerous, and it's closed by design.

Never load third-party code

The script pulls nothing from ad networks, CDNs, or trackers. The only thing your browser downloads is our one file, from our one domain. No hidden supply chain.

Never read your page's secrets

It doesn't touch your visitors' passwords, cookies, or the contents of your other forms. It only knows about its own chat box.

Never sell or share your data

Data goes to our servers and nowhere else — no resale, no ad-tech, no third parties. You can even point it at your own endpoint.

Never fire without consent

Lead capture is blocked server-side unless the visitor explicitly consents (LGPD / GDPR ready out of the box).

Don't take our word for it — verify it yourself

Trust should be checkable. Four ways, in under five minutes:

1

Read every line

The script is small and unminified. Open it and read it — nothing is hidden.

2

Host it yourself

Prefer full control? Download the file and serve it from your own domain. Then it can never change without you.

3

Lock it down with a CSP

Add a Content-Security-Policy that only allows our domain — the widget runs fine inside it, and your site rejects anything else. We hand you the exact one line.

4

Scan it

Run the script URL through any public scanner (VirusTotal, securityheaders.com). Nothing to find.

Example CSP directive — replace with your Gainer domain:

Content-Security-Policy:
  script-src 'self' https://your-gainer-domain;
  connect-src 'self' https://your-gainer-domain;

Built defensively on our side too

No secrets in your browser

No API keys or credentials ship to the page — they live only on our server.

The AI can't be jailbroken into running code

Even a prompt-injected bot can only produce text, and text can't execute on your site (see above). The assistant is also gated in code to stay in role and never invent facts.

Server hardened against SSRF

When we scan a site you give us, the fetcher blocks internal, private, and cloud-metadata addresses — including DNS-rebinding — so it can't be turned against any infrastructure.

Abuse-capped & PII-masked

Public endpoints are rate-limited, and personal data is masked in our logs.

Still want to talk it through?

Send us the question. We'd rather answer it than have you install anything you're unsure about.