Free check for Lovable apps: are your Supabase tables open to the public?
A really common thing with Lovable apps is that Row Level Security never gets turned on, which means anyone with your public key (it's right there in the page) can read your whole database. Easy to miss, easy to fix.
I built a free scanner that checks this and a few other common leaks (exposed keys, reachable .env, source maps). Paste your app URL and it tells you in a few seconds. Read-only, never logs in.
task-bounty.com/scan. Run it on your own app and let me know what it finds, happy to walk you through fixing anything.