Privacy Policy

1. Introduction

This Privacy Policy describes how Lapu AI (“we”, “us”, “our”) collects, uses, discloses, and protects your personal information when you use our desktop application (macOS, Windows, Linux), website (lapu.ai), and related services (collectively, the “Services”).

We are committed to protecting your privacy. Lapu AI is built on a local-first architecture — your files and workspace data stay on your device by default. When you use AI features, prompts and context you choose to send are transiently routed through Lapu AI to the selected provider, but are not stored or retained by us.

2. Information we collect

2.1 Information you provide directly

• Account data: name and email address, collected during registration via our authentication provider (WorkOS).
• Payment information: billing details are processed by our payment processor (Stripe). We do not store full payment card numbers. See Stripe's Privacy Policy.
• Support and feedback: any information you provide when contacting us or submitting feedback through the Application.

2.2 Information collected automatically (website)

• Browser type, operating system, device identifiers, and IP address (anonymised where possible).
• Pages visited, referring URLs, and session duration, via PostHog (first-party analytics) and Vercel Analytics.
• Cookies and similar technologies — see Section 7 below.

2.3 Information collected automatically (desktop application)

• Anonymous usage analytics: feature usage patterns, crash reports, and performance metrics.
• Application version, operating system type and version.

2.4 Information processed locally or transiently

The following data stays on your device and is never stored on our servers:

• File contents and workspace data
• Desktop screenshots and clipboard data
• Local file system structure

When you use the AI assistant, prompts and selected context are transiently routed through Lapu AI to the AI provider for processing. This data is forwarded in real time and is not stored or retained by Lapu AI. AI model responses are delivered back to your device and are likewise not retained. See Section 5 for full details on AI data flows.

3. How we use your information

We use the information we collect for the following purposes:

• Provide and maintain the Service: account management, authentication, and subscription management.
• Process payments: billing, invoicing, and fraud prevention via Stripe.
• Service communications: transactional emails, security alerts, and updates about your account.
• Product improvement: we use anonymised, de-identified, and aggregated data to analyse usage patterns, diagnose issues, improve features, and develop new functionality. This data cannot be used to identify any individual user.
• Website analytics: with your consent, we collect event-level analytics (page views, referrer URLs, device type) via our analytics providers. This data may include device or session identifiers and is collected only when you opt in via cookie settings.
• Security and fraud prevention: detecting and preventing fraudulent or unauthorised activity.
• Legal compliance: meeting applicable legal obligations, responding to lawful requests.

Legal bases for processing (GDPR)

4. Anonymised and aggregated data

We may collect and use anonymised, de-identified, and aggregated data derived from your use of the Services for product improvement, research, analytics, benchmarking, and the development of new features. This data does not identify you personally and cannot be re-identified.

Examples include aggregated feature usage statistics, crash frequency rates, performance benchmarks, and general usage trends. We may publish or share such aggregated data with third parties (for example, in blog posts or industry reports), provided it does not identify any individual user.

5. AI model data transmission and third-party AI providers

5.1 How data flows to AI providers

When you use the AI assistant, prompts and context you provide are transmitted from your device to the AI provider used by Lapu AI (e.g. OpenAI, Anthropic, Google). Model selection is managed automatically by Lapu AI. Lapu AI does not store, log, or retain the content of prompts sent to AI providers or responses received.

5.2 What data is transmitted

Only the prompts, selected context, and file excerpts that you explicitly include in a request are transmitted to the AI provider. Your full file system, unrelated workspace data, and conversation history are not transmitted.

5.3 How we handle your data

We may use anonymised, de-identified, and aggregated data derived from your use of the Service — including interaction patterns, feature usage, and aggregated prompt metadata — to improve our products, develop new features, and train or fine-tune models that power Lapu AI. This data is processed in a way that does not identify you personally.

We do not share your raw, identifiable prompts or AI responses with third parties for their own training purposes.

Third-party AI providers have their own data use and retention policies. We encourage you to review them:

• OpenAI Privacy Policy
• Anthropic Privacy Policy
• Google Privacy Policy

6. Data sharing and disclosure

6.1 Service providers

We share personal information with the following categories of service providers, solely to operate and improve the Services:

• AI model providers — for processing AI requests on your behalf.
• Payment processors — for billing and payment processing.
• Authentication providers — for account management and login.
• Analytics providers — for anonymous usage analytics and performance monitoring.
• Cloud infrastructure providers — for hosting, storage, and content delivery.

6.2 We do not sell your personal information

We do not sell, rent, or trade your personal information to third parties. We do not sell or share personal information for cross-contextual behavioural advertising, as defined under the California Consumer Privacy Act (CCPA).

6.3 Legal disclosures

We may disclose personal information if required to do so by law, in response to valid legal process (e.g. a court order or subpoena), to protect our rights, safety, or property, or in connection with a merger, acquisition, or sale of assets.

7. Cookies and tracking technologies

Our website uses cookies and similar technologies. You can manage your cookie preferences at any time using the cookie settings link in the website footer.

7.1 Types of cookies

• Strictly necessary: authentication session, security tokens, and cookie consent preferences. These cannot be disabled.
• Analytics: PostHog (first-party, no third-party cookies) and Vercel Analytics (Web Vitals, page views). These require your consent.

7.2 Do Not Track signals

We honour Do Not Track (DNT) browser signals. When we detect a DNT signal, analytics cookies are not loaded unless you have explicitly opted in.

8. International data transfers

Your personal information may be processed in countries outside your country of residence, including the United States, where our service providers operate. AI providers may also process data in their own jurisdictions.

Where we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) approved by the European Commission.

9. Data retention

Upon account deletion, personal data is removed within 90 days. Certain data may be retained longer if required by law.

10. Data security

We implement appropriate technical and organisational measures to protect your personal information, including:

• Encryption in transit (TLS/SSL) and at rest
• Access controls and secure authentication
• Regular security assessments and monitoring
• Incident response procedures

No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

11. Your privacy rights

11.1 Rights under GDPR (EU/EEA residents)

If you reside in the EU or EEA, you have the following rights under the General Data Protection Regulation:

• Access — request a copy of your personal data (Art. 15).
• Rectification — correct inaccurate data (Art. 16).
• Erasure — request deletion of your data (“right to be forgotten”, Art. 17).
• Restriction — restrict processing in certain circumstances (Art. 18).
• Data portability — receive your data in a structured, machine-readable format (Art. 20).
• Object — object to processing based on legitimate interest (Art. 21).
• Withdraw consent — where processing is based on consent (Art. 7(3)).
• Complaint — lodge a complaint with your local Data Protection Authority.

We respond to GDPR requests within 30 days, extendable by 60 days for complex requests.

11.2 Rights under CCPA/CPRA (California residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

• Right to Know — request the categories and specific pieces of personal information we have collected.
• Right to Delete — request deletion of your personal information.
• Right to Correct — request correction of inaccurate information.
• Right to Opt-Out — we do not sell or share your personal information, but you may exercise this right at any time.
• Right to Non-Discrimination — we will not discriminate against you for exercising your rights.

We respond to CCPA requests within 45 days, extendable by 45 days for complex requests. You may also designate an authorised agent to make requests on your behalf.

11.3 Other jurisdictions

If you reside in a jurisdiction with applicable data protection laws (including the UK GDPR, Brazil's LGPD, or Canada's PIPEDA), you may have similar or additional rights. Contact us to exercise them.

11.4 How to exercise your rights

You can submit a privacy request by emailing [email protected]. You may also request account deletion or data export by contacting us at the same address. We may need to verify your identity before processing your request.

12. Children's privacy

Lapu AI is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected such data, we will promptly delete it. If you believe a child under 16 has provided us with personal information, please contact us at [email protected].

13. Automated decision-making

Lapu AI does not use automated decision-making or profiling that produces legal or similarly significant effects on you. AI features in the Application are tools that assist you — all final decisions remain with you.

14. Third-party links and services

The Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or a notice within the Application at least 30 days before they take effect. The updated policy will be published on this page with a new effective date. Continued use of the Services after the changes take effect constitutes your acceptance of the updated policy.

16. Dispute resolution and complaints

If you have a concern about our privacy practices, please contact us at [email protected]. We will endeavour to resolve your concern promptly.

EU/EEA residents may also lodge a complaint with their local Data Protection Authority. A list of authorities is available on the European Data Protection Board website.

17. Contact

For any privacy-related questions or requests:

• Privacy inquiries: [email protected]
• Legal inquiries: [email protected]