Privacy Policy

This Privacy Policy applies to information processed by Lunen.ai (Lunen, we, our, or us) through our websites, hosted application, APIs, and related services (collectively, the Service).

If your employer or organization uses Lunen under a separate agreement, that organization may be the data controller for Customer Content submitted to the Service, and Lunen acts as a processor or service provider for that data.

• Account and identity data, such as name, email address, organization, and role.
• Authentication and profile data provided by identity providers (for example, SSO providers).
• Usage and device data, such as log records, IP address, browser type, session timestamps, and performance telemetry.
• Customer Content, including prompts, uploaded files, conversation context, model outputs, and tool execution metadata.
• Support and communications data when you contact us.
• Billing and transaction data required to administer subscriptions.

• Provide, operate, secure, and maintain the Service.
• Authenticate users, enforce authorization, and prevent fraud or abuse.
• Process prompts and requests, including routing data to configured model providers.
• Monitor reliability, debug incidents, and improve product performance and features.
• Communicate about account activity, service updates, billing, and support.
• Comply with legal obligations and enforce our agreements.

Where required by law, we rely on one or more legal bases to process personal information, including:

• Performance of a contract with you or your organization.
• Legitimate interests, such as security, abuse prevention, and product operations.
• Compliance with legal obligations.
• Consent, where required and where you have provided it.

To provide AI capabilities, Lunen may send portions of Customer Content to third-party AI providers acting as subprocessors or independent processors, depending on your configuration and contractual setup.

• Examples of providers may include OpenAI, Anthropic, Google, and other providers made available in the Service.
• Data sent may include prompts, uploaded context, instructions, message history, and related metadata needed to generate responses.
• Providers may process data for inference, safety, abuse monitoring, and service integrity.
• We seek enterprise-grade controls, including data-use restrictions where available, but provider retention and processing terms vary by provider and plan.
• You are responsible for configuring provider choices and settings that meet your compliance obligations.

We may share information with the following categories of recipients:

• Service providers and subprocessors that support hosting, infrastructure, analytics, monitoring, support, and billing.
• Identity providers and authentication services to enable secure access.
• AI and model providers selected or enabled for your workspace.
• Professional advisors, auditors, and legal counsel when required.
• Regulators, law enforcement, or other third parties when required by law or to protect rights, safety, and security.
• Potential acquirers in connection with a merger, acquisition, financing, or sale of assets.

We and our service providers may process information in countries other than your own. Where required, we use appropriate safeguards for cross-border transfers, such as contractual protections and comparable transfer mechanisms.

We retain personal information for as long as needed to provide the Service, meet legal obligations, resolve disputes, and enforce agreements. Retention periods vary based on data type, account settings, legal requirements, and operational needs.

We implement technical and organizational safeguards designed to protect information from unauthorized access, disclosure, alteration, and destruction. No system can be guaranteed secure, and you should use appropriate administrative and technical controls in your own environment.

Depending on your location, you may have rights to:

• Access, correct, delete, or restrict certain personal information.
• Receive a portable copy of certain data.
• Object to or limit certain processing activities.
• Withdraw consent where processing is based on consent.

You can request to exercise applicable rights by contacting privacy@lunen.ai. We may need to verify your identity before responding.

The Service is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided personal information, contact us so we can investigate and take appropriate action.

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated version and update the Last Updated date above. Continued use of the Service after the effective date of an updated policy means the updated policy applies.

Questions or requests about this Privacy Policy can be sent to privacy@lunen.ai.