Lunen.ai
Legal

Privacy Policy

This Privacy Policy explains how Lunen collects, uses, discloses, retains, and protects personal information, when you use our websites, SaaS platform, connected services, remote MCP servers, APIs, workflows, and related services.

Effective Date: February 24, 2026 ยท Last Updated: April 22, 2026

1. Scope

This Privacy Policy applies to information processed by Lunen.ai (Lunen, we, our, or us) through our websites, hosted application, APIs, connected services, remote MCP servers enabled through the Service, and related services (collectively, the Service).

If your employer or organization uses Lunen under a separate agreement, that organization may be the data controller for Customer Content submitted to the Service, and Lunen acts as a processor or service provider for that data.

2. Information We Collect

  • Account and identity data, such as name, email address, organization, and role.
  • Authentication and profile data provided by identity providers, for example SSO providers.
  • Connected service data, including OAuth authorization information, access tokens, refresh tokens if issued, granted scopes, and connection metadata for third-party services a user enables.
  • Usage and device data, such as log records, IP address, browser type, session timestamps, and performance telemetry.
  • Customer Content, including prompts, uploaded files, conversation context, model outputs, and tool execution metadata, which is collected so users can interact with the Service and is not used for any other purpose.
  • Support and communications data when you contact us.

3. Google API Services Data We Access

If a user or an authorized organization administrator enables a Google integration through the Service, Lunen may request access to Google data needed for that integration. Through the Google Workspace integration, we use Google data to enable your agents, workflows, and related Service features to perform the actions you authorize. Lunen does not access Google data unless the relevant integration is enabled and the user authorizes the requested access.

  • BigQuery. For users who enable the BigQuery MCP server, Lunen may access BigQuery data and metadata so user-authorized agents and workflows can read information from and take actions in BigQuery through the Service.
  • Google Calendar. For users who enable Google Calendar integrations through the Lunen MCP integration, Lunen may access Google Calendar data so user-authorized agents and workflows can read information from and manage events in Google Calendar through the Service.
  • Gmail. For users who enable Gmail integrations through the Lunen MCP integration, Lunen may access Gmail data so user-authorized agents and workflows can read information from and take user-authorized actions in Gmail through the Service.
  • Google Drive. For users who enable Google Drive integrations through the Lunen MCP integration, Lunen may access Google Drive data so user-authorized agents and workflows can read information from and store data in Google Drive through the Service.

4. Why We Use Information

  • Account and identity data are used to create and administer accounts, organizations, and access permissions.
  • Authentication and connected service data are used to authenticate users, maintain authorized integrations, enforce authorization, and prevent fraud or abuse.
  • Google API Services data is used through the Google Workspace integration so user-authorized agents, workflows, and related Service features can perform the actions requested by the user.
  • Customer Content and imported third-party data are used to process prompts and requests, including routing user-selected context to configured model providers and other enabled service providers needed to generate the requested output.
  • Usage, device, and telemetry data are used to monitor reliability, debug incidents, secure the Service, and improve performance.
  • Support and communications data are used to respond to inquiries and comply with legal obligations and contractual requirements.

5. Legal Bases for Processing

Where required by law, we rely on one or more legal bases to process personal information, including:

  • Performance of a contract with you or your organization.
  • Legitimate interests, such as security, abuse prevention, and product operations.
  • Compliance with legal obligations.
  • Consent, where required and where you have provided it.

6. Third-Party AI and LLM Data Processing

To provide AI capabilities, Lunen may send portions of Customer Content to third-party AI providers acting as subprocessors or independent processors, depending on your configuration and contractual setup.

  • Examples of providers may include OpenAI, Anthropic, Google, and other providers made available in the Service.
  • Data sent may include prompts, uploaded context, instructions, message history, imported Google data that a user chooses to use in a session or workflow, and related metadata needed to generate responses.
  • Providers may process data for inference, safety, abuse monitoring, and service integrity.
  • We seek enterprise-grade controls, including data-use restrictions where available. For major LLM providers configured on a bring-your-own-key or similar customer-managed basis, processing of customer data is also subject to the applicable data protection terms in the customer's contract with the relevant provider.
  • You are responsible for configuring provider choices and settings that meet your compliance obligations.

7. How We Share Information

We may share information, including Google API Services data, with the following categories of recipients:

  • Service providers and subprocessors that support hosting, infrastructure, analytics, monitoring, and support.
  • Identity providers and authentication services to enable secure access.
  • AI and model providers selected or enabled for your workspace when a user directs the Service to use Google-derived or other third-party content as part of a prompt, workflow, agent run, or output.
  • Professional advisors, auditors, and legal counsel when required.
  • Regulators, law enforcement, or other third parties when required by law or to protect rights, safety, and security.
  • Potential acquirers in connection with a merger, acquisition, financing, or sale of assets.

Lunen does not sell user data and does not disclose Google user data for independent third-party use, unless the user requests such disclosure through their agent workflows.

8. International Data Transfers

We and our service providers may process information in countries other than your own. Where required, we use appropriate safeguards for cross-border transfers, such as contractual protections and comparable transfer mechanisms.

9. Data Retention and Deletion

We retain personal information for as long as needed to provide the Service, meet legal obligations, resolve disputes, and enforce agreements. Retention periods vary based on data type, account settings, legal requirements, and operational needs.

  • OAuth credentials for connected services are retained while the connection remains active and as needed to support the authorized integration, unless the connection is removed sooner or a longer period is required by law.
  • When a user disconnects a personal Google-connected service in Lunen, Lunen deletes the stored credential record from its secret-management system for active use of that connection.
  • Google-derived data that a user intentionally imports into prompts, sessions, workflows, outputs, or memory features may continue to be retained as part of that content until deleted by the user, deleted by the organization, or removed under applicable retention settings.

10. Security

We maintain administrative, technical, and organizational safeguards designed to protect personal information and connected service data against unauthorized access, use, disclosure, alteration, and destruction.

  • Encryption at rest.
  • Industry-standard transport security for data in transit.
  • Access controls designed to limit access to authorized personnel and systems.
  • Monitoring and logging intended to support security operations.

These safeguards are designed to be appropriate to the nature of the information we process and the risks involved. We ensure that we treat your data securely.

11. Google API Services User Data Policy / Limited Use

To the extent Lunen accesses, uses, or transfers Google API Services data, Lunen's use and transfer of that data will comply with the Google API Services User Data Policy, including the Limited Use requirements, where applicable.

12. AI / ML Training Statement

Lunen does not use Google API Services data or other user data to develop, improve, or train generalized or non-personalized artificial intelligence or machine learning models.

13. Your Privacy Rights and Choices

Depending on your location, you may have rights to:

  • Access, correct, delete, or restrict certain personal information.
  • Receive a portable copy of certain data.
  • Object to or limit certain processing activities.
  • Withdraw consent where processing is based on consent.

Users may disconnect any connected integration at any time, which will revoke Lunen's access to that integration.

You can request to exercise applicable rights by contacting privacy@lunen.ai. We may need to verify your identity before responding.

14. Children's Privacy

The Service is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided personal information, contact us so we can investigate and take appropriate action.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated version and update the Last Updated date above. Continued use of the Service after the effective date of an updated policy means the updated policy applies.

16. Contact

Questions or requests about this Privacy Policy can be sent to privacy@lunen.ai.