§ POLICY / PRIVACY
Privacy Policy
1. Who we are and how to contact us
Laneflow ("Laneflow", "we", "us") is the controller of the personal data processed in connection with the Laneflow service (the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and what rights you have.
For any privacy question or to exercise the rights described below, contact us at privacy@laneflow.ai. We aim to respond within 30 days (extendable by a further two months for complex requests, with notice).
2. Personal data we collect
- Account data — your name and email address when you register, hashed authentication credentials, and account preferences.
- Billing data — handled by Stripe. We never receive or store raw card numbers; we receive only a payment-method token, the last four digits, billing-country, tax ID where applicable, and billing status.
- Usage logs — actions you take in the Service, such as workspace creation, project runs started or stopped, seat lease activity, and feature usage. Logs do not include the contents of your source code.
- Audit events — security-relevant events including login attempts, session creation, device authorisations, and billing changes.
- Session data — short-lived session tokens stored server-side via Upstash to maintain your authenticated state across the web app and the desktop application.
- Technical data — IP address, user-agent string, and approximate location (derived from IP) collected by our edge providers for security, fraud prevention, and operational purposes.
- Communications — the contents of any email or support request you send us.
3. Personal data we do NOT collect
- The Laneflow desktop application runs locally on your machine. Your source code, repositories, files, environment variables, and AI model API keys are not transmitted to or stored by Laneflow.
- We do not use tracking cookies, advertising cookies, or third-party analytics that profile users across sites.
- We do not buy or rent personal data from data brokers.
- We do not knowingly collect personal data from children under 16.
4. Why we process your data and our legal basis
| PURPOSE | LEGAL BASIS (GDPR) | DATA |
|---|---|---|
| Account creation and authentication | Performance of a contract (Art. 6(1)(b) GDPR) | Account data, session data |
| Operation of the Service and seat enforcement | Performance of a contract (Art. 6(1)(b) GDPR) | Account data, usage logs, session data |
| Billing and invoicing | Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c) GDPR) | Billing data, account data |
| Service security and abuse prevention | Legitimate interests (Art. 6(1)(f) GDPR) — protecting our platform and users | Audit events, IP address, session data |
| Service emails (account, billing, security) | Performance of a contract (Art. 6(1)(b) GDPR) | Email address, name |
| Diagnosing reported issues and providing support | Legitimate interests (Art. 6(1)(f) GDPR) — supporting our users | Usage logs, audit events |
| Compliance with tax, accounting and legal obligations | Legal obligation (Art. 6(1)(c) GDPR) | Billing data, account data |
5. How long we keep your data
- Session data — active session tokens expire after a short idle period and are invalidated on sign-out or device deauthorisation.
- Audit logs — retained for a minimum of 90 days and a maximum of 24 months for operational security purposes.
- Account data — retained for the life of your account. On account deletion, personal data is removed within 30 days, except for data we are legally required to retain (for example billing records under tax law, typically retained for 6–10 years depending on jurisdiction).
- Billing records — retained for as long as required by applicable tax and accounting law (typically 6–10 years).
- Communications — retained for up to 24 months after the support matter is closed, then deleted.
6. Sub-processors
We rely on the following sub-processors to deliver the Service. Each is bound by a written processing agreement requiring appropriate technical and organisational measures and, where relevant, by Standard Contractual Clauses approved by the European Commission for international transfers.
| PROCESSOR | PURPOSE | DATA SHARED | LOCATION / TRANSFER |
|---|---|---|---|
| Stripe Payments Europe, Ltd. | Payment processing and billing management | Email, name, billing address, payment-method token (last four digits only), tax ID where applicable, billing status | Ireland (with onward transfer to USA under SCCs) |
| Resend, Inc. | Transactional email delivery | Email address, name, message metadata | United States (under Standard Contractual Clauses) |
| Cloudflare, Inc. | Edge hosting, CDN and DDoS protection | Request data, IP address, user-agent, request timing | Global (under Standard Contractual Clauses) |
| Vercel, Inc. | Web application hosting and CDN for the authenticated portal | Request data, IP address, user-agent | United States (under Standard Contractual Clauses) |
| Neon, Inc. | Hosted PostgreSQL database | All application data including account, workspace and audit data | EU region (Ireland) |
| Upstash, Inc. | Session caching (Redis) | Session tokens, user identifiers | EU region |
When you connect third-party services such as OpenAI, Anthropic, GitHub, or your own deployment platforms using your own credentials, those services are not Laneflow sub-processors — they are independent controllers acting on your direct instructions, governed by their own privacy policies. You are responsible for your relationship with them.
7. International data transfers
Some of our sub-processors are located outside the European Economic Area, in particular in the United States. Where personal data is transferred outside the EEA to a country that does not benefit from a European Commission adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional safeguards where appropriate. A copy of the SCCs is available on request.
8. Security
- Transport encryption (TLS) for all traffic between your client, the control plane, and our sub-processors.
- Encryption at rest for the primary database and for credentials.
- Short-lived session tokens with server-side leases and heartbeat renewal.
- Principle of least privilege for internal access; access logs reviewed regularly.
- Secrets such as your AI model API keys are never transmitted to or stored by Laneflow — they are kept locally on your machine by the desktop application.
9. Cookies and local storage
We use essential cookies and browser local storage strictly for authentication, session management, and theme preference. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No consent banner is required for strictly necessary cookies under the EU ePrivacy Directive, but we display a short notice for transparency.
10. Your rights under the GDPR
If you are in the European Union, the European Economic Area, or the United Kingdom, you have the following rights in respect of your personal data:
- Access — obtain a copy of the personal data we hold about you (Art. 15 GDPR).
- Rectification — correct inaccurate or incomplete personal data (Art. 16 GDPR).
- Erasure — request deletion of your personal data, subject to our legal retention obligations (Art. 17 GDPR).
- Restriction of processing — request that we restrict how we process your data in certain circumstances (Art. 18 GDPR).
- Data portability — receive your personal data in a structured, commonly used, machine-readable format (Art. 20 GDPR).
- Object — object to processing based on our legitimate interests (Art. 21 GDPR).
- Withdraw consent — where processing is based on consent, withdraw it at any time (Art. 7(3) GDPR), without affecting the lawfulness of processing before withdrawal.
- Lodge a complaint — with the Irish Data Protection Commission (dataprotection.ie) or your local supervisory authority if you believe we have not handled your personal data lawfully.
To exercise any of these rights, contact privacy@laneflow.ai. We may need to verify your identity before responding. There is no fee for these requests, except where they are manifestly unfounded or excessive.
11. Automated decision-making
We do not use your personal data to make decisions that produce legal or similarly significant effects on you based solely on automated processing. AI agents executed through the Service operate on your machine, on the content you provide, under your supervision and instructions.
12. Children
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@laneflow.ai and we will delete it.
13. Changes to this policy
We may update this Privacy Policy as the Service evolves or as required by law. Material changes will be communicated by email or via an in-app notice at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when the most recent change was made.