Privacy Policy - Lolodex

Who We Are

This policy applies to the LoloDex service available at lolodex.com and related interfaces that receive data via email, file uploads, and text messages.
Service availability is global; however, data is hosted in the United States.

We do not offer the service to individuals located in the EU/EEA or the UK. We implement gating measures (e.g., country selection and contractual representations) and may geoblock traffic/signups where feasible. If we learn that we have collected personal data from an EU/EEA/UK resident, we will delete it.
We make no representation that the service complies with GDPR/UK GDPR/CCPA/CPRA or other regional privacy laws. Use at your own risk for compliance. For questions, contact [email protected].

Controller: We act as a controller for our site/app accounts and operational data (e.g., analytics, logs).
Processor: We act as a processor for customer content you upload or connect (e.g., emails, SMS, files) to deliver the service, including AI‑assisted extraction.

Account data: email (required), password/auth method (required), name (optional), company (optional), role (optional).
Content data: emails, SMS messages, file uploads/attachments, and extracted entities/metadata you enable.
Technical data: IP address, device/browser information, usage logs, crash/error reports, and analytics events.
Billing data: processed by Stripe; we do not store full payment card details on our systems.

Provide core service functionality, including ingestion, indexing/search, extraction, and presentation.
Operate, maintain, and improve features and performance.
Analytics and product usage measurement (non‑advertising).
Security, fraud prevention, abuse detection, and troubleshooting.
Customer support and service communications.
Marketing or product update emails (you can opt out).

We may send customer content to third‑party AI services to perform extraction or summarization.
Current vendor: OpenAI (API). No on‑prem or in‑house models at this time.
Vendor data‑use settings: We do not apply additional vendor‑side restrictions (e.g., toggling vendor training/retention flags) beyond the vendor's defaults. Consult the vendor's documentation for how they handle inputs/outputs. If you require stricter controls, contact us to discuss options.

Hosting/DB/Storage: Google Cloud Platform (GCP), Supabase
Email delivery: Postmark
SMS: Twilio
Analytics: PostHog (product analytics only; no advertising)
Error monitoring and logging: Sentry (and PostHog for event logging)
Payments: Stripe
AI processing: OpenAI (API)
We share data with these providers only to operate the service, under appropriate terms. The list may change as we add or replace vendors.

Encryption in transit (TLS) and at rest.
Cloud key management, role‑based access controls, and MFA for internal access.
Audit logging and environment isolation.
Vulnerability management and routine security updates.
No formal certifications (e.g., SOC 2, ISO 27001) and no formal penetration testing at this time.

Customer content and account data: retained until you delete it or close your account.
Backups: retained for up to 30 days for reliability and recovery.
After account closure, content and account data are scheduled for deletion; residual copies may remain in backups until the backup retention period lapses.

You can request access, correction, deletion, export (data portability), restriction, objection, and opt‑out of certain processing or sharing (where applicable). If we ever sell/share personal information for cross‑context behavioral advertising, you may opt out; currently we do not engage in such practices.
Submit requests to [email protected]. We aim to respond within 30 days.
Export formats available: JSON, CSV, ZIP.

Data is stored and processed in the United States. If you access the service from other regions, your data may be transferred to and processed in the U.S.
We do not target or onboard EU/EEA/UK residents and will delete such data upon discovery.

This service is not directed to children under 13 (or the age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we learn we have collected such information, we will delete it.

We will notify affected customers without undue delay and in any event within 72 hours of becoming aware of a personal data breach, where required.

We may update this policy from time to time. We will post updates on our website and indicate the effective date. Material changes may be highlighted in‑app or via email.