Privacy Policy
Last updated: March 2026
1. Introduction
Leopoldo, operated by [Owner TBD], respects your privacy and is committed to protecting the personal data you share with us. This Privacy Policy explains how we collect, use, store, and share your information in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable data protection laws.
2. Data We Collect
- Account data — Email address, full name, and profile information you provide during registration.
- Payment data — Processed securely through Stripe and LemonSqueezy. We never store card numbers or bank details on our servers.
- Conversation data — Messages and interactions with our AI agents, stored to provide context continuity and improve service quality.
- Usage data — Server-side analytics including pages visited, features used, session duration, and referral sources. No third-party tracking scripts are loaded.
3. How We Use Your Data
- Service delivery — To provide, maintain, and improve the Leopoldo platform. Legal basis: performance of contract (Art. 6(1)(b) GDPR).
- Account management — To manage your subscription, authenticate sessions, and maintain your preferences.
- Transactional emails — To send invoices, payment confirmations, and service-related notifications.
- Marketing — To send product updates and offers, only with your explicit consent. You may withdraw consent at any time.
4. Data Retention
- Account data — Retained for the duration of the customer relationship plus 10 years to comply with legal and fiscal obligations.
- Conversation data — Active for 90 days, then permanently anonymized. Anonymized data may be retained for service improvement purposes.
- Analytics data — Stored in aggregated form only. No personally identifiable information is retained in analytics datasets.
5. Data Sharing
We share your data only with the following categories of service providers, each bound by data processing agreements:
- Stripe — Payment processing for subscriptions.
- LemonSqueezy — Merchant of record for one-time pack purchases.
- Vercel — Application hosting and edge delivery.
- Railway — Backend infrastructure hosting.
- Anthropic — AI model inference and processing.
- Neon — PostgreSQL database hosting (EU Frankfurt).
- Resend — Transactional email delivery.
Your data is never sold to third parties.
6. International Transfers
Some of our service providers operate outside the European Economic Area. Where data is transferred to the United States, we rely on the EU-US Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs) approved by the European Commission. Our primary database (Neon) is hosted in EU Frankfurt. Railway services are deployed to EU regions.
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Access — Request a copy of the personal data we hold about you.
- Rectification — Request correction of inaccurate or incomplete data.
- Erasure — Request deletion of your personal data. Programmatic erasure is available via DELETE /api/client/{id}.
- Portability — Receive your data in a structured, machine-readable format.
- Restriction — Request limitation of processing in certain circumstances.
- Objection — Object to processing based on legitimate interest.
- Withdraw consent — Withdraw previously given consent at any time without affecting the lawfulness of prior processing.
8. Contact
For any privacy-related inquiries or to exercise your rights, contact us at hello@leopoldo.ai.