Privacy Policy

Lemurian Labs, Inc.  |  Last Updated: March 31, 2026

Lemurian Labs, Inc. ("Lemurian Labs," "we," "us," or "our") is committed to protecting the privacy and security of information processed through our SaaS platform (the "Services"). This Privacy Policy describes how we collect, use, disclose, retain, and protect Personal Data in connection with the Services, and is designed to satisfy the requirements of applicable global privacy laws including the GDPR, CCPA/CPRA, and the data security requirements of SOC 2 Type II and ISO 27001.

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. This Policy applies to business customers and their authorized users (collectively "Customers") who access the Services.

1. Scope and Applicability

This Privacy Policy applies to all Personal Data processed by Lemurian Labs in connection with the delivery of its SaaS platform to business customers globally. It covers data processed on behalf of Customers (as data processor/sub-processor) and data Lemurian Labs collects in its capacity as a data controller.

Lemurian Labs operates as:

  • Data Controller — for data collected directly through our website, marketing activities, and account management.
  • Data Processor — for Customer data submitted to and processed within the Services, in accordance with applicable Data Processing Agreements ("DPAs").

2. Personal Data We Collect

2.1 Account and Identity Data

  • Full name and email address
  • Username and hashed passwords
  • Company name, job title, and contact information
  • Billing address and payment card information (last 4 digits, card type; full payment data is processed by our PCI-compliant payment processor)

2.2 Technical and Usage Data

  • IP addresses and approximate geolocation (country/region level)
  • Device type, operating system, and browser information
  • Log data including access times, pages viewed, features used, and error reports
  • Session identifiers and authentication tokens
  • Performance and diagnostic data

2.3 Analytics Data

  • Aggregated usage metrics and feature interaction data
  • Workflow and product usage patterns (used to improve the Services)
  • Support ticket and feedback data

2.4 Data We Do Not Collect

Lemurian Labs does not use Customer data to train AI or machine learning models. We do not knowingly collect Personal Data from individuals under the age of 18. Our Services are intended solely for business use by adults.

3. How We Collect Personal Data

  • Directly from you — when you register for an account, complete forms, contact support, or otherwise interact with our Services.
  • Automatically — through cookies, log files, and similar tracking technologies when you use our platform.
  • From third parties — including identity verification services, payment processors, and SSO providers you authorize.
  • From your organization — when your employer or contracting entity provisions an account on your behalf.

4. Legal Basis for Processing (GDPR)

For customers and users in the European Economic Area (EEA), United Kingdom, and other jurisdictions requiring a lawful basis for data processing, we rely on the following:

Legal Basis Categories of Data Purpose
Contractual Necessity Account, Identity, Payment Providing and administering the Services
Legitimate Interests Usage, Technical, Analytics Improving Services, security, fraud prevention
Legal Obligation All categories as required Compliance with applicable laws and regulations
Consent Marketing communications Sending promotional content (opt-in)

5. How We Use Personal Data

5.1 Service Delivery and Operations

  • Provisioning, maintaining, and supporting your account and access to the Services
  • Processing transactions and sending billing notices
  • Authenticating users and managing access controls
  • Providing customer support and responding to inquiries

5.2 Security and Compliance

  • Detecting, investigating, and preventing fraudulent, unauthorized, or illegal activity
  • Conducting security monitoring, vulnerability assessments, and incident response
  • Maintaining audit logs to support SOC 2 Type II and ISO 27001 compliance obligations
  • Enforcing our Terms of Service and other legal agreements

5.3 Service Improvement

  • Analyzing aggregated and anonymized usage data to develop new features and improve existing functionality
  • Conducting internal analytics and product research

5.4 Communications

  • Sending transactional messages required to provide the Services (e.g., billing notices, security alerts)
  • Sending marketing and product communications to users who have opted in; users may opt out at any time by emailing optout@lemurianlabs.com

6. How We Share Personal Data

Lemurian Labs does not sell Personal Data. We may share Personal Data only in the following limited circumstances:

6.1 Authorized Sub-Processors

We engage trusted third-party service providers ("Sub-Processors") to support our operations, including cloud hosting providers, payment processors, analytics platforms, and security vendors. All Sub-Processors are bound by contractual obligations to process data only as instructed and in accordance with applicable data protection laws. A current list of Sub-Processors is available upon request at privacy@lemurianlabs.com.

6.2 Legal Requirements

We may disclose Personal Data if required to do so by law, court order, or governmental authority, or where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Lemurian Labs, our Customers, or others.

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, Personal Data may be transferred to the successor entity. We will provide notice before Personal Data becomes subject to a materially different privacy policy.

6.4 With Your Consent

We may share Personal Data with third parties when you have given explicit consent to do so.

7. International Data Transfers

Lemurian Labs stores and processes Customer data across multiple geographic regions. When transferring Personal Data from the EEA, UK, or other jurisdictions with data transfer restrictions, we rely on the following safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreements (IDTAs) where applicable
  • Adequacy decisions issued by relevant supervisory authorities
  • Binding Corporate Rules or other approved transfer mechanisms as applicable

8. Data Retention

  • Account and Identity Data — retained for the duration of the active account and deleted within 90 days following account closure, unless a longer period is required by law.
  • Usage and Technical Data — retained for up to 12 months after collection, after which it is aggregated and anonymized or deleted.
  • Payment Data — retained as required by applicable tax and financial regulations (typically 7 years).
  • Security and Audit Logs — retained for a minimum of 12 months to support SOC 2 Type II and ISO 27001 audit obligations.

Upon account closure, Customers may request export of their data prior to deletion. Lemurian Labs will make commercially reasonable efforts to accommodate such requests within 30 days of account closure.

9. Data Security

Lemurian Labs implements a comprehensive information security program aligned with SOC 2 Type II and ISO 27001 standards.

9.1 Technical Controls

  • Encryption of all Personal Data in transit using TLS 1.2 or higher
  • Encryption of all Personal Data at rest using AES-256 or equivalent
  • Role-based access controls (RBAC) and the principle of least privilege
  • Multi-factor authentication (MFA) for all internal systems and administrator access
  • Continuous security monitoring, intrusion detection, and alerting

9.2 Organizational Controls

  • Regular third-party penetration testing and vulnerability assessments
  • Formal incident response plan with defined escalation procedures and notification timelines
  • Annual SOC 2 Type II audits conducted by an independent AICPA-accredited auditor
  • ISO 27001 certification maintained through ongoing internal audits and external surveillance reviews
  • Security awareness training for all employees upon hire and annually thereafter
  • Vendor risk management program governing all Sub-Processors

9.3 Incident Notification

In the event of a data breach involving Personal Data, Lemurian Labs will notify affected Customers without undue delay, and no later than 72 hours after becoming aware of the breach where required by applicable law (including GDPR Article 33).

10. Your Privacy Rights

10.1 Rights for All Users

  • Right to Access — request a copy of the Personal Data we hold about you
  • Right to Rectification — request correction of inaccurate or incomplete data
  • Right to Erasure — request deletion of your Personal Data, subject to legal retention obligations
  • Right to Restriction — request that we limit processing of your data in certain circumstances
  • Right to Portability — receive your data in a structured, machine-readable format
  • Right to Object — object to processing based on legitimate interests, including for direct marketing
  • Right to Withdraw Consent — where processing is based on consent, withdraw it at any time

10.2 California Residents (CCPA/CPRA)

California residents have additional rights under the CCPA/CPRA, including the right to know what Personal Data is sold or shared. Lemurian Labs does not sell Personal Data. To exercise your California rights, contact us at privacy@lemurianlabs.com.

10.3 EEA and UK Residents (GDPR/UK GDPR)

EEA and UK residents have the right to lodge a complaint with their local supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.

10.4 Exercising Your Rights

To exercise any of the rights described above, please submit a request to privacy@lemurianlabs.com. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.

11. Cookies and Tracking Technologies

  • Essential Cookies — required for platform functionality, including session management and authentication. These cannot be disabled.
  • Functional Cookies — remember your settings and preferences across sessions.
  • Analytics Cookies — collect aggregated usage data to help us understand how the Services are used and to improve them.

You may control non-essential cookies through your browser settings. We do not use cookies for cross-site advertising or behavioral retargeting.

12. Children's Privacy

The Services are intended exclusively for business customers and their adult employees and contractors. Lemurian Labs does not knowingly collect Personal Data from individuals under the age of 18. If you believe a minor has provided us with Personal Data, please contact us at privacy@lemurianlabs.com.

13. Changes to This Privacy Policy

Lemurian Labs may update this Privacy Policy from time to time. We will notify Customers of material changes by posting an updated Policy on our website at lemurianlabs.com/privacy and by sending an email notification to account owners at least 10 days before the changes take effect. Your continued use of the Services after the effective date of any update constitutes your acceptance of the revised Policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Lemurian Labs, Inc.
Attn: Adam Robertson, Data Protection Officer
2953 Bunker Hill Ln Ste 403
Santa Clara, CA 95054
Email: privacy@lemurianlabs.com
Phone: +1 (650) 996-9176
Website: lemurianlabs.com

This Privacy Policy is effective as of March 31, 2026. This document is provided for informational purposes and should be reviewed by qualified legal counsel before use.