Privacy Policy

1. Introduction

Lobstack ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at lobstack.ai and use our AI assistant deployment platform (collectively, the "Service").

Our Role: With respect to personal data contained in Customer Data (as defined in our Terms of Use), Lobstack acts as a data processor on behalf of the Customer (the "data controller"). For account registration, billing, and website analytics data, Lobstack acts as the data controller. Enterprise customers may enter into a separate Data Processing Addendum (DPA) that supplements this Privacy Policy.

This Privacy Policy is designed to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws. By using the Service, you consent to the data practices described herein. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account through our authentication system (Supabase Auth), we may collect:

• Email address
• Name and display name
• Avatar / profile picture URL
• Authentication identifier
• Wallet address (if you sign in with a cryptocurrency wallet)

2.2 Billing & Payment Information

When you subscribe to the Service, we collect and process billing information via Stripe:

• Stripe customer ID and subscription ID
• Subscription status, plan tier, and billing period dates
• Payment method details (stored and processed exclusively by Stripe — we do not store your full card number)

2.3 AI Agent Data

When you use your deployed AI agent, the following data is collected and stored:

• Chat Messages: Conversations between you and your AI agent, including the role (user/assistant), message content, channel, session ID, and associated metadata
• Agent Memory: Key-value pairs stored by your AI agent to maintain persistent memory across sessions, organized by category
• Skills & Configuration: Your agent's enabled skills and their configuration settings
• Token Usage: Prompt tokens, completion tokens, total tokens consumed, and the AI model used per interaction
• Agent Logs: Operational logs generated by your agent, including log level, message content, and metadata
• File Attachments: Images or files you upload during chat interactions with your agent

2.4 Infrastructure & Health Data

To ensure your AI agent runs reliably, we collect:

• Server ID, IP address, region, and tier
• Agent status and health check results
• CPU usage, memory usage, disk usage, and response times
• Messenger type and integration configuration (e.g., Telegram token)

2.5 API Keys

You may provide a third-party AI API key (from Anthropic, OpenAI, or Google) during onboarding. This key is transmitted to your dedicated server for the purpose of enabling AI model access. We handle API keys in accordance with our security practices and only use them to operate your AI agent.

2.6 Automatically Collected Information

When you visit our Site, we may automatically collect:

• IP address and approximate geolocation
• Browser type and version
• Operating system
• Referring URL and pages visited
• Date, time, and duration of your visit
• Device identifiers

3. How We Use Your Information

We use the information we collect for the following purposes:

• Provide & Operate the Service: Provision, deploy, and manage your AI agent and dedicated server infrastructure
• Process Payments: Handle subscription billing, invoices, and payment-related communications through Stripe
• Enable AI Functionality: Transmit your messages to AI model providers, store conversation history and agent memory, and track token usage
• Monitor & Maintain: Perform health checks, monitor server performance, and ensure uptime and reliability
• Improve the Service: Analyze aggregated, anonymized usage patterns, diagnose technical issues, and develop new features
• Communicate: Send service-related notifications, billing alerts, and respond to support requests
• Ensure Security: Detect and prevent fraud, unauthorized access, and other malicious activity
• Comply with Legal Obligations: Respond to legal requests and prevent harm as required by law

What We Do Not Do: We do not use Customer Data for profiling, automated decision-making, cross-customer analytics, or marketing targeting. Customer Data is processed solely for the purpose of providing the Service.

4. Legal Bases for Processing

Under the GDPR and similar data protection laws, we process personal data based on the following legal bases:

Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override data subject rights. Assessments are available upon request for enterprise customers.

For enterprise customers where Lobstack acts as a data processor, the legal basis for processing Customer Data is the Data Processing Addendum and the Customer's documented instructions.

5. How We Share Your Information

We do not sell your personal information. We may share your information with the following categories of third parties (acting as subprocessors), solely for the purposes described in this Privacy Policy. All subprocessors are bound by written data processing agreements with obligations at least as protective as those in our DPA.

Lobstack conducts due diligence on all subprocessors prior to engagement, including review of their security practices, data protection measures, and compliance certifications. We may also disclose your information if required by law, in response to valid legal process, to protect rights, or in connection with a merger, acquisition, or sale of assets.

6. Subprocessors

A complete, current list of all subprocessors engaged by Lobstack to process Customer Data is maintained at lobstack.ai/legal/subprocessors.

• Change Notification: Lobstack will provide at least thirty (30) days prior written notice before engaging a new subprocessor or replacing an existing one. Notification will be sent via email to the Account Administrator.
• Objection Right: Customers may object in writing to a new subprocessor within fifteen (15) days of notification. Lobstack will work in good faith to address the objection. If the parties cannot reach a resolution, the Customer may terminate the affected services without penalty.
• Subprocessor Obligations: All subprocessors are bound by written agreements that impose data protection obligations materially consistent with those in our DPA, including confidentiality, security, and data handling requirements.

7. AI-Specific Data Disclosures

Because the Service involves artificial intelligence, the following additional disclosures apply:

• Conversation Processing: When you interact with your AI agent, your messages are sent to third-party AI model providers (Anthropic, OpenAI, or Google, depending on your selected model) for processing. These providers may have their own data retention and privacy policies that govern how they handle this data.
• Agent Memory: Your AI agent stores persistent memory to provide continuity across conversations. This memory data is stored in our database and associated with your account.
• Token Usage Tracking: We track the number of tokens consumed per interaction for billing transparency and usage monitoring purposes.
• Autonomous Actions: Your AI agent may perform actions on your behalf (such as sending emails, managing files, or browsing websites). Data involved in these actions may be processed by your agent's server and the relevant third-party services.
• No Training on Your Data: Lobstack does not use your conversations, agent memory, or other user content to train AI models. Your data is used solely to provide the Service to you.

8. Data Retention & Deletion

We retain your data according to the following schedule:

Deletion Procedures

• Account Deletion: Request via hello@lobstack.ai. Processed within 30 days, except where retention is required by law.
• Data Export: Customers may request export of their data in standard formats (JSON/CSV) prior to deletion.
• Secure Deletion: Production data is deleted using cryptographic erasure or overwrite methods. Backups containing deleted Customer Data are purged within ninety (90) days.

9. Data Processing Agreement (DPA) Framework

Where Lobstack processes personal data on behalf of the Customer as a data processor (under GDPR Article 28), the following framework applies. A standalone DPA is available upon request at lobstack.ai/legal/dpa.

• Documented Instructions: Lobstack processes Customer Data only on the documented instructions of the Customer, unless required by applicable law.
• Confidentiality: All personnel with access to Customer Data are bound by confidentiality obligations.
• Security Measures: Lobstack implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 16).
• Subprocessor Management: Lobstack engages subprocessors only with prior notice and imposes equivalent data protection obligations (see Section 6).
• Data Subject Rights: Lobstack assists the Customer in responding to data subject access requests, rectification, erasure, and portability requests.
• Data Protection Impact Assessments: Lobstack assists the Customer with DPIAs and prior consultations with supervisory authorities where required.
• Return or Deletion: Upon termination, Lobstack will delete or return all Customer Data within thirty (30) days, at the Customer's election.
• Audit & Compliance: Lobstack makes available information necessary to demonstrate compliance with data processing obligations and allows for audits as described in Section 16 of our Terms of Use.

10. Data Breach Notification

In the event of a confirmed personal data breach affecting Customer Data, Lobstack will:

• Notify Without Undue Delay: Provide notification to affected Customers as soon as reasonably practicable, and within seventy-two (72) hours of becoming aware of the breach, in compliance with GDPR Article 33.
• Notification Content: Include the nature of the breach, the categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address and mitigate the breach.
• Designated Contact: Provide a dedicated point of contact for further information and coordination.
• Cooperation: Cooperate with the Customer's own breach notification obligations to supervisory authorities and affected data subjects.
• Ongoing Updates: Provide supplementary information as it becomes available during the investigation.
• Breach Record: Lobstack maintains a record of all personal data breaches, including the facts, effects, and remedial actions taken, as required by GDPR Article 33(5).

11. Your Rights Under GDPR (European Economic Area)

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

• Right of Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate personal data
• Right to Erasure: Request deletion of your personal data ("right to be forgotten")
• Right to Restriction: Request restriction of processing of your personal data
• Right to Data Portability: Receive your personal data in a structured, machine-readable format
• Right to Object: Object to processing of your personal data for certain purposes
• Right to Withdraw Consent: Withdraw your consent at any time where we rely on consent for processing

Exercising Your Rights

Contact our Data Protection team at privacy@lobstack.ai. We will respond within thirty (30) days. Complex or numerous requests may be extended by an additional sixty (60) days in accordance with GDPR Article 12. You also have the right to lodge a complaint with your local data protection authority.

Data Protection Assessments

Lobstack conducts Legitimate Interest Assessments (LIAs) for all processing based on legitimate interests. We also conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities as required by GDPR Article 35. Assessment documentation is available to enterprise customers upon request under NDA.

12. Your Rights Under CCPA (California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request information about the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it
• Right to Delete: Request deletion of personal information we have collected from you
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: We do not sell or share your personal information for cross-context behavioral advertising. Therefore, no opt-out mechanism is required
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights

To submit a verifiable consumer request, contact us at hello@lobstack.ai. We will verify your identity and respond within 45 days.

13. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States, Germany (Hetzner server locations), and other jurisdictions where our third-party providers operate. These countries may have different data protection laws than your jurisdiction.

Transfer Mechanisms

For transfers of personal data from the EEA, UK, or Switzerland, we rely on the following safeguards:

• EU-U.S. Data Privacy Framework (DPF): Where applicable, transfers to U.S.-based subprocessors certified under the DPF.
• Standard Contractual Clauses (SCCs): The European Commission approved SCCs (June 2021 modular clauses) are incorporated into our subprocessor agreements.
• UK International Data Transfer Addendum: The UK Addendum to the EU SCCs is used for transfers originating from the United Kingdom.
• Swiss-U.S. DPF: For transfers originating from Switzerland, where applicable.

Supplementary Measures

In addition to legal transfer mechanisms, Lobstack implements supplementary technical measures including encryption in transit and at rest, pseudonymization, and access controls. Transfer Impact Assessments (TIAs) are conducted for each transfer destination and are available to enterprise customers upon request.

14. Data Residency & Sovereignty

Lobstack offers infrastructure in multiple regions to support data residency requirements:

• Default Regions: AI agent servers are provisioned in the region selected during setup. Available regions include EU (Germany via Hetzner) and US.
• Database Hosting: The central database is hosted on Supabase (US-based, AWS infrastructure). Metadata and account data are stored in this location.
• Enterprise Data Residency: Enterprise customers with specific data residency or sovereignty requirements may request custom configurations, subject to availability and a separately executed Order Form.
• Transparency: Lobstack will not transfer Customer Data outside the designated region except as necessary for service operation and as disclosed in the subprocessor list (Section 6).

15. Data Anonymization & Pseudonymization

Lobstack applies the following data minimization and protection techniques:

• Anonymization: Aggregated usage statistics and platform analytics are anonymized so they cannot be attributed to individual users or organizations. Anonymized data is not considered personal data and may be used for service improvement.
• Pseudonymization: Where possible, Lobstack applies pseudonymization techniques during processing, using internal identifiers rather than directly identifiable information.
• Minimal Data Transmission: Only the minimum necessary data is transmitted to subprocessors. For example, messages sent to AI model providers contain conversation content but are not linked to individual user PII at the provider level.
• No Re-identification: Lobstack does not attempt to re-identify data that has been anonymized.

16. Data Security

Lobstack implements comprehensive technical and organizational security measures, structured by control category:

Encryption

• AES-256 encryption at rest for Kubernetes secrets, Vault storage, and disk volumes
• TLS 1.3 encryption for all data in transit
• Istio mTLS for internal service-to-service communication
• Encrypted database connections

Network & Infrastructure

• Isolated, dedicated server infrastructure per customer
• Kubernetes NetworkPolicies for workload isolation
• gVisor container sandboxing for defense in depth
• Zero-trust service mesh architecture

Access Control

• HashiCorp Vault RBAC for secrets management
• Kubernetes RBAC for infrastructure access
• Row-level security policies enforced at the database level
• Principle of least privilege for all internal access

Monitoring & Audit

• Falco runtime security monitoring
• Prometheus-based metrics and alerting
• Comprehensive audit logging for all administrative actions
• Regular health monitoring and automated security checks

For full technical details, see our Security Documentation. While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure.

17. Security Certifications & Compliance

Lobstack maintains the following security certifications and compliance posture:

• SOC 2 Readiness: Security controls implemented and documented across all five Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). Formal SOC 2 Type II audit on roadmap. See our Compliance Readiness page.
• GDPR Compliance: Fully implemented — DPA available, DPIAs conducted for high-risk processing, GDPR Article 28 processor obligations met.
• CCPA/CPRA Compliance: Fully implemented — no sale of personal information, consumer rights honored, privacy notices provided.
• HIPAA: Business Associate Agreements (BAAs) available upon request for qualifying healthcare customers with enterprise plans.
• PCI DSS: Not applicable — Lobstack does not store or process payment card data. All payment processing is handled entirely by Stripe, a PCI DSS Level 1 certified service provider.
• Penetration Testing: Annual third-party penetration tests conducted. Summary results available to enterprise customers under NDA.
• ISO 27001: Certification planned. Lobstack's security controls are aligned with ISO 27001 Annex A requirements.

18. Cookies & Tracking Technologies

We use the following types of cookies and similar technologies:

• Essential Cookies: Required for authentication, security, and basic site functionality. These cannot be disabled.
• Authentication Tokens: Used by Supabase Auth to maintain your login session across visits.
• Analytics: We may use privacy-respecting analytics to understand how users interact with the Service. No data is sold to advertisers.

You can control cookies through your browser settings. Disabling essential cookies may impair your ability to use the Service.

19. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information promptly. If you believe a child under 18 has provided us with personal information, please contact us at hello@lobstack.ai.

20. Third-Party Links & Services

The Service may contain links to or integrations with third-party websites and services that are not operated by us (including AI model providers, messaging platforms, and other tools your agent may interact with). We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through the Service.

21. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Privacy Policy on this page and updating the "Last Updated" date. For significant changes, we may also provide notice through the Service dashboard or via email. Your continued use of the Service after changes are posted constitutes your acceptance of the revised Privacy Policy.

22. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how we handle your information, please contact us:

For GDPR-related inquiries, you may also contact your local data protection authority. For CCPA-related inquiries, California residents may contact the California Attorney General's office.