Privacy Policy

1.1 Information You Provide

• —Account Data: When creating an account, you may provide information such as name, email, billing address, and payment details.
• —Content & Data Submissions: Any data (including personal data) you choose to process through our AI Agents or platform.

1.2 Information Collected Automatically

• —Usage Data: We collect details about how you interact with the Services (e.g., pages visited, session duration).
• —Device & Log Data: We may collect IP addresses, browser type, device identifiers, and system logs to troubleshoot or improve the Services.
• —Cookies & Tracking: We may use cookies or similar technologies to store user preferences, gather analytics, or facilitate sign-ins.

1.3 Information from Third Parties

We may receive data about you from third-party integrations (e.g., single sign-on providers, CRMs). This data is handled according to this Policy.

1.4 Chat Widget Data Collection

When our customers embed our chat widget on their websites, website visitors ("End Users") interact with AI-powered chat agents. Before an End User accepts the widget's consent gate, we create only a pseudonymous visitor identifier server-side and do not collect IP address, browser information, referrer URL, or message content.

After an End User clicks "Continue" on the consent gate and begins chatting, we collect:

• —Visitor Identifier: A unique, pseudonymous token stored server-side as a SHA-256 hash. Used only to maintain session continuity across page loads.
• —IP Address & User-Agent: Recorded on the first message so we can operate, secure, and rate-limit the widget.
• —Referrer URL: The webpage on which the widget was loaded.
• —Chat Messages: Messages exchanged between the End User and the AI assistant.
• —Session Analytics: Aggregate counts of sessions, messages, and referrer frequency.

The widget does not set cookies. The visitor identifier is generated server-side and not stored on the End User's device. AI-assistant disclosure is shown in the consent gate before any chat begins.

2.1 Service Provision

• —To create and manage your account
• —To process your transactions (billing, payment)
• —To operate and maintain our AI platform

2.2 Service Improvements

• —To analyze usage trends or identify performance bottlenecks
• —To research and develop new features or expansions to our agentic framework

We do not use customer content, agent conversations, or widget chat data to train or fine-tune our underlying AI models. Your data is processed only to provide the Services you requested.

2.3 Communication

• —To send you service updates, product announcements, or important security alerts
• —To address your inquiries and provide support

2.4 Compliance & Legal Obligations

• —To comply with applicable laws, regulations, legal processes, or enforceable governmental requests
• —To detect, investigate, or prevent fraudulent or illegal activities

3.1 Service Providers

We share personal information with third-party vendors that help us operate the Services, subject to contractual confidentiality and data-protection obligations. Our current key sub-processors include:

• —Stripe, Inc. — payment processing. Card and billing data is submitted directly to Stripe and never stored on our servers.
• —Clerk, Inc. — authentication and identity management.
• —Anthropic, PBC and OpenAI, L.L.C. — AI model providers that process chat content to generate responses. Each provider processes data under its own enterprise terms and does not train on data submitted through our platform.
• —Google LLC (Google Cloud) — cloud hosting and storage for application data, files, and checkpoints.

3.2 Business Transfers

If LLABS undergoes a merger, acquisition, or asset sale, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

3.3 Legal Requirements

We may disclose personal information to comply with legal obligations, respond to law enforcement requests, or protect our rights or users.

3.4 With Your Consent

We may share information with third parties if you explicitly consent (e.g., an integration you enable in your account settings).

3.5 Our Role as Data Processor

When a business customer embeds our chat widget on their website or uses our platform to deploy agents that handle third-party personal data, that customer is the data controller under GDPR and equivalent laws. Levangie Laboratories, Inc. acts as the data processor, processing End User or customer-subject personal data on the customer's behalf and according to their documented instructions.

A Data Processing Addendum (DPA) is available on request to any customer whose use case requires one. The DPA covers scope of processing, data categories, retention periods, security measures, sub-processor obligations, breach notification, and data return or deletion on termination. To request a DPA, email brayden@levangielaboratories.com.

4.1 Retention Periods

We retain personal data only as long as necessary for the purposes described in this Policy or as required by law. Our current default retention periods are:

• —Widget visitor identifiers: 90 days from last activity.
• —Widget IP addresses, user-agent strings, referrer URLs: 90 days.
• —Widget chat messages: 365 days by default; widget customers may configure a shorter period.
• —Aggregate analytics counters: approximately 8 days in cache; durable analytics tied to session records up to 30 days.
• —Account data: retained for the life of the account. On account deletion request, conversations, folders, and user records are anonymized or deleted after a 30-day grace period; API keys, linked accounts, and active sessions are deleted immediately.
• —Audit logs: up to 7 years, as required for security and compliance review.

Retention periods may be adjusted where required by law or contract (for example, under a customer DPA).

4.2 Security Measures

We employ industry-standard security measures (encryption in transit, restricted access controls, etc.) to protect your data. However, no method of transmission or storage is 100% secure.

4.3 Organization Members & Departure

Our platform supports multi-user organizations. When data is created within the context of an organization (for example, conversations, folders, and sessions tagged with that organization's identifier), the organization — not the individual user — controls that data. On leaving an organization:

• —The departing user's active sessions within that organization are terminated immediately.
• —Conversations, folders, and other artifacts created in the organization's context remain with the organization and continue to be governed by the organization administrator's retention settings and any applicable Data Processing Addendum.
• —The departing user's personal account data outside of organization context is retained under this Policy as described in Section 4.1 above.
• —A 30-day grace period applies to org-scoped conversations and folders scheduled for deletion during administrative cleanup, consistent with Section 4.1.
• —We log all membership changes in an internal audit record for security and compliance review.

If you are an organization administrator and wish to export, delete, or reassign a departed member's org-scoped data, contact us at brayden@levangielaboratories.com.

6.1 Rights Under Applicable Law

Depending on your jurisdiction, you may have the right to:

• —Access — request a copy of the personal information we hold about you.
• —Rectification — correct inaccurate or incomplete personal information.
• —Erasure — request deletion of your personal information (GDPR Article 17 / CCPA right to delete), subject to legal exceptions.
• —Portability — receive a copy of your data in a portable, machine-readable format.
• —Objection & Restriction — object to or restrict certain processing, including for direct marketing.
• —Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.

To exercise these rights, use the in-product controls (Settings → Delete My Account, for example) or email brayden@levangielaboratories.com. We aim to respond to GDPR requests within 30 days and to CCPA requests within 45 days, as those laws require.

6.2 Marketing Opt-Out

You can opt out of marketing emails at any time by clicking the "unsubscribe" link in any such email. Transactional and service messages (security alerts, billing notices) will continue as long as you hold an account.

6.3 "Do Not Sell or Share" / CCPA & GDPR

We do not sell personal information and do not share it for cross-context behavioral advertising. Where applicable law grants additional opt-out or disclosure rights (e.g., CCPA, CPRA, GDPR, UK GDPR), we will honor valid requests as required under those statutes.

8.1 Agent Data Processing

Our AI agents process user-provided data (including any personal data you submit) to generate output. We do not review or moderate every output. Users remain responsible for the legality and appropriateness of data submitted to an agent.

8.2 Model Providers & No Training on Customer Data

Chat content submitted through our platform or chat widget is sent to third-party large-language-model providers — currently Anthropic and OpenAI — solely to generate a response. We do not use your content, agent conversations, or widget chat data to train or fine-tune our AI models, and our model providers do not train on data submitted through our platform under their enterprise terms.

8.3 Consent & AI Disclosure in the Widget

Our chat widget obtains affirmative consent before any personal data is collected. End Users must click "Continue" on the consent gate to begin chatting, and an AI-assistant disclosure (by default, "You are chatting with an AI assistant") is shown at the start of every session.

8.4 TRiSM & Hallucination Mitigation

We implement trust, risk, and security management measures to reduce the risk of harmful or inaccurate outputs but cannot guarantee 100% correctness or factual integrity. AI responses may contain errors, hallucinations, or outdated information and should not be relied on as professional advice.