Privacy Policy

1. Introduction

This Privacy Policy explains how Constevol ("we", "us", "our") collects, uses, and protects your personal information when you use Lutin ("Service"). If you fall within the scope of the GDPR, this policy outlines our lawful bases for processing personal data.

Lutin is committed to protecting your privacy through:

• Local-first approach: All your content and conversation history are stored locally on your device
• Minimal data collection: We only collect what's essential for account management and service improvement
• Transparent practices: Clear disclosure of what data we handle and who processes it
• Privacy-focused analytics: Anonymized usage statistics to understand how to better serve you

2. Data Controller

Data Controller: Constevol AB
Email: [email protected]
Country: Sweden

3. Cookies and Analytics

We use cookies and similar tracking technologies to improve your experience and understand how our service is used.

3.1 Types of Cookies We Use

3.2 Google Analytics

We use Google Analytics to understand how visitors use our website and application. This helps us improve the user experience and identify areas for enhancement.

• Data collected: Page views, session duration, browser type, device information, geographic location (country/city level)
• IP anonymization: IP addresses are anonymized
• Opt-out: You can opt-out using Google's opt-out browser add-on
• Privacy Policy: Google Privacy Policy

3.3 Microsoft Clarity

We use Microsoft Clarity to understand user behavior and improve website usability through session recordings and heatmaps.

• Data collected: Mouse movements, clicks, scrolling behavior, form interactions (no sensitive data)
• Data protection: Sensitive information is automatically masked
• Opt-out: You can opt-out by disabling analytics cookies
• Privacy Policy: Microsoft Privacy Policy

3.4 Cookie Consent

When you first visit our website, we'll ask for your consent to use analytics cookies. You can:

• Accept all cookies
• Decline cookies
• Change your preferences at any time through our cookie settings

4. What Data We Collect

4.1 Account Information We Collect

4.2 Automatically Collected Data

We collect minimal technical information necessary for service operation:

• Login timestamps: For security and account management
• IP address: Temporarily logged for security purposes only
• Device type and OS: To ensure software compatibility
• Application version: For update management and support

4.3 Analytics Data

Through our analytics tools (with your consent), we collect:

• Usage patterns: Which features are used most, navigation paths on our website
• Performance data: Page load times, error rates, crash reports
• Technical information: Browser type, screen resolution, operating system
• Geographic data: Country and city-level location (not precise location)
• User interactions: Clicks, scrolls, form submissions on our website (anonymized)

4.4 Application Usage Data

To improve the Lutin desktop application experience, we collect aggregated, anonymized usage statistics including:

Feature usage metrics:

• How many times push-to-talk is activated
• How many times global transcription is used
• Frequency of web browsing and app launching commands
• Usage of screen capture functionality
• Background task and reminder feature usage
• Workflow automation and integration usage

Tool and integration statistics:

• Which types of tools/integrations are used (e.g., "web search," "app launcher," "scheduler")
• Frequency of tool usage
• Success/failure rates of tool executions

Application performance data:

• Error rates and crash reports
• Response times and latency
• Feature responsiveness and load times
• Voice recognition accuracy metrics

Session information:

• Session duration
• Number of interactions per session
• Feature switching patterns

5. AI Service Providers and Data Processing

5.1 How AI Processing Works

Lutin acts as an interface to AI service providers. When you interact with Lutin:

1. Your input (text or voice) is sent to AI service providers' APIs for processing
2. The AI provider processes your request and sends back a response
3. We do not store, log, or access the content of these conversations
4. Your conversation history is stored only on your local device

5.2 Third-Party AI Providers

Your conversations may be processed by the following AI service providers, depending on your configuration and the features you use:

• OpenAI: For chat and reasoning capabilities. See OpenAI's Privacy Policy and API Data Usage Policy
• Anthropic: For chat capabilities. See Anthropic's Privacy Policy
• Google: For AI models and web search. See Google's Privacy Policy
• Other AI providers: Depending on your model selection

Important: Each AI provider has their own data retention and usage policies. We recommend reviewing their privacy policies. Most providers do not use API data to train their models, but policies may vary.

5.3 What Gets Sent to AI Providers

When you use Lutin's features, the following may be sent to AI providers:

• Your text queries and voice transcriptions
• Screenshots or images you choose to share for analysis
• Web search queries (for real-time information features)
• Context you provide for tasks
• Application context data (if enabled in the settings)

What is NOT sent:

• Your email, account information, or payment details
• Usage statistics or analytics data
• Conversations or data from other users

6. Legal Basis for Processing

Under the GDPR, we need to have a legal basis for all data processing we carry out. Our legal bases are:

• Contract Performance (Article 6(1)(b)): Processing necessary to provide Lutin services, including account management and AI service delivery
• Legitimate Interest (Article 6(1)(f)): Security monitoring, fraud prevention, essential analytics, and application performance improvement
• Consent (Article 6(1)(a)): OAuth authentication, marketing communications (opt-in only), non-essential analytics cookies, and optional usage data collection

7. How We Use Your Data

We use your personal data for:

• Creating and managing your Lutin account
• Processing subscription payments via Stripe
• Providing customer support
• Sending important service notifications
• Ensuring account security and preventing fraud
• Analyzing website and application usage to improve our service (with consent)
• Identifying technical issues and performance problems
• Understanding feature usage patterns to prioritize development
• Optimizing the desktop application performance and reliability
• Facilitating AI service delivery by routing your requests to AI providers

We do NOT:

• Store or access the content of your conversations with AI
• Sell your data to third parties
• Use your data for targeted advertising
• Share your personal data for marketing purposes
• Create detailed user profiles for commercial purposes
• Track you across other websites beyond our analytics scope
• Use your conversation content to train AI models

8. Data Sharing and Third Parties

We share your data only with essential service providers:

8.1 Payment Processing

• Stripe: Processes payments securely. View Stripe's Privacy Policy
• We never store your full credit card information

8.2 AI Service Providers

• Various AI Providers: Process your conversations to provide AI responses. We do not store or access this data ourselves. Each provider has their own privacy policy and data handling practices.
• Your choice of AI model determines which provider processes your data
• Data is transmitted securely using encryption

8.3 Analytics Services

• Google Analytics: Website and app usage analytics. Data is anonymized and aggregated. View Google's Privacy Policy
• Microsoft Clarity: User behavior analysis for UX improvement. Sensitive data is automatically masked. View Microsoft's Privacy Policy

8.4 Infrastructure Providers

• Cloud hosting: For secure account data storage (email, subscription info, hashed passwords)
• All providers are GDPR-compliant with appropriate data processing agreements

8.5 Legal Requirements

We may disclose your data if required by law or to:

• Comply with legal obligations
• Protect our rights or property
• Prevent fraud or security threats

9. Data Storage and Security

9.1 Where Your Data is Stored

• Account data: Stored in secure, GDPR-compliant data centers
• Conversation history: Stored locally on your device only - never on our servers
• AI conversations: Processed by third-party AI providers according to their retention policies
• Analytics data: Stored with Google and Microsoft in their respective secure environments
• Usage statistics: Stored in anonymized form in secure data centers
• Backups: Account data is encrypted and backed up securely

9.2 Security Measures

• Encryption in transit (TLS/HTTPS) and at rest (AES-256)
• Hashed and salted passwords (never stored in plain text)
• Regular security audits and updates
• Access controls and monitoring
• Cookie security measures (secure, HttpOnly, SameSite attributes)
• Secure API communication with AI providers

10. Data Retention

You have a right to keep personal data, but according to the GDPR, this time period is "for no longer than is necessary for the purposes for which the personal data are processed."

11. Your Rights Under GDPR

As a data subject, you have the following rights:

11.1 Right of Access (Article 15)

Request a copy of all personal data we hold about you (does not include locally stored conversation history).

11.2 Right to Rectification (Article 16)

Correct any inaccurate or incomplete personal data.

11.3 Right to Erasure (Article 17)

Request deletion of your personal data ("right to be forgotten"). Note: For conversation history stored locally, you can delete this yourself through the application.

11.4 Right to Restrict Processing (Article 18)

Limit how we use your personal data.

11.5 Right to Data Portability (Article 20)

Receive your data in a structured, machine-readable format.

11.6 Right to Object (Article 21)

Object to processing based on legitimate interests.

11.7 Right to Withdraw Consent

Withdraw consent for processing at any time, including:

• Analytics cookies
• Application usage data collection
• Marketing communications

11.8 Data Management

You can manage your data through:

• Cookie preferences: Via our cookie consent banner or browser settings
• Usage data collection: Through application settings (opt-in/opt-out)
• Conversation history: Locally managed through the Lutin application
• Account deletion: Request full account deletion through [email protected]

To exercise your rights:
Email: [email protected]
Subject: "Privacy Rights Request"
We will respond within 30 days.

12. Children's Privacy

Where information society services are offered directly to a child under the age of 13, and the lawful basis of processing their personal data is consent, such consent must be obtained from or authorized by the individual with parental responsibility over the child.

Lutin is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we discover we have collected such information, we will delete it immediately.

13. International Data Transfers

If you transfer data you've collected internationally, appropriate safeguards must be in place.

Your personal data is primarily stored within the EU. When we transfer data outside the EU:

• We use Standard Contractual Clauses (SCCs) approved by the European Commission
• We ensure adequate safeguards are in place
• Transfers are limited to essential service operations only
• AI providers (OpenAI, Anthropic, Google, etc.) may process data in the US or other regions under appropriate safeguards
• Google Analytics and Microsoft Clarity may process data in the US under appropriate safeguards

14. Privacy Policy Changes

You should review and revise your privacy policy document at least once a year to reflect changes in business operations, laws, and technology.

We may update this Privacy Policy to reflect:

• Changes in our data practices
• Legal or regulatory requirements
• New features or services
• Changes to our AI providers or analytics tools
• Updates to third-party service policies

We will notify you of material changes via:

• Email notification (30 days advance notice)
• Website banner
• In-application notifications for desktop app changes
• Updated consent requests if needed

15. Complaints and Contact

If you have concerns about how we handle your personal data:

Contact Us First:

Constevol Privacy Team
Email: [email protected]

Regulatory Authority:

You have the right to lodge a complaint with:

Swedish Authority for Privacy Protection (IMY)
Website: imy.se
Email: [email protected]

16. Business Transfers

Because SaaS businesses are bought and sold regularly, users have a right to know what happens to their personal data if a new company buys them out.

If Constevol is involved in a merger, acquisition, or sale of assets:

• We will provide notice before your personal data is transferred
• The new entity will be bound by this Privacy Policy
• You will have the right to delete your account before transfer
• Locally stored conversation history remains on your device regardless of business transfers