Privacy Policy

We collect the following types of information:

- Account information: email address, display name, and password hash.

- Usage data: API call logs, token counts, models used, and timestamps.

- Payment information: processed by Stripe. We do not store credit card numbers on our servers.

- Technical data: IP addresses, user agent strings, and request metadata for security and analytics purposes.

We use the information we collect to: provide and maintain the Service; process billing and payments; monitor usage and enforce rate limits; improve the Service and develop new features; ensure security and prevent fraud; and communicate with you about your account and service updates.

We share data with the following categories of third parties:

- Payment processor (Stripe): to process payments and manage subscriptions.

- Upstream LLM providers: API request content is passed through to the relevant model provider for processing. We recommend not including personal data in API prompts.

- We do not sell your personal data to any third party.

Account data is retained for the duration of your active account. Usage logs are retained for 90 days, after which they are aggregated and anonymized. Payment records are retained as required by applicable tax and financial regulations.

You may request deletion of your account and associated personal data at any time by contacting [email protected].

Under the Act on the Protection of Personal Information (APPI), you have the following rights:

- Right to request disclosure of your personal data.

- Right to request correction of inaccurate data.

- Right to request deletion of your data.

- Right to request cessation of use or provision to third parties.

- Right to withdraw consent for data processing.

- Right to file a complaint with the Personal Information Protection Commission (PPC).

To exercise these rights, contact [email protected].

Your data may be processed in the following jurisdictions: Japan (primary service infrastructure), Singapore and other regions (upstream AI model providers for API processing, via their overseas entities), and the United States (Stripe payment processing).

In accordance with APPI requirements for cross-border transfers, we take appropriate measures to ensure the protection of your personal information when it is transferred to countries outside Japan.

We use session cookies strictly for authentication and maintaining your login state. We do not use tracking cookies, advertising cookies, or any third-party analytics cookies.

We implement appropriate technical and organizational measures to protect your data, including: encryption of data in transit (TLS) and at rest; API keys are stored using SHA-256 hashing; access controls and regular security reviews.

While we strive to protect your data, no method of transmission over the internet is 100% secure.

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

We may update this Privacy Policy from time to time. We will notify you of material changes via the email address associated with your account. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

For privacy-related inquiries, please contact us at [email protected].

Personal Information Protection Manager: [DPO_NAME], [DPO_EMAIL]

When you sign in with your GitHub or Google account, we collect the following data:

Required data:

- Email address (used for account identification)

Optional data:

- Display name (for dashboard display, optional)

- Profile picture URL (for avatar display, optional)

This data is used solely for account authentication and service delivery. We do not access your code repositories, contact lists, or other account information.

GitHub OAuth scopes: read:user, user:email

Google OAuth scopes: openid, email, profile

When using social login, data is exchanged with the following third parties:

1. GitHub, Inc. (United States): Authentication tokens and email addresses are exchanged via the OAuth protocol.

2. Google LLC (United States): Authentication tokens and email addresses are exchanged via the OpenID Connect protocol.

These third parties provide data solely for authentication purposes. Luxeno does not share your data with these third parties beyond the authentication flow. Please refer to the GitHub Privacy Statement and Google Privacy Policy for their respective data handling practices.

During the social login authentication process, your personal data (email address and authentication tokens) is transmitted to entities in the following countries:

- United States: GitHub, Inc. and Google LLC (for authentication processing)

Authentication tokens are protected by AES-256-GCM encryption before being stored on servers in the Tokyo region. All communication during the authentication flow is encrypted using TLS 1.2 or higher.

These US-based companies maintain data protection measures compliant with GDPR and APPI under their respective privacy policies.

Authentication tokens (access tokens and refresh tokens) obtained through social login are encrypted using AES-256-GCM at the application layer before being stored in our database.

Retention period: Tokens are retained for the lifetime of your account.

Deletion: Upon account deletion, all associated OAuth tokens and provider linking information are permanently deleted.

You may revoke Luxeno's access at any time through your GitHub or Google account settings. Your Luxeno account will remain active after revoking provider access.

Our service uses the following cookies:

1. Session Cookie (Essential)

- Name: session

- Purpose: Maintaining login state

- Type: HTTPOnly, Secure, SameSite=Lax

- Expiry: 7 days

2. Language Preference Cookie (Essential)

- Name: NEXT_LOCALE

- Purpose: Preserving display language

- Expiry: 7 days

These cookies are necessary for basic service functionality and are not used for tracking or advertising purposes. OAuth state information is stored server-side (Redis) and is not stored in cookies.