Lofy AIGDPR Compliance
Data Protection & Your Rights
Last updated: February 3, 2025
Lofy AI complies with the General Data Protection Regulation (GDPR) (EU Regulation 2016/679). This page explains how we operationalize GDPR compliance in plain language and how you can exercise your rights.
This page is a compliance summary and does not replace our formal Privacy Policy. The scope of GDPR applies to users located in the European Union (EU) and European Economic Area (EEA).
1Who We Are Under GDPR
As the Data Controller, we are responsible for determining how your personal data is processed and for what purposes.
2Personal Data We Process
We process the following categories of personal data:
| Category | Examples |
|---|---|
| Account data | Name, email address, user ID |
| Billing data | Invoices, payment metadata, transaction records |
| Usage data | Feature usage, interaction logs, preferences |
| Technical data | IP address, browser type, device information |
| Support data | Support tickets, chat logs, communication history |
| Integration data | Google Calendar data (with your permission) |
3Legal Basis for Processing
Under GDPR, we must have a legal basis for processing your personal data. Here is our explicit mapping:
| Purpose | Legal Basis |
|---|---|
| Account creation & service provision | Contract (Article 6(1)(b)) |
| Billing & invoices | Legal obligation (Article 6(1)(c)) |
| Security & fraud prevention | Legitimate interest (Article 6(1)(f)) |
| Marketing emails | Consent (Article 6(1)(a)) |
| Analytics cookies | Consent (Article 6(1)(a)) |
| Customer support | Contract (Article 6(1)(b)) |
This explicit mapping is a GDPR requirement and demonstrates our commitment to transparency.
4How Your Data Is Used
We use your personal data for the following purposes:
- Provide and maintain our personal assistant services
- Process payments and manage billing
- Maintain security and prevent fraud
- Improve our product and services (with your consent where required)
- Provide customer support and respond to inquiries
- Comply with legal obligations
5Data Retention Policy
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this notice, unless a longer retention period is required by law.
- Account data: Retained while your account is active. After account deletion, data is permanently removed within 30 days, except where legally required to retain it.
- Billing data: Retained for 7 years as required by tax and accounting laws.
- Support data: Retained for 2 years after ticket resolution for quality assurance purposes.
Backup data may be retained for up to 90 days before permanent deletion. You can request deletion at any time, subject to legal requirements.
6Your Rights Under GDPR
As an EU/EEA resident, you have the following rights regarding your personal data:
Right to Access
Request a copy of all personal data we hold about you.
Action: Contact us or use in-app settings.
Right to Rectification
Request correction of inaccurate or incomplete data.
Action: Edit profile or contact us.
Right to Erasure
Request deletion of your data ("right to be forgotten").
Action: Delete account in settings.
Right to Data Portability
Receive your data in a structured format (JSON/CSV).
Action: Request export in settings.
Right to Restrict Processing
Request we limit how we use your data.
Action: Contact support.
Right to Withdraw Consent
Withdraw consent for processing based on consent.
Action: Update cookie preferences.
Right to Lodge a Complaint
You have the right to file a complaint with your local data protection authority. For EU users, find your authority at edpb.europa.eu.
7Data Sharing & Processors
We share your data only with trusted service providers (data processors) necessary to operate our services:
- Vercel: Cloud hosting and frontend infrastructure
- Google Cloud Platform: Backend infrastructure and hosting (Google Cloud Run)
- MongoDB: Database storage
- Google APIs: Calendar integration (with your explicit permission)
- Payment Processors: Stripe or other payment providers for billing
- Email Providers: For transactional and support communications
Important: All data processors operate under Data Processing Agreements (DPAs) that comply with GDPR requirements. We do not sell your personal data to third parties.
8International Data Transfers
Some to our service providers are located outside the EU/EEA. When we transfer your data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs with all non-EU processors to ensure GDPR-level protection.
- Adequacy Decisions: Where applicable, we rely on EU adequacy decisions for certain jurisdictions.
9Security Measures
We implement industry-standard security measures to protect your personal data:
- Encryption in transit (TLS/SSL) and at rest
- Access controls and authentication mechanisms
- Regular security monitoring and logging
- Regular software updates and security patches
10Cookies & Consent
We use cookies and similar technologies to enhance your experience. Under GDPR:
- Essential cookies are necessary for the service to function and do not require consent
- Non-essential cookies (analytics, marketing) require your opt-in consent
- You can change your cookie preferences at any time in your account settings
11How to Make a GDPR Request
To exercise your GDPR rights, you can:
Use your account settings to download data, delete account, or update your profile.
Response Time: We will respond to your GDPR request within 30 days, as required by GDPR Article 12(3).