Data Controller: Lumendra Labs S.L., Madrid, Spain. Contact: privacy@strategoscope.com
1. Scope
This policy describes how we collect, use and protect personal data when you use Strategoscope ("the Platform"). It complies with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA) where applicable.
2. Data we collect
- Account data: email, name, organization, password hash, locale.
- Scenario data: simulation inputs, prompts, generated outputs and metadata.
- Billing data: plan, invoices and last-4 of payment method. Payments are processed by Paddle, which acts as Merchant of Record. We do not store full card numbers — Paddle handles all card data directly.
- Usage telemetry: anonymous events, feature usage and aggregated performance metrics.
- Technical data: IP address, user-agent, device type, server logs (retained 30 days for security).
3. Lawful basis (GDPR Art. 6)
- Contract: to provide the Platform and process payments.
- Legitimate interest: to secure the service, prevent abuse and improve product quality.
- Consent: for optional analytics cookies and marketing communications.
- Legal obligation: tax, accounting and law-enforcement requests.
4. AI processing & sub-processors
Scenario inputs are sent to AI inference providers strictly to generate the response you requested, under data-processing agreements that prohibit using your inputs to train third-party foundation models. Current sub-processors:
- Lovable Cloud / Supabase (EU) — database, authentication, storage.
- OpenAI & Google AI — LLM inference (zero-retention enterprise endpoints where available).
- Paddle.com Market Ltd. (UK/EU) — Merchant of Record: payment processing, billing, sales-tax/VAT compliance, invoicing and refund handling. Paddle acts as an independent data controller for transaction data — see Paddle's Privacy Notice.
- Cloudflare — edge delivery, DDoS protection.
- Resend — transactional email.
International transfers rely on the EU Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable.
5. How we use your data
To run simulations, authenticate users, secure the platform, prevent abuse, bill correctly, communicate service updates, and improve product quality through aggregated analytics. We do not sell personal data and we do not run advertising profiles.
6. Storage & security
Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Row-level security isolates each operator's data. Production access is restricted on a need-to-know basis with audit logging. We perform regular security reviews and dependency scans.
7. Retention
Active account data is retained while the account is open. On account deletion, personal data is purged within 30 days (except where retention is required by law — e.g. invoices, kept 6 years for tax purposes). Server logs are retained for 30 days.
8. Your rights
Under GDPR/CCPA you may, free of charge: access, rectify, erase, restrict, port or object to the processing of your personal data, and withdraw consent at any time. Exercise these rights from Settings → Privacy or by emailing privacy@strategoscope.com. We respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (in Spain: Agencia Española de Protección de Datos — aepd.es).
9. Children
Strategoscope is not intended for children under 16. We do not knowingly collect data from minors. If you believe we have, contact us and we will delete it.
10. Automated decision-making
The Platform produces probabilistic forecasts but does not make legal or significant decisions about you automatically. Outputs are decision-support only.
11. Changes
We will notify material changes via email or in-app banner at least 15 days before they take effect.
12. Contact
Lumendra Labs S.L. — privacy@strategoscope.com
Strategoscope is a product by Lumendra Labs S.L. — Madrid, Spain.