
Privacy Policy

Effective Date: March 7, 2026 · Last Revised: March 7, 2026

This Privacy Policy (“Policy”) describes how Lore (“Lore,” “we,” “us,” or “our”) collects, uses, discloses, and otherwise processes personal data in connection with our website at lore.surf (the “Site”) and our enterprise knowledge management platform, including any related APIs, integrations, and services (collectively, the “Service”). This Policy applies to all users of the Service, including individual end users, administrators, and organizational customers (“Customers”).

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with this Policy, you must not access or use the Service. If you are using the Service on behalf of an organization, you represent and warrant that you are authorized to accept this Policy on behalf of such organization.

1. Definitions

“Customer Data” means any data, content, or information that a Customer or its authorized users submit, upload, or otherwise make available through the Service, including data ingested from connected third-party platforms (e.g., GitHub, Slack, Jira, Linear, Confluence, Notion).

“Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws, including the EU General Data Protection Regulation (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and other applicable privacy legislation.

“Processing” means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, combination, restriction, erasure, or destruction.

“Sub-processor” means any third-party entity engaged by Lore to process Customer Data on behalf of a Customer.

2. Data Controller and Data Processor Roles

When Lore acts as Data Controller: Lore is the data controller for Personal Data collected directly through the Site (e.g., contact form submissions, account registration data, usage analytics, and cookie data). For such data, Lore determines the purposes and means of processing.

When Lore acts as Data Processor: With respect to Customer Data processed through the Service, Lore acts as a data processor (or “service provider” under the CCPA/CPRA) on behalf of the Customer. The Customer is the data controller and is responsible for establishing the legal basis for processing. Lore processes Customer Data solely in accordance with the Customer’s instructions and the terms of the applicable Data Processing Agreement (“DPA”).

Enterprise Customers may request a DPA by contacting hello@lore.surf.

3. Categories of Personal Data We Collect

We collect and process the following categories of Personal Data:

3.1 Account and Registration Data. When you create an account, we collect your full name, email address, organization name, and authentication credentials. If you authenticate via a third-party identity provider (e.g., GitHub, Google), we receive your name, email, and profile identifier from that provider.

3.2 Customer Data from Connected Integrations. When a Customer connects third-party developer tools to the Service, we ingest data from those platforms to provide knowledge extraction capabilities. This may include:

  • Source code repository metadata, pull request discussions, code review comments, and commit messages (from GitHub, GitLab)
  • Channel messages, thread discussions, and direct messages where the Lore integration is authorized (from Slack, Microsoft Teams)
  • Issue descriptions, comments, status updates, and workflow data (from Jira, Linear)
  • Document content, page history, and comments (from Confluence, Notion, Google Drive)
  • Meeting transcripts and recordings where authorized (from Zoom, Google Meet)

3.3 Usage Data. We automatically collect information about how you interact with the Service, including pages viewed, features used, search queries submitted, timestamps, frequency of access, and session duration.

3.4 Device and Technical Data. We collect your IP address, browser type and version, operating system, device identifiers, referring URLs, and other standard server log information.

3.5 Payment Data. If you purchase a paid plan, our payment processor (Razorpay) collects and processes your payment information, including billing address and payment card details. Lore does not store full payment card numbers on its servers.

3.6 Communication Data. When you contact us for support, sales, or other inquiries, we collect the content of your communications, including emails, form submissions, and any attachments.

4. Legal Bases for Processing (EEA/UK Users)

If you are located in the European Economic Area (“EEA”) or the United Kingdom (“UK”), we process your Personal Data on the following legal bases under Article 6 of the GDPR:

  • Performance of Contract (Art. 6(1)(b)): Processing necessary to provide the Service, manage your account, and fulfill our contractual obligations under the Terms of Service.
  • Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate interests, including improving the Service, preventing fraud, ensuring network security, and conducting analytics. We balance these interests against your rights and freedoms.
  • Consent (Art. 6(1)(a)): Where you have provided explicit consent, such as opting in to marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

5. How We Use Personal Data

We use Personal Data for the following purposes:

  1. Service Delivery. To provide, maintain, and operate the Service, including knowledge extraction, search and question-answering functionality, analytics, and reporting.
  2. Account Management. To create and manage your account, authenticate your identity, and manage organization membership and permissions.
  3. AI Processing. To process Customer Data through our AI pipeline for the purpose of extracting, classifying, and structuring organizational knowledge. This processing involves the use of third-party AI services as described in Section 7.
  4. Service Improvement. To analyze usage patterns, diagnose technical issues, and develop new features. We do not use Customer Data to train general-purpose AI models.
  5. Security. To detect, investigate, and prevent security incidents, fraud, abuse, and violations of our Terms of Service.
  6. Communications. To send service-related notices (e.g., account verification, billing, security alerts) and, where you have opted in, marketing communications.
  7. Legal Compliance. To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

6. Data Sharing and Disclosure

We do not sell, rent, or trade your Personal Data. We may share Personal Data in the following limited circumstances:

6.1 Sub-processors. We engage Sub-processors to assist in providing the Service. Each Sub-processor is bound by contractual obligations to process Personal Data only as instructed by Lore and to implement appropriate technical and organizational security measures. Our current Sub-processors include:

  • Supabase, Inc. — Authentication, database hosting, and infrastructure (United States)
  • Anthropic, PBC — AI-powered text classification and knowledge extraction (United States)
  • OpenAI, Inc. — Text embedding generation for semantic search (United States)
  • Vercel, Inc. — Application hosting and content delivery (Global edge network)
  • Razorpay Software Pvt. Ltd. — Payment processing (India)
  • Resend, Inc. — Transactional email delivery (United States)

Enterprise Customers may subscribe to Sub-processor change notifications by contacting hello@lore.surf.

6.2 Within Customer Organizations. Customer Data and associated Personal Data may be visible to other authorized users within the same Customer organization, subject to the Customer’s configured access controls (including team-scoped access, role-based permissions, and privacy settings).

6.3 Legal Requirements. We may disclose Personal Data if required to do so by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.

6.4 Business Transfers. In the event of a merger, acquisition, reorganization, bankruptcy, or other similar event, Personal Data may be transferred as part of the transaction. We will provide notice before Personal Data becomes subject to a different privacy policy.

7. AI Data Processing

The Service uses artificial intelligence to extract, classify, and structure knowledge from Customer Data. The following principles govern our AI data processing:

  • Purpose Limitation. Customer Data processed through our AI pipeline is used solely to provide the Service to the applicable Customer. We do not use Customer Data to train, improve, or fine-tune general-purpose AI models.
  • Third-Party AI Providers. We use Anthropic Claude for text classification and knowledge extraction, and OpenAI for generating text embeddings. Data transmitted to these providers is processed under our data processing agreements with each provider, which prohibit the use of customer inputs for model training.
  • Data Minimization. We transmit only the minimum data necessary for AI processing. Source content is processed in isolated requests and is not retained by our AI providers beyond the duration of the processing request, except as stated in their respective data processing terms.
  • Human Review. AI-extracted knowledge may be reviewed by authorized users within the Customer’s organization for accuracy. Lore personnel do not access Customer Data except as necessary for technical support and only with the Customer’s authorization.

8. International Data Transfers

Lore processes data primarily in the United States and Japan (Tokyo region). If you are located outside of these jurisdictions, your Personal Data may be transferred to and processed in countries that may not provide the same level of data protection as your home jurisdiction.

For transfers of Personal Data from the EEA, UK, or Switzerland, we rely on the following transfer mechanisms:

  • Standard Contractual Clauses (“SCCs”) approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
  • The UK International Data Transfer Addendum to the EU SCCs, where applicable
  • Any successor framework to the EU-U.S. Data Privacy Framework, where applicable

Customers may request copies of the applicable SCCs by contacting hello@lore.surf.

9. Data Retention

We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting obligations.

  • Account Data: Retained for the duration of the Customer’s active subscription and for thirty (30) days following account termination, after which it is deleted or anonymized.
  • Customer Data (Knowledge Nuggets): Retained in accordance with the Customer’s configured retention policy. Default retention is aligned with the Customer’s subscription plan. Enterprise Customers may configure custom retention periods.
  • Raw Ingested Events: Retained for seven (7) days from ingestion, then automatically purged.
  • Usage and Analytics Data: Retained in aggregated, anonymized form for up to twenty-four (24) months for service improvement purposes.
  • Audit Logs: Retained for a minimum of twelve (12) months and up to seven (7) years for Enterprise plans, as required for compliance purposes.
  • Payment Records: Retained for the period required by applicable tax and financial reporting laws (typically seven (7) years).

Upon expiration of the applicable retention period, Personal Data is securely deleted or irreversibly anonymized using industry-standard methods.

10. Data Security

We implement appropriate technical and organizational measures designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include, without limitation:

  • Encryption of Personal Data at rest using AES-256-GCM and in transit using TLS 1.2 or higher
  • Role-based access controls with principle of least privilege
  • Four-gate scope-aware access control for Customer Data (organization, team, private, and administrative scopes)
  • Audit logging of all access to Customer Data
  • Automated vulnerability scanning and dependency monitoring
  • Incident response procedures with defined escalation paths
  • Regular access reviews and credential rotation

No method of transmission over the Internet or method of electronic storage is completely secure. While we strive to protect your Personal Data, we cannot guarantee its absolute security.

11. Your Privacy Rights

11.1 Rights Under the GDPR (EEA and UK Residents). If you are located in the EEA or UK, you have the following rights with respect to your Personal Data:

  • Right of Access (Art. 15): The right to obtain confirmation of whether we process your Personal Data and to access such data.
  • Right to Rectification (Art. 16): The right to request correction of inaccurate or incomplete Personal Data.
  • Right to Erasure (Art. 17): The right to request deletion of your Personal Data, subject to applicable legal retention obligations.
  • Right to Restriction of Processing (Art. 18): The right to request restriction of processing in certain circumstances.
  • Right to Data Portability (Art. 20): The right to receive your Personal Data in a structured, commonly used, and machine-readable format.
  • Right to Object (Art. 21): The right to object to processing based on legitimate interests or for direct marketing purposes.
  • Right Not to Be Subject to Automated Decision-Making (Art. 22): The right not to be subject to decisions based solely on automated processing, including profiling, which produces legal or similarly significant effects.

Where Lore acts as a data processor, data subject requests should be directed to the applicable Customer (data controller). We will assist the Customer in fulfilling such requests as required under our DPA.

11.2 Rights Under the CCPA/CPRA (California Residents). If you are a California resident, you have the following rights under the CCPA/CPRA:

  • Right to Know: The right to request disclosure of the categories and specific pieces of Personal Data we have collected about you, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share your data.
  • Right to Delete: The right to request deletion of your Personal Data, subject to certain exceptions.
  • Right to Correct: The right to request correction of inaccurate Personal Data.
  • Right to Opt Out of Sale/Sharing: We do not sell or share Personal Data for cross-context behavioral advertising. Therefore, there is no need to opt out.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

11.3 Exercising Your Rights. To exercise any of the above rights, please contact us at hello@lore.surf. We will verify your identity before processing your request and respond within the timeframes required by applicable law (generally thirty (30) days for GDPR requests and forty-five (45) days for CCPA/CPRA requests, with extensions as permitted by law).

12. Cookies and Tracking Technologies

The Service uses strictly necessary cookies to maintain session state, authentication tokens, and user preferences. We do not use third-party advertising cookies or cross-site tracking technologies.

Strictly necessary cookies cannot be disabled as they are essential for the operation of the Service. No consent is required for strictly necessary cookies under applicable law, including the ePrivacy Directive (Directive 2002/58/EC).

13. Children’s Privacy

The Service is not directed to individuals under the age of sixteen (16). We do not knowingly collect Personal Data from children under 16. If we become aware that a child under 16 has provided us with Personal Data, we will take steps to delete such information. If you believe a child under 16 has provided us with Personal Data, please contact us at hello@lore.surf.

14. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will:

  • Notify the relevant supervisory authority without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, as required under GDPR Article 33
  • Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required under GDPR Article 34
  • Notify affected Customers in accordance with the timeline and procedures specified in the applicable DPA or, in the absence of a DPA, within seventy-two (72) hours of becoming aware of the breach

Breach notifications will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

15. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will provide notice through the Service or by email at least thirty (30) days before the effective date of the revised Policy. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy.

We encourage you to periodically review this page for the latest information on our privacy practices.

16. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Lore

Email: hello@lore.surf

Subject Line: “Privacy Inquiry”

If you are located in the EEA or UK and believe that our processing of your Personal Data violates applicable data protection law, you have the right to lodge a complaint with your local supervisory authority.