Privacy Policy
Effective Date: March 7, 2026
Last Updated: March 22, 2026
Version: 1.1
This Privacy Policy describes how Loreva ("Company," "we," "us," or "our") collects, uses, stores, and protects your information when you use the Loreva platform, including the website, applications, APIs, and related services (the "Service").
By using the Service, you agree to the collection and use of information as described in this Privacy Policy.
1. Information We Collect
1.1. Information You Provide
- Account Information: Name and email address when you create an account, along with authentication credentials. If password-based authentication is used, only a cryptographic hash is stored — we never store passwords in plain text.
- Profile Information: Role, industry, preferences, chief of staff name, and tone settings you configure during onboarding and in settings.
- Chat Content: Messages you send to your Chief of Staff, including text and any information you share in conversation.
- Memories: Information your Chief of Staff stores on your behalf in the Memory system, derived from your conversations and settings.
- Payment Information: Billing details provided when you subscribe to a paid plan. Payment processing is handled by third-party payment processors; we do not directly store your full credit card number.
1.2. Information Collected Automatically
- Usage Data: Features used, actions taken, session duration, and interaction patterns.
- Device Information: Browser type, operating system, device type, and screen resolution.
- Log Data: IP address, access times, pages viewed, and referring URLs.
- Performance Data: Error logs, response times, and system health metrics used to maintain service reliability.
1.3. Information from Third Parties
- AI Providers: We send your chat messages to third-party AI model providers (such as Anthropic and Google) for processing. These providers may return generated responses that we deliver to you. See Section 4 for details.
- Integrations: If you connect third-party services (e.g., email, calendar), we receive data from those services as authorized by you.
2. How We Use Your Information
We use your information to:
- Provide the Service: Process your requests, generate AI responses, store memories, and deliver notifications.
- Personalize your experience: Remember your preferences, customize your Chief of Staff's behavior, and provide relevant suggestions.
- Maintain and improve the Service: Monitor performance, fix bugs, and enhance features.
- Communicate with you: Send service-related notices, security alerts, and support responses.
- Process payments: Manage subscriptions, billing, and usage tracking (ACU).
- Ensure security: Detect and prevent fraud, abuse, and unauthorized access.
- Comply with legal obligations: Respond to legal requests and enforce our Terms of Service.
3. How We Store and Protect Your Information
3.1. Data Isolation
Each account has a dedicated, isolated database. Your data is not pooled with other users' data. Database access is restricted to your account through IAM-based authentication.
3.2. Encryption
- In transit: All data transmitted between your device and our servers is encrypted using TLS (HTTPS).
- At rest: Your database is encrypted at rest using AWS-managed encryption keys (AES-256).
3.3. Infrastructure
All data is stored on Amazon Web Services (AWS) infrastructure in the United States.
3.4. Access Controls
Access to your data is restricted to automated systems that process your requests. We do not routinely access individual user data. Manual access occurs only when necessary for:
- Technical support you request;
- Investigating security incidents or Terms of Service violations;
- Complying with legal obligations.
3.5. Security Measures
We implement technical and organizational security measures including isolated databases, encrypted connections, IAM authentication, and regular security reviews. However, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
4. AI Processing and Third-Party Providers
4.1. How AI Processing Works
When you send a message, your input is transmitted to third-party AI model providers for processing. These providers generate a response that is returned to you through the Service.
4.2. Data Sent to AI Providers
AI providers receive:
- Your current message;
- Relevant context from your memory and conversation history (to provide personalized responses);
- System instructions that define your Chief of Staff's behavior.
4.3. AI Provider Data Practices
We select AI providers and API configurations that do not use customer inputs/outputs for model training. However, AI providers may process your data in accordance with their own policies for purposes such as safety monitoring, abuse prevention, and legal compliance. We recommend reviewing the privacy policies of our AI providers:
- Anthropic: https://www.anthropic.com/privacy
- Google: https://ai.google.dev/terms
- OpenAI: https://openai.com/policies/privacy-policy
4.4. No Model Training by Us
We do not use your data to train, fine-tune, or improve AI models. Your data is processed solely to provide the Service to you.
5. Data Sharing and Disclosure
We do not sell your personal information. We share your information only in the following circumstances:
5.1. Service Providers
We share data with third-party service providers that help us operate the Service. Our current providers include:
| Provider | Purpose | Data shared |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, hosting, database | All Service data (encrypted at rest and in transit) |
| Anthropic | AI model processing | Chat messages, memory context, system prompts |
| | AI model processing | Chat messages, memory context, system prompts |
| OpenAI | AI model processing, text embeddings | Chat messages, memory context, system prompts, text for embedding |
| PostHog | Product analytics and session recording | Pseudonymized usage events, page views, masked session recordings (all text inputs and content are masked before capture) |
| Payment processor (TBD) | Billing and subscriptions | Payment details, billing address |
These providers process your data only to provide their services to us. We select AI providers and API configurations that do not use customer inputs/outputs for model training (see Section 4.3).
5.2. Legal Requirements
We may disclose your information if required to do so by law, or if we believe in good faith that disclosure is necessary to:
- Comply with a legal obligation, subpoena, court order, or government request;
- Protect our rights, property, or safety, or that of our users or the public;
- Detect, prevent, or address fraud, security, or technical issues.
5.3. Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such transfer and any choices you may have regarding your information.
5.4. With Your Consent
We may share your information with third parties when you give us explicit consent to do so (e.g., connecting an integration).
6. Your Rights and Choices
6.1. Access and Review
You can access and review your stored information at any time:
- Chat history: Available in the chat interface.
- Memories: Viewable and editable through the Memory Map feature.
- Account settings: Accessible in the Settings page.
6.2. Edit and Correct
You can edit your profile information in Settings and correct or update individual memories through the Memory Map.
6.3. Delete
- Individual memories: Delete specific memories from the Memory Map at any time.
- Chat history: Request deletion by contacting support@meetloreva.com.
- Full account deletion: Contact support@meetloreva.com to delete your account and all associated data permanently. Account deletion is irreversible. We will process deletion requests within 30 days.
6.4. Export
You may request an export of your data by contacting support@meetloreva.com. We will provide your data in a standard, machine-readable format within 30 days.
6.5. Opt Out of Communications
You may opt out of non-essential communications by contacting support@meetloreva.com. You cannot opt out of service-related notices (e.g., security alerts, billing notifications).
7. Data Retention
7.1. Active Accounts
We retain your data for as long as your account is active and as needed to provide the Service.
7.2. After Account Deletion
Upon account deletion, all personal data — including memories, chat history, and account information — is permanently deleted from our systems within 30 days. Backup copies may persist for up to an additional 30 days before automatic expiration.
7.3. Anonymized Data
We may retain anonymized, aggregated usage statistics that cannot be linked to your identity. This data is used for analytics and service improvement.
7.4. Legal Holds
We may retain data beyond normal retention periods when required by law or to comply with legal proceedings.
8. Cookies and Tracking
8.1. Session Cookies
We use essential session cookies to maintain your login state and provide the Service. These cookies are strictly necessary and cannot be disabled.
8.2. Analytics
We use PostHog to collect pseudonymized usage analytics — such as page views, feature usage, and masked session recordings — to understand how the Service is used and to identify areas for improvement. All text inputs and on-screen content are masked before capture; we do not record the content of your conversations or memories. We do not use third-party advertising trackers.
8.3. No Advertising
We do not display advertisements or share your data with advertising networks.
9. Children's Privacy
The Service is not intended for and may not be used by anyone under 18 years of age. You must be at least 18 years old to create an account. If you are under 18, do not use the Service or provide any personal information. We do not knowingly collect personal information from anyone under 18. If we become aware that a person under 18 has created an account or provided personal information, we will delete the account and all associated data promptly. If you believe someone under 18 has provided us with personal information, contact us at support@meetloreva.com.
10. International Users
The Service is operated from and hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to this transfer and processing.
10.1. Users in the European Economic Area (EEA), United Kingdom, and Switzerland
If you are located in the EEA, UK, or Switzerland, you have the following rights under applicable data protection law (including GDPR and UK GDPR):
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data, subject to legal exceptions.
- Right to Restriction: Request that we restrict processing of your personal data in certain circumstances.
- Right to Data Portability: Request your personal data in a structured, commonly used, machine-readable format.
- Right to Object: Object to processing of your personal data for certain purposes.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
Many of these rights are built into the Service — you can access, edit, and delete your memories and data directly through the Memory Map and Settings at any time (see Section 6). To exercise any additional rights, contact us at support@meetloreva.com. We will respond within 30 days.
Our legal basis for processing your personal data is: (a) performance of the contract to provide you the Service; (b) your consent, where applicable; and (c) our legitimate interests in maintaining and improving the Service, provided these do not override your fundamental rights.
You also have the right to lodge a complaint with your local data protection authority.
10.2. Users in Other Jurisdictions
If you are located in a jurisdiction with applicable data protection laws, we will comply with those laws to the extent they apply. The rights described in Section 6 and Section 10.1 are available to all users regardless of location.
11. California Privacy Rights
If you are a California resident, you may have rights under the California Consumer Privacy Act (CCPA/CPRA). To the extent these rights apply:
- Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you, the sources from which it was collected, the purposes for collection, and the categories of third parties with whom it was shared.
- Right to Delete: You may request deletion of your personal information, subject to certain legal exceptions (e.g., completing a transaction, detecting security incidents, complying with legal obligations).
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- No Sale or Sharing: We do not sell or share (as defined by CCPA/CPRA) your personal information for cross-context behavioral advertising.
To exercise your rights: Contact us at support@meetloreva.com with your request. We will verify your identity by confirming your account email address before processing. You may also designate an authorized agent to submit requests on your behalf — the agent must provide written authorization from you and we may still verify your identity directly.
We will respond to verified requests within 45 days. If additional time is needed, we will notify you of the extension and the reason.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before they take effect. Your continued use of the Service after changes take effect constitutes your acceptance of the updated Privacy Policy. Previous versions of this Privacy Policy will be available upon request.
Policy Version: 1.1
13. Contact Us
For questions about this Privacy Policy or your data, contact us at:
Email: support@meetloreva.com
Data Deletion Requests: support@meetloreva.com
Loreva
United States