Lugue← Back to Lugue

Privacy Policy

This policy explains what data Lugue collects, how we use it, and the rights you have over it. Plain English, no tricks.

Data Controller

Lugue operates as the data controller for personal data you provide. For privacy questions, data-subject requests, or concerns, contact hello@lugue.ai.

Data We Collect

  • Account email address and profile name
  • Lead data you upload, import via CSV, or sync from connected CRMs
  • Outreach drafts, research briefs, and interactions generated inside Lugue
  • Usage telemetry — credits consumed, operations run, LLM call metadata (operation name, model, token counts, duration, cost)
  • Billing details processed by Stripe (we never see or store card numbers)

How We Use It

We process your data to deliver the service: ICP scoring, outreach drafting, enrichment, research, CRM sync, and billing. We do not sell your data and do not use your content to train AI models. Anonymized, non-identifying usage telemetry is used for capacity planning and pricing analysis.

Legal Basis for Processing (GDPR)

  • Contract performance — to deliver Lugue under the terms you agreed to
  • Legitimate interest — for fraud prevention, security, and service improvement
  • Consent — for optional enrichment and research features you actively trigger

AI Processing & Transparency

Lugue uses large language models (Anthropic Claude as primary, with Groq and OpenAI as fallbacks) to generate scores, research briefs, and outreach drafts. Output is suggested content, not professional advice. Consistent with the EU AI Act (Art. 50) transparency obligations, we disclose that content labelled as drafts, analyses, or briefs inside the application is AI-generated. Your input data is transmitted to these providers only to produce the output you requested and is not retained by them for model training under their data-processing terms.

Google User Data

When you sign in with Google, we access your name, email, and profile picture solely for account creation and authentication. We do not access Gmail, Drive, Contacts, Calendar, or other Google services.

Lugue's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including Limited Use requirements.

Third-Party Processors

  • Anthropic, Groq, OpenAI — AI inference (scoring, research, drafting)
  • Serper, DuckDuckGo — web search for lead research
  • Apollo.io, Netrows, Prospeo, Hunter — contact and LinkedIn enrichment
  • Stripe — payment processing and subscription management
  • Supabase — database, authentication, storage
  • Vercel — application hosting
  • Sentry — error monitoring and error-triggered session replay
  • Upstash — rate-limit infrastructure

Each processor operates under its own published terms and data-processing addendum consistent with GDPR Art. 28.

International Data Transfers

Your data is processed by services primarily located in the United States. Where personal data of EEA, UK, or Swiss residents is transferred outside those regions, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK/Swiss equivalents offered by our processors. By using Lugue, you acknowledge these transfers.

Data Retention

We retain account and lead data while your account is active. On deletion, personal and lead data is removed within 30 days. Anonymized usage telemetry (non-identifying llm_calls rows used for capacity planning) may be retained longer. Billing records are kept for the period required by applicable tax law.

Your Rights

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct data that is wrong or incomplete
  • Erasure — delete your account in-app; we remove personal data within 30 days
  • Portability — export your lead data as CSV from the app, anytime
  • Restriction / Objection — ask us to limit processing or object to legitimate-interest use
  • Withdraw consent — for optional features, at any time, without losing access to the core service
  • Lodge a complaint — with your local data protection authority

Exercise any of these by emailing hello@lugue.ai. We respond within 30 days.

California Residents (CCPA)

If you reside in California, you have the right to know what personal information we collect and how we use it, to request deletion, to correct inaccurate data, to opt out of any sale or share of personal information (we do not sell or share your personal information), to limit the use of sensitive personal information, and to non-discrimination for exercising these rights. Exercise them by emailing hello@lugue.ai.

Children's Privacy

Lugue is a business-to-business product not directed to individuals under 18. We do not knowingly collect personal data from children. If we learn we have collected data from a child, we will delete it.

Security & Breach Notification

We use TLS in transit, encrypted storage at rest, row-level security on tenant data, and rate-limit infrastructure. No system is perfectly secure. In the event of a personal data breach affecting your information, we will notify you without undue delay and, where required, the relevant supervisory authority within 72 hours of discovery, consistent with GDPR Art. 33-34.

Cookies

We use a single Supabase authentication session cookie. No tracking, analytics, or advertising cookies.

Changes to This Policy

We may update this policy as the service evolves. Material changes are announced via email or in-app notice at least 14 days before taking effect.

Contact

Privacy questions, access requests, or data-protection concerns — hello@lugue.ai.

Last updated: April 2026

Lugue © 2026hello@lugue.ai
Privacy Policy — Lugue