Privacy Policy
Effective date: February 13, 2026
This Privacy Policy explains how Lapin AI LLC ("LexPair," "we," "us") collects, uses, discloses, and protects personal data when you use our website, learning platform, and related services (the "Services").
1. Controller Information
Controller: Lapin AI LLC
Address: 643 N York St, Suite 70, Elmhurst, IL 60126
Privacy contact: salvador@possiblaw.com
2. Personal Data We Collect
- Account and authentication data: email, password (handled by Supabase Auth), and OAuth identity data (for example, Google account email/name when you choose Google sign-in).
- Profile and onboarding data: full name, role, AI experience level, goals, onboarding status, and account tier.
- Learning activity data: lesson progress, quiz attempts/scores/answers, reflections, and XP events.
- Billing and transaction data: Stripe checkout session IDs, payment status, amount/currency, Stripe customer/payment intent IDs, and account email used for billing.
- AI feature inputs/outputs: text you submit to AI-assisted evaluation features and resulting model outputs.
- Technical and usage data: authentication cookies and, when enabled, analytics/telemetry events (for example, via PostHog and Google Analytics).
3. Cookies and Similar Technologies
We use cookies and similar technologies to operate and secure the Services, and to understand usage trends.
- Strictly necessary cookies: used for authentication/session continuity (including Supabase Auth cookies) and security/traffic protection at the edge (including Cloudflare security and performance tooling).
- Analytics cookies and event tools (optional): when enabled, PostHog and/or Google Analytics may collect pseudonymous usage data (for example, pages viewed, feature usage, technical metadata, and event properties).
- Preference storage: local storage or similar browser storage may be used for user-interface preferences.
In jurisdictions requiring prior consent for non-essential cookies, we seek consent before enabling analytics cookies. You can also control cookies through browser settings, but disabling essential cookies may affect login and core functionality.
4. Why We Process Personal Data (GDPR Legal Bases)
- Contract performance (Art. 6(1)(b)): account creation, login, course delivery, progress tracking, purchases.
- Legitimate interests (Art. 6(1)(f)): platform security, abuse prevention, service improvement, and internal admin operations.
- Consent (Art. 6(1)(a)): non-essential cookies and optional analytics where required by law.
- Legal obligations (Art. 6(1)(c)): financial, tax, and compliance record-keeping.
5. AI Processing Disclosures
Certain features may send text you provide to a configured model provider (for example, Cloudflare Workers AI, OpenAI, Anthropic, Google Gemini, or a self-hosted local provider).
Do not submit confidential, privileged, export-controlled, or sensitive personal data into AI fields unless you have explicit legal authorization and technical safeguards in place.
See our AI Disclosure for additional detail.
6. Sharing and Processors
We share data only as needed with service providers, including:
- Supabase (authentication and database hosting).
- Cloudflare (hosting, edge delivery, optional AI services).
- Stripe (payment processing).
- Google OAuth (if you choose Google sign-in).
- PostHog (if enabled for telemetry/analytics).
- Configured AI model provider(s) for AI features.
7. International Data Transfers
Data may be processed outside your country. Where GDPR applies, we rely on approved transfer safeguards (such as Standard Contractual Clauses) and vendor contractual commitments.
8. Retention
- Account/profile/onboarding/progress/reflection/quiz data: retained while your account is active. We target removal or anonymization after 24 months of inactivity unless a longer period is legally required.
- Security and authentication logs: generally retained for 90 days and up to 12 months for active abuse/security investigations.
- Billing and tax records: retained for 7 years where required by accounting/tax law.
- Consent records (when used): retained for 5 years after the last consent state change.
- Backup snapshots: retained on a rolling basis for approximately 30-35 days.
9. Your GDPR Rights
Subject to applicable law, you may request access, rectification, deletion, restriction, objection, and portability of personal data, and may withdraw consent where processing relies on consent.
You also have the right to lodge a complaint with your local data protection authority.
10. Automated Decision-Making
We do not use personal data for decisions based solely on automated processing that produce legal or similarly significant effects.
11. Security
We use technical and organizational measures designed to protect data, including access controls and managed infrastructure providers. No method of transmission or storage is fully secure.
12. Children
The Services are not intended for children under 18, and we do not knowingly collect personal data from children under 18.
13. Changes to this Policy
We may update this Privacy Policy. If we make material changes, we will update the effective date and provide notice where required.
14. Contact
For privacy requests or questions, contact:
Lapin AI LLC
643 N York St, Suite 70, Elmhurst, IL 60126
salvador@possiblaw.com