Short version: We collect only what's needed to run the Service. We do not sell your data. Your generation inputs and outputs belong to you. You can request deletion at any time.
| Data | Why |
|---|---|
| Email address | Account creation, login, transactional emails (receipts, password reset) |
| Display name | Personalising your studio experience |
| Generation inputs | Sending to Claude AI to produce your output; stored in your history |
| Generation outputs | Displaying your history; improving Service reliability (not used for AI training) |
| Usage counts | Enforcing plan limits and displaying your usage |
| Plan and billing status | Unlocking paid features; stored by Stripe and mirrored in our database |
| Session tokens (localStorage) | Keeping you signed in securely without exposing tokens in URLs or cookies |
| IP address / request logs | Security, abuse prevention, and operational monitoring (Vercel infrastructure) |
We do not collect payment card details. All payment data is handled directly by Stripe under their privacy policy.
We do not use your data to train AI models. We do not send marketing emails without your explicit opt-in. We do not sell, rent, or broker your personal data to any third party.
We work with the following sub-processors to deliver the Service. Each is bound by data processing agreements or standard contractual clauses appropriate to their role:
| Service | Purpose | Data shared |
|---|---|---|
| Anthropic (Claude) | AI generation engine | Your generation prompt text. Anthropic's privacy policy applies. |
| Supabase | Authentication and database | Email, name, usage data, generation history. Stored on AWS infrastructure (us-east-1 by default). |
| Stripe | Payment processing | Email address (for Stripe customer record). Payment card details are collected and stored by Stripe directly. |
| Vercel | Hosting and edge delivery | IP address and request logs for infrastructure operation. |
Lorvy stores your authentication session token in browser localStorage, not cookies. This means your session data is not transmitted to any third party server on every request and cannot be accessed by other domains.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Supabase may set a limited session cookie for OAuth flows; this is strictly necessary for authentication and does not track your browsing activity.
Depending on your location, you may have the following rights under GDPR, CCPA, or other applicable data protection laws:
To exercise any of these rights, email info@lorvyai.com. We will respond within 30 days. We may need to verify your identity before processing your request.
We implement industry-standard security practices: all data is encrypted in transit (TLS 1.3), authentication tokens are short-lived JWTs stored in localStorage (not cookies), and our database uses row-level security policies to ensure you can only access your own data.
No method of transmission or storage is 100% secure. We will notify you promptly in the event of a data breach that affects your personal information.
Lorvy operates globally. Your data may be processed on servers located in the United States (Vercel, Supabase on AWS us-east-1) and processed by Anthropic (US). If you are in the European Economic Area, we rely on standard contractual clauses and adequacy decisions to lawfully transfer your data.
The Service is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, contact us at info@lorvyai.com and we will delete it.
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice within the Service. The effective date at the top of this page will reflect the latest update. Your continued use of the Service constitutes acceptance of the updated policy.
For privacy-related questions, data requests, or concerns, contact us at info@lorvyai.com.
For general support: info@lorvyai.com