Privacy Policy
Lufios Inc. ("Lufios", "we", or "the company") considers protecting the personal data of customers and users of the Lufios platform to be one of our most important responsibilities. This Privacy Policy explains how your personal data is collected, processed, stored, and protected. Lufios Teknoloji A.S. is planned to be established for operations in Turkey; all provisions of this policy will apply equally to Lufios Teknoloji A.S.
1. Data Controller
The legal entity acting as data controller with respect to your personal data:
Lufios Inc.
Email: security@lufios.com
For our enterprise customers (B2B), the customer organization acts as the data controller and Lufios acts as the data processor. In such cases, data processing conditions are governed by a separate Data Processing Agreement (DPA).
2. Personal Data Collected
The following categories of personal data may be collected during use of the Lufios platform:
- Identity information: Name, surname, email address, password (stored as a hash)
- Contact information: Email address, phone number (optional)
- Usage data: Session information, platform interaction records, feature usage statistics
- Technical data: IP address, browser type, operating system, device information, cookie data
- Content data: Chat messages created on the platform, uploaded files, AI interaction history
- Connection data: Data accessed through third-party integrations (Gmail, Outlook, Google Drive, etc.), only when explicitly authorized by the user
3. Purposes of Data Processing
Your personal data is processed for the following purposes:
- Providing and maintaining Lufios platform services
- Creating, authenticating, and managing user accounts
- Operating AI-powered features (chat, analysis, reporting, automation)
- Customer support and technical troubleshooting
- Ensuring platform security, detecting and preventing misuse
- Fulfilling legal obligations
- Improving service quality and performance analytics (using anonymous and aggregated data)
4. Legal Basis for Data Processing
Under KVKK, your personal data is processed based on the following legal grounds:
- Performance of contract: Data processing necessary for the delivery of platform services
- Legitimate interest: Security, fraud prevention, and service improvement
- Legal obligation: Tax, accounting, and regulatory requirements
- Explicit consent: Non-essential data processing activities and third-party integration authorizations
The same legal bases apply under GDPR (Article 6(1)(a), (b), (c), (f)).
5. AI and Data Usage
Lufios is an AI platform, and we have specific data usage commitments in this regard:
- Customer data is never used to train general AI models under any circumstances
- Each customer's AI interactions are fully isolated; no data is shared between customers
- AI inputs and outputs are logged for audit purposes
- AI-generated content belongs to the customer
- Data sent to third-party AI providers (Google Vertex AI) is subject to the provider's data processing policies, and these providers also commit to not using data for model training
6. Data Retention and Deletion
Your personal data is retained for the duration required by the processing purpose:
- Active account data: Retained while the account is active
- Chat history and files: Deleted according to the retention policy set by the customer or upon account closure
- Audit records: Retained for a specified period under legal obligations
- Backup data: Purged from backups within a maximum of 30 days after production data is deleted
When you close your account or submit a deletion request, your personal data is permanently deleted within 30 days, except for data subject to legal retention obligations.
7. Data Sharing and Transfer
Your personal data may be shared with third parties in the following situations:
- Infrastructure providers: Google Cloud Platform (GCP), data hosting and processing infrastructure
- AI providers: Google Vertex AI, AI model calls (data is not used for model training)
- Legal requirement: Upon court order, legal regulation, or request from authorized public authorities
- Business partners: Only partners essential for service delivery and bound by confidentiality agreements
International data transfers: The platform infrastructure is hosted on Google Cloud Platform. Data may be stored in US or European regions based on customer preference. International data transfers are conducted in compliance with safeguards under KVKK and GDPR (Standard Contractual Clauses or adequacy decisions).
8. Data Security
We implement the following technical and administrative measures to ensure the security of your personal data:
- TLS 1.2+ encryption in transit
- Platform-level encryption at rest (AES-256)
- Role-based access control (RBAC) and least-privilege principle
- Multi-factor authentication (for administrative access)
- Regular security scans and dependency audits
- Access audit logs and immutable logging infrastructure
- Full data isolation between customers (multi-tenant architecture)
9. Cookie Policy
The Lufios platform uses the following types of cookies:
- Essential cookies: Authentication, session management, and security (CSRF protection). These cookies are required for the platform to function and cannot be disabled.
- Functional cookies: Language preference and user interface settings. These cookies are used to improve user experience.
Lufios does not use third-party cookies for advertising or tracking purposes.
10. User Rights
Under KVKK and GDPR, you have the following rights:
- Right to information: Learn whether your personal data is being processed
- Right of access: Request access to your processed personal data
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data (right to be forgotten)
- Right to restrict processing: Request restriction of data processing under certain conditions
- Right to data portability: Receive your data in a structured, commonly used, and machine-readable format
- Right to object: Object to data processing based on legitimate interest
- Automated decision-making: Right not to be subject to decisions based solely on automated processing
To exercise these rights, you may contact security@lufios.com. Requests are responded to within 30 days at the latest.
You retain the right to file a complaint with the Personal Data Protection Board under KVKK, or with the relevant EU data protection authority under GDPR.
11. Children's Privacy
The Lufios platform is designed for enterprise use and is not directed at individuals under the age of 18. We do not knowingly collect personal data from individuals under 18. If we become aware of such a situation, the relevant data is deleted immediately.
12. Policy Changes
We may update this Privacy Policy from time to time. When significant changes are made, notification is provided through the platform or via email. The updated version of the policy is published on this page and the "Last updated" date is revised.
13. Contact
For questions or requests regarding privacy:
Lufios Inc.
Email: security@lufios.com