Privacy Policy

Effective date: May 11, 2026

LESSLAB LLC (“we”, “us”) operates the Lunabot service at lunabot.ai, including the Lunabot website, web app, browser extension, and desktop app (collectively, the “Service”). This Privacy Policy describes what personal data we collect, how we use it, who we share it with, how long we keep it, and the choices you have.

This policy applies to all parts of the Service. A separate “Browser Extension” section below explains the data practices that are specific to the Lunabot browser extension distributed through the Chrome Web Store and other extension stores.

1. Data We Collect

We collect only the data necessary to operate the Service. We do not buy personal data from data brokers.

a. Account information. When you sign in with Google, we receive your email address, name, and profile picture from Google’s OAuth response, and we generate an internal user ID and an authentication token. We store these so that you can sign in and so that your chat history is tied to your account.

b. Chat content and AI inputs/outputs. When you send a message, ask the assistant to rewrite or summarize selected text, or use a built-in prompt, we receive the text you submit, any context you attach (e.g. selected text from a web page, the page title, or the page URL when you explicitly invoke an action on it), the model you chose, and the model’s response. We store this conversation history so that you can revisit it.

c. Usage and diagnostic data. When you use the Service we receive standard request metadata (IP address, user agent, timestamp, the API endpoint called, and a usage counter so we can enforce plan limits). We use server logs for security, abuse prevention, and troubleshooting. We do not run third-party analytics or error-reporting SDKs inside the browser extension itself.

d. Billing data (paid plans only). If you purchase a paid plan, payment is processed by Stripe. Stripe receives your payment instrument details directly; we do not see or store full card numbers. We store the Stripe customer ID, subscription status, plan, and billing email so that we can grant access to paid features and issue receipts.

e. Website analytics and error reporting (lunabot.ai website and web app). The lunabot.ai website and web app use Google Analytics and Google Tag Manager to measure aggregate traffic (page views, referrer, country, device class), and Sentry to collect client-side error reports (stack traces, browser version, the URL where the error occurred). These tags do not load inside the browser extension or the desktop app.

2. How We Use Your Data

  • To provide and operate the Service: authenticating you, routing your prompts to the AI model you selected, returning the response, and saving your conversation history.
  • To enforce plan limits and prevent abuse (rate limiting, fraud detection).
  • To process payments and provide customer support.
  • To send transactional messages (e.g. sign-in verification, receipts, security notices).
  • To improve the Service through aggregate, de-identified analytics of the marketing website.

We do not sell your personal data. We do not use your chat content to serve advertising. We do not use your chat content to train our own models. We do not share your data with anyone for purposes unrelated to providing or improving the Service or complying with the law.

3. Third Parties We Share Data With

We share data only with the service providers listed below, and only to the extent needed for them to perform their function. Each is contractually required to handle data on our behalf and not to use it for their own purposes.

  • AI model providers — When you send a prompt, we forward it together with any context you supply (such as selected text) to the model provider you selected so they can generate a response. Depending on which model you pick, this may be OpenAI (GPT family), Anthropic (Claude family), or Google (Gemini). These providers receive the prompt and return the response under their respective API terms; we do not enable training on customer data with these providers.
  • Google (Sign-In) — If you use Google Sign-In we exchange an OAuth token with Google to verify your identity and retrieve your basic profile.
  • Google (Analytics & Tag Manager) — Used on the lunabot.ai website and web app for aggregate traffic measurement.
  • Sentry — Used on the lunabot.ai website and web app to collect client-side error reports so we can fix bugs.
  • Stripe — Processes payments and stores card details for paid plans.
  • Hosting and infrastructure — We host the Service on commercial cloud providers (database, application servers, edge proxies, transactional email) that store data on our behalf inside their data centers.
  • Legal compliance — We may disclose data when required by law, court order, or to protect the rights, safety, or property of users or the public.

4. Browser Extension — Specific Disclosures

This section describes the data practices of the Lunabot browser extension. In compliance with the Chrome Web Store “Limited Use” policy, we affirm that our use of information received from Chrome APIs adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements.

What the extension reads from web pages. The extension runs a content script on web pages so that you can invoke the assistant from anywhere. It does not send the full content of pages you browse to our servers. Specifically:

  • The active tab’s URL and title are sent to our server when you open the assistant on a page, so we can return per-site configuration (for example, the prompt presets that are appropriate for the site you are on).
  • The text you select on a page, or the text in an input field you have focused, is read locally and is included in your request only when you explicitly invoke an action on it (e.g. clicking a prompt in the selection menu, asking the assistant to rewrite or summarize it).
  • The extension does not record keystrokes, does not capture form data you have not selected, and does not scrape page content in the background.

What is stored on your device. The extension uses chrome.storage to keep your settings (theme, language, model preference, drawer width), your sign-in token, your prompt preferences and recent prompts, your last selection, and cached configuration data retrieved from our server (model list, web config, prompt library). This data lives on your device and is sent to our server only when the extension makes an API call to operate the Service.

Network destinations. The extension communicates exclusively with https://api.lunabot.ai. It does not call AI providers directly from your browser; AI requests are proxied through our backend. It does not load third-party analytics or error-tracking SDKs.

Permissions and why we need them.

  • host_permissions for all sites and a content script that matches all URLs — required so that the assistant’s selection menu and side drawer can be invoked on any page you are on.
  • storage — to persist your settings and sign-in token on your device, as described above.
  • tabs — to know which tab is active so that the side drawer can open in the right window and apply per-site configuration.
  • scripting — to inject the assistant UI into the page when you open it.
  • contextMenus — to expose Lunabot actions in the browser’s right-click menu.

5. Data Retention

  • Account data is retained while your account is active.
  • Chat history is retained until you delete it or delete your account.
  • Server logs (request metadata) are retained for up to 90 days for security and troubleshooting.
  • Billing records are retained for the period required by applicable tax and accounting law (typically up to 7 years).

6. Your Choices and Rights

You can delete individual conversations from within the app. You can request export or deletion of your account and associated data by emailing support@lunabot.ai. Depending on where you live, you may have additional rights under GDPR, UK GDPR, or CCPA — including the right to access, correct, port, or restrict processing of your data. We will honor verified requests within the timeframes required by applicable law.

7. Security

We use HTTPS for all network traffic, store authentication tokens in scoped browser storage, and restrict access to production data to personnel who need it. No method of transmission or storage is perfectly secure, but we work to protect your data using commercially reasonable measures.

8. Children

The Service is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us and we will delete it.

9. International Transfers

We are based in the United States and our service providers may be located in the United States, the European Union, or other jurisdictions. By using the Service you understand that your data may be transferred to and processed in those countries.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes we will update the “Effective date” above and, where appropriate, notify you in the app or by email. Continued use of the Service after an update constitutes acceptance of the revised policy.