← Back to Lavern

Privacy Policy

Last Updated: 20 March 2026

Lavern ("we," "us," or "our"), a limited liability company registered in Finland with its registered address at Helsinki, Finland, operates Lavern (the "Service"). This Privacy Policy explains how we collect, use, and protect your personal data.

1. Data Controller

The data controller responsible for your personal data is Lavern. You can contact our data protection contact at privacy@lavern.ai.

2. Personal Data We Collect

We may collect the following categories of personal data:

• Account data: name, email address, password (hashed), billing information
• Usage data: IP address, browser type, device information, pages visited, access times
• Communications: support inquiries, feedback, correspondence
• Documents: files you upload for analysis (processed transiently to deliver the Service; not stored beyond the active session and the retention period described in Section 7)
• Session identifiers: essential cookies for authentication and session management

3. Legal Bases for Processing (GDPR Art. 6)

We process personal data under the following legal bases:

• Contract performance (Art. 6(1)(b)): to provide and maintain the Service
• Legitimate interests (Art. 6(1)(f)): to improve the Service, prevent fraud, ensure security
• Consent (Art. 6(1)(a)): for marketing communications
• Legal obligation (Art. 6(1)(c)): to comply with applicable laws and regulations

4. How We Use Your Data

We use personal data to: (a) provide and operate the Service; (b) process transactions and send related information; (c) respond to support requests; (d) send service updates and, with your consent, marketing communications; (e) monitor and analyze usage trends; and (f) detect and prevent fraud or abuse.

5. Data Sharing

We do not sell your personal data. We may share data with:

• Service providers: the subprocessors listed below, who process data on our behalf under data processing agreements:
  • Anthropic (United States) — AI language model processing
  • Mistral AI (European Union) — AI language model processing (available as the EU Sovereign option for users who prefer EU-only processing)
  • Stripe (United States / European Union) — Payment processing
  • Resend (United States) — Transactional email delivery
  • Plausible Analytics (European Union) — Privacy-friendly website analytics (no personal data collected)
  • Netlify (United States) — Website hosting
• Legal requirements: when required by law, regulation, or legal process
• Business transfers: in connection with a merger, acquisition, or sale of assets (with notice to you)

6. International Transfers

If we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions. When you select the EU Sovereign provider option, your document content is processed exclusively within the European Union via Mistral AI.

7. Data Retention

We retain personal data for as long as necessary to fulfill the purposes described in this policy, typically the duration of your account plus 180 days. Session archives are retained for 180 days after completion. We may retain certain data longer where required by law or for legitimate business purposes.

8. Your Rights

Under applicable data protection law, you have the right to:

• Access your personal data
• Rectify inaccurate or incomplete data
• Erase your data ("right to be forgotten")
• Restrict processing in certain circumstances
• Data portability — receive your data in a structured, machine-readable format
• Object to processing based on legitimate interests
• Withdraw consent at any time (without affecting prior processing)

To exercise these rights, contact us at privacy@lavern.ai. We will respond within 30 days. You may also exercise your right to erasure and data export directly from your account settings in the My Page section.

9. Cookies

We use essential session cookies for authentication and security. We do not use tracking cookies or third-party advertising cookies. Our analytics provider (Plausible Analytics) does not use cookies and does not collect personal data. No cookie consent banner is required as we only use strictly necessary cookies.

10. Security

We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS) and at rest, access controls, password hashing (bcrypt), and regular security assessments.

11. Children

The Service is not directed at individuals under 16. We do not knowingly collect personal data from children. If we learn we have collected such data, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email or prominent notice on the Service at least 30 days before they take effect.

13. Supervisory Authority

If you are in the EEA or UK, you have the right to lodge a complaint with your local data protection supervisory authority. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman (tietosuoja.fi).

14. Contact

For privacy-related inquiries, contact us at privacy@lavern.ai or write to Lavern, Helsinki, Finland.