Privacy Policy

(Hereinafter referred to as "Larund", "we", "us", or "the Platform".)

Data Protection Officer (DPO): Under Article 37 of the GDPR, Larund is not currently required to appoint a mandatory DPO given the nature and scale of its data processing activities. For all data protection enquiries, please use the privacy contact e-mail above.

This Privacy Policy ("Policy") applies to all natural persons ("Data Subjects" or "Users") who use or interact with the Larund AI platform — including its web application (www.larund.com) and all associated API endpoints — and whose personal data is processed by Larund.

The Platform is an AI-powered productivity workspace designed for founders, entrepreneurs, and small teams. It provides an integrated AI assistant with persistent memory, task management, document editing, email and calendar management, a media creation studio, social media automation, voice interaction, payment processing, and an affiliate referral program.

This Policy has been prepared in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Hungary), and all other applicable data protection legislation.

• Personal data — any information relating to an identified or identifiable natural person.
• Processing — any operation performed on personal data (collection, storage, use, transfer, deletion, etc.).
• Data processor — a third party that processes personal data on behalf of Larund.
• Data subject / User — the natural person whose personal data is processed (registered users, visitors).
• GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council.
• Cookie — a small data file placed on the User's device.
• Integration — a connection to a third-party service supported by the Platform (e.g. Google, X/Twitter, Meta, Stripe).
• AI Memory — contextual data about the User's work environment stored with the User's prior consent to enable cross-session continuity.
• Credit — a virtual unit within the Platform used to access AI-powered services.

We base our processing activities on the following legal grounds under Article 6 GDPR:

a) Performance of a Contract — Art. 6(1)(b)

Processing necessary to create and maintain your account, deliver the Service, manage subscriptions, and perform all core platform functions.

b) Legal Obligation — Art. 6(1)(c)

Processing required to comply with applicable accounting, tax, and financial regulations (e.g. retention of Stripe transaction records).

c) Legitimate Interests — Art. 6(1)(f)

Processing for maintaining platform security, preventing abuse, improving the Service, troubleshooting, and operating the affiliate/referral programme — where such interests are not overridden by your fundamental rights and freedoms.

d) Consent — Art. 6(1)(a)

Processing based on your freely given, specific, informed, and unambiguous consent when activating optional integrations (Google Workspace, X/Twitter, Meta), enabling Voice Mode, enabling AI Memory, or receiving marketing communications. Consent can be withdrawn at any time without affecting the lawfulness of prior processing.

5.1 — Account & Identity Data

• Email address
• Password (stored exclusively as a cryptographic hash — Larund never has access to your plaintext password)
• Full name (used as display name)
• Unique user identifier (UUID, generated by Supabase)
• Account creation date and last login timestamp
• Language preference (English / Hungarian)
• Appearance setting (Light / Dark mode)

BasisPerformance of contract. Processor: Supabase, Inc. (authentication & database).

5.2 — AI Assistant & Chat Data

• Full text of messages and questions you type into the chat interface
• AI-generated responses
• Chat session ID and title
• AI model identifier used (e.g. Google Gemini, Claude, GPT, DeepSeek)
• Message timestamps
• File attachment metadata (filename, MIME type, size) and, for images, the visual content processed during the session
• Document excerpts referenced via @mention
• Web search results (when the web search feature is enabled)

BasisPerformance of contract. Processors: Supabase, Inc. (storage); OpenRouter, Inc. (AI model routing — underlying providers include Google DeepMind, Anthropic, OpenAI, DeepSeek, Mistral AI, and others depending on the model selected).

5.3 — AI Memory & Context Data

• Structured facts extracted from your conversations (e.g. business goals, team size, key decisions, communication style)
• Memory entry key, value, and category
• Timestamp of each memory entry

BasisConsent. AI Memory is an opt-in feature. All memory entries are visible, editable, and deletable by you at any time. Memory data is strictly user-isolated and never shared with other users.

5.4 — Documents & Tasks

• Text content of documents created inside the Platform
• Document name, type, and modification date
• Google Drive document IDs and metadata (only for documents you explicitly link)
• Task titles, descriptions, priority levels, due dates, recurrence settings
• Task completion status and timestamps
• Task domain/category

Basis Performance of contract.

5.5 — Google Workspace Integration (Gmail, Drive, Calendar)

• Google OAuth2 access token and refresh token (stored with AES-256-GCM encryption)
• Gmail read, compose, and send permissions: gmail.readonly · gmail.compose · gmail.send
• Inbox message metadata (sender, subject, date, snippet)
• AI-generated email draft content and status
• Google Drive file identifiers and content (only for files you open or create through the Platform — drive.file scope)
• Google Calendar events: title, time, location, description
• AI-suggested or AI-created calendar events

BasisConsent (revocable at any time via Settings → Connections → Disconnect). Processor:Google LLC. Google's own Privacy Policy also applies to your Google account data.

5.6 — X (Twitter) Integration

• X OAuth2 access token and (if applicable) refresh token (AES-256-GCM encrypted)
• X/Twitter user ID and username
• Authorised scopes: tweet.read · tweet.write · users.read
• AI-drafted and published tweet content
• Tweet analytics (likes, retweets, replies, impressions)
• Scheduled post data (content, scheduled publish time, status)
• API usage logs (operation type, credit cost, timestamp)

BasisConsent (revocable at any time). Processor: X Corp.

5.7 — Meta (Facebook) Integration

• Meta OAuth2 access token (AES-256-GCM encrypted)
• Meta user ID, display name, email address, and profile picture URL
• Authorised scopes: public_profile · email

BasisConsent. Processor: Meta Platforms, Inc.

5.8 — Voice Mode (Speech Interaction)

• Microphone audio recording — processed in real time for transcription only; not stored permanently
• Transcribed text (prompt) — stored as a chat message in your conversation history
• Text-to-speech (TTS) audio output — streamed for playback; not stored permanently
• Voice/TTS model preference settings

BasisConsent (you must manually activate Voice Mode and grant microphone permission in your browser). Processors: OpenAI, LLC (speech-to-text via Whisper; TTS synthesis — via OpenRouter or directly); the relevant LLM provider for conversation.

Audio recordings are not retained. Only the transcribed text appears in your chat history and is governed by section 5.2.

5.9 — Payment & Subscription Data (Stripe)

• Stripe-generated customer ID (stripe_customer_id)
• Subscription ID and status (active, expired, cancelled)
• Subscription period start and end dates
• Transaction amounts and currency
• Stripe webhook event payloads (payment success/failure, subscription update/cancellation)

BasisPerformance of contract (subscription management) · Legal obligation (accounting retention). Processor: Stripe, Inc.

5.10 — Credits & Usage Data

• Current credit balance
• Daily message count and daily limit (for free-tier users)
• Credit usage log per operation (AI chat, image/video generation, X/Twitter API calls, voice transcription)
• OpenRouter API key (AES-256-GCM encrypted, only if you supply your own key — BYOK mode)

Basis Performance of contract · Legitimate interests (abuse prevention).

5.11 — Affiliate / Referral Programme

• Unique referral code (up to 10 characters)
• Referring user ID and referred user ID
• Referral and conversion timestamps
• Total number of invitations sent
• Referral cookie (max. 30 days, stored in-browser to attribute sign-ups to the referrer)
• Anonymised visit statistics for affiliate links

Basis Legitimate interests (operating the referral programme).

5.12 — Scheduled Tasks & Automation

• Scheduled AI task content (e.g. text of a scheduled tweet)
• Scheduling timestamps and recurrence patterns
• Execution status (pending, success, failed)
• Execution logs (run time, output, error messages)

Basis Performance of contract.

5.13 — Technical & Logging Data

• IP address (in authentication and security logs)
• Browser type and version (User-Agent header)
• Operating system type
• Device type (desktop, mobile, tablet)
• URLs of pages visited and visit timestamps
• HTTP request/response status codes
• Error messages and server-side log entries

Basis Legitimate interests (security & abuse prevention). Retained for 90 days, then automatically deleted.

Larund shares personal data with third parties only to the extent necessary to operate the Service. All processors are bound by Data Processing Agreements (DPAs) ensuring data is used solely for the specified purpose.

We may disclose personal data to law enforcement or courts only where required by a binding legal obligation, court order, or governmental request.

We never sell your personal data to any third party.

Most of our processors (Supabase, Google, Stripe, OpenRouter, OpenAI, X Corp., Meta) are headquartered in the United States, meaning your data may be transferred outside the European Economic Area (EEA). We rely on one or more of the following safeguards:

• EU–US Data Privacy Framework (DPF): Where the processor is certified under the DPF, or an EU adequacy decision applies to their country.
• Standard Contractual Clauses (SCCs): European Commission-approved clauses incorporated into our Data Processing Agreements.
• Binding Corporate Rules (BCRs): Where applicable for processors with approved intra-group transfer mechanisms.

For details of the safeguards applied by each processor, please refer to their respective privacy documentation.

We retain personal data only for as long as necessary for the stated processing purpose or as required by law.

After the applicable retention period, data is irreversibly deleted or anonymised.

Under Chapter III of the GDPR, you have the following rights regarding your personal data. To exercise any of them, email info.arsenaillc@gmail.com with the subject line "Data Subject Request". We will respond within 30 days (extendable to 60 days for complex requests).

9.1 — Right to Information (Art. 13–14)

This Policy fulfils our obligation to inform you. It is always accessible through the Platform.

9.2 — Right of Access (Art. 15)

You may request confirmation of whether we process your personal data, and if so, obtain a copy of that data and information about how it is processed.

9.3 — Right to Rectification (Art. 16)

If your data is inaccurate or incomplete, you may request immediate correction. Most profile data can be updated directly in Profile Settings.

9.4 — Right to Erasure / Right to be Forgotten (Art. 17)

You may request deletion of your personal data if the processing purpose has ceased, you have withdrawn consent, or the processing was unlawful. Exceptions apply where retention is legally mandated (e.g. accounting records). You can initiate full account deletion from Settings → Account Management or by emailing us.

9.5 — Right to Restriction (Art. 18)

You may request that we restrict processing of your data where you contest its accuracy (pending verification), the processing is unlawful but you prefer restriction to deletion, or you need the data for a legal claim despite our processing having ended.

9.6 — Right to Data Portability (Art. 20)

Where processing is based on consent or contract and carried out by automated means, you may receive your personal data in a structured, machine-readable format (JSON/CSV) and transmit it to another controller.

9.7 — Right to Object (Art. 21)

You may object at any time to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

9.8 — Rights re Automated Decision-Making (Art. 22)

Larund does not make decisions about you solely by automated means that produce legal or similarly significant effects (e.g. automated credit scoring). AI assistant suggestions always require your judgment and action.

The Platform does not use third-party advertising cookies, behavioural tracking cookies, or third-party analytics cookies (e.g. Google Analytics).

You may disable or delete cookies through your browser settings. Disabling essential cookies will prevent you from logging in and using the Platform.

We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, alteration, or disclosure.

Encryption

• In transit: HTTPS/TLS 1.2 or higher on all endpoints
• OAuth tokens (Google, X/Twitter, Meta): AES-256-GCM encryption at rest; encryption keys stored as server-side environment variables
• Passwords: bcrypt hashing via Supabase Auth (we never store or access plaintext passwords)
• Database: Supabase PostgreSQL with built-in encryption at rest

Access Control

• Supabase Row Level Security (RLS) enforced on every database table — users can access only their own data
• Internal admin access is role-scoped and limited to the minimum required
• Sensitive operations (payments, token exchange) are performed server-side only — never in client-side code

Data Breach Response

In the event of a personal data breach, Larund will notify the competent supervisory authority (NAIH) within 72 hours as required by GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, you will also be notified without undue delay (GDPR Article 34).

Despite our best efforts, no internet-based transmission is 100% secure. Please keep your password confidential and contact us immediately if you suspect any unauthorised account activity.

The Larund Platform is intended for users aged 16 years or older. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has registered, we will delete their account immediately.

If you are a parent or legal guardian and believe your child has registered on the Platform, please contact us at info.arsenaillc@gmail.com.

We reserve the right to update this Policy at any time. For material changes — such as the introduction of new data categories, new processors, or a change of legal basis — we will notify registered users by email at least 30 days before the changes take effect.

The current version of this Policy is always available in Settings → Legal on the Platform and at larund.com/privacy. The effective date of the latest version is shown at the top of this page. Continued use of the Platform after the effective date of a revised Policy constitutes acceptance of the revised terms.