1. Scope & our role
This policy describes how Lossless, Inc. ("Lossless") collects, uses, shares, and protects personal information across lossless-ai.com and the Lossless apps. Third-party services you connect are governed by their own policies, linked from our subprocessors page.
Our role. For data about you as a Lossless user (account, billing, telemetry, records we generate while serving you) we act as a controller. For data you ingest from a connected source (your emails, transactions, files, rental records — which include information about other people) we act as your processor.
2. What we collect
- Account data. Email, SSO identifier, password hash if applicable, display name, preferences, MFA settings.
- Billing data. Plan, billing address, last four of card, transaction history — handled by Stripe. We do not store full card numbers.
- Connector-source data. What you authorize each Connector to read: email content + attachments, calendar events, files, financial-account data, rental-platform data (listings, reservations, guests, messages, payouts), cross-platform messages, voice transcripts, tax/accounting/legal materials you upload, chat content.
- Derived records. Normalized merchants, lease summaries, AI tags or categorizations, links between records.
- Usage data. Counts of queries, connector errors, performance metrics. Content of queries minimized.
- Device and log data. User-agent, OS version, app version, time zone, IP address, crash logs.
- Support data. Info you send when contacting support.
We do not collect: browsing history outside the Service, precise GPS, unauthorized contacts, cross-site tracking IDs, fingerprinted device IDs, advertising IDs. No third-party advertising pixels.
3. Sources
- You — signup, configuration, content uploads, support.
- Connectors — Gmail, Google Calendar, Google Drive, Plaid, Stripe, rental platforms, others on the subprocessors page.
- Authentication providers — Google, Microsoft, Apple SSO.
- Service providers — Stripe billing telemetry, ESP deliverability, APM stack traces (PII-scrubbed).
4. Why we collect it & legal bases (GDPR)
| Purpose | Categories | GDPR basis |
|---|---|---|
| Provide the Service | All | Contract (Art. 6(1)(b)) |
| Bill you | Account, billing | Contract |
| Authenticate & secure | Account, device, log | Contract; legitimate interest |
| Debug, investigate abuse, fraud | Usage, device, log | Legitimate interest |
| Transactional emails | Account | Contract; legal obligation |
| Product update emails (opt-in) | Account | Consent |
| Compliance with law | As required | Legal obligation |
| Defense of legal claims | As required | Art. 9(2)(f) |
We do not use your data to advertise to you, profile you for marketing, sell your data, or allow AI providers to train shared models on it.
5. Sensitive personal information
Depending on Connectors enabled, the Service may handle:
- Account log-in credentials (OAuth tokens; not passwords).
- Financial-account numbers and transaction history.
- Contents of your messages.
- Government identifiers like SSN last-4 where a connector provides it.
- Precise location of financial transactions.
We use sensitive PI only to provide the Service, authenticate, prevent and investigate security incidents, and comply with law. Not for marketing inference or profiling.
6. Sharing & subprocessors
- With you.
- With subprocessors under contracts restricting their use. Current list on the subprocessors page.
- With your direction — CPA, spouse, attorney, family.
- With law enforcement — only on valid legal process. We notify you unless legally prohibited.
- Corporate transaction — same protections; we notify and offer deletion before transfer.
We do not sell personal information. We do not share for cross-context behavioral advertising. (CCPA/CPRA §§1798.120 / 1798.121.)
30 days' advance notice before adding any new subprocessor.
7. AI processing
- What is sent. Only content needed for your specific request. Not OAuth tokens, not payment instruments.
- Training. Providers do not use your data to train shared models. We set per-call no-training / no-logging flags where supported.
- Retention. Zero-retention / short-retention API tiers where available. Prompt caches expire within one hour and are not used for training.
- Inferences. AI-derived inferences are personal data; all rights in §9 apply.
- Automated decisions. No solely-automated decisions producing legal or similarly significant effects on you.
8. Retention
Full schedule in retention & deletion. Summary:
- Active account: as needed.
- Standard delete: 24h primary; 30d backup.
- Instant delete: immediate primary; 7d backup; typed attestation required.
- Audit logs and billing records: 7 years.
- Legal hold: deletion suspended; you are notified.
9. Your rights
- Access — full machine-readable export.
- Correction — editable in-product; or privacy@lossless-ai.com.
- Deletion — standard or instant.
- Portability — JSON + original files.
- Objection / restriction — disconnect a Connector; restrict processing.
- Withdraw consent — without affecting prior lawful processing.
- Opt out of "sale" / "sharing" — we don't do either; default-honored.
- Limit use of SPI — California default.
- Non-discrimination.
- Appeal — reply to our response or write to privacy@lossless-ai.com. 45-day response.
10. How to exercise your rights
- Most rights in Settings → Privacy & data.
- Otherwise: privacy@lossless-ai.com from the account email.
- 45-day response; extendable once.
- We verify identity via sign-in authentication.
- Authorized agents accepted with written authorization.
11. International transfers
Default storage US-WEST1 (Google Cloud, Oregon). EU/UK customers may opt into EU-WEST3 (Frankfurt). Transfers under EU Standard Contractual Clauses and UK International Data Transfer Addendum.
12. Security
- TLS 1.3 in transit; AES-256 at rest with KMS-managed keys; per-workspace data scoping.
- Role-based access control with append-only audit log of production data access.
- MFA required before connecting financial or legal sources.
- OAuth tokens encrypted at rest with a customer master key.
- Subprocessor diligence and contractual data-protection commitments.
- Vulnerability management; security@lossless-ai.com for responsible disclosure.
13. Data of other people
Our system often contains information about people who are not Lossless users. If you are one of those people, contact privacy@lossless-ai.com. Your request first goes to our customer (the controller); binding legal requests are honored directly.
14. Cookies & local storage
Four cookies. See cookies. No analytics, no advertising.
15. Children
Not intended for users under 16. If we have collected data from a child, write to privacy@lossless-ai.com and we will delete it.
16. California rights (CCPA / CPRA)
- Categories collected: identifiers, commercial info, internet/network activity, inferences, sensitive PI (per §5).
- Sources, purposes, disclosures: §3, §4, §6.
- Sale or sharing: none.
- Right to limit use of sensitive PI: default; adjustable in Settings.
- Authorized agents: §10.
- "Do Not Sell or Share": default no. Global Privacy Control honored.
- Financial incentives: none.
17. EU/UK rights (GDPR / UK GDPR)
- Controller / processor: §1. Legal bases: §4.
- Rights: access, rectification, erasure, restriction, portability, objection, withdrawal of consent; right not to be subject to solely-automated decisions with legal effects.
- Complaint: your local DPA; UK: ICO (ico.org.uk).
- EU/UK representative: subprocessors page.
18. Breach notification
On confirmation of a personal-data breach affecting your data, we notify you in writing within 72 hours, with known facts, suspected scope, and remediation. Post-incident summary within 30 days of containment. Statutory deadlines met.
19. Changes
30 days' email notice. Prior versions in version archive. Material changes that expand data use require explicit re-consent.
20. Contact
Lossless, Inc.
548 Market Street #84301
San Francisco, CA 94104, USA
Privacy: privacy@lossless-ai.com
Security: security@lossless-ai.com
Legal: legal@lossless-ai.com
EU/UK representative: subprocessors page