Privacy Policy

1. Data Controller and Collection of Personal Data

Lovar-AI is responsible for processing personal data related to the use of our Services and website functionalities. We collect data provided by users as well as data automatically gathered during the use of our Services, in accordance with:

Regulation (EU) 2016/679 (GDPR)
The California Consumer Privacy Act (CCPA)
Nevada state regulations

2. Contact Information

All inquiries regarding this Privacy Policy or your data rights should be directed to:
shaowei98@gmail.com

3. Purposes and Legal Grounds for Personal Data Processing

We may process your personal data for the following purposes:

A. Use of Services:
We process data to perform a contract (Art. 6(1)(b) GDPR), to comply with legal obligations (Art. 6(1)(c) GDPR), to protect our legitimate interests, and to pursue claims.

B. Contact (Chat/Email):
We process data to respond to inquiries and to enter into contracts (Art. 6(1)(f) GDPR).

C. Marketing and Newsletter:
We process data based on our legitimate interests; consent may be withdrawn by unsubscribing.

D. Social Media:
We process data for communication and marketing purposes (Art. 6(1)(f) GDPR) – your name (or pseudonym) and photo will be visible.

E. Job Applications:
We process recruitment data; providing such data is voluntary but often necessary.

4. Types of Data Processing

We may collect and process various forms of personal data based on the functionalities you utilize:

A. Services: If you access and use our Services, we will process your identification data, including your name, surname, country and email address.

We may also automatically collect information, including:

Usage and log information, encompassing data on your activity, log files, diagnostic, crash, website, and performance logs and reports.
Subscription informations.
Locations informations, such as location name, location address, latitude and longitude, location contact details: email, phone, fax.

B. Contacting Us: When contacting us via our contact form (chat) or email, we will process your identification data, such as your name and email address, along with any other data you provide.

C. Marketing and Newsletter: Your email address will be processed if you subscribe to our newsletter or consent to marketing of our services.

D. Social Media: When you interact with our social media profiles, we may process personal data posted on your profile and other data related to our use of social media functionality.

E. Job Applications: In the case of job applications, we may process your personal data in accordance with the Labour Code and other specific laws as required by legal provisions.

5. Right to Object

Users have the right, at any time, to object to the processing of their data based on legitimate interests or for marketing purposes. In such cases, we will cease processing unless overriding grounds exist (e.g., pursuing claims).

6. Data Retention

We retain data as follows:

For the duration of the account service, until the account is deleted by the user, or until the service (application) is uninstalled.
During the term of contracts and as required by legal obligations.
For the duration of pursuing claims.
Until an objection is raised or the legitimate interests expire.
As part of dispute resolution, marketing activities, social interactions, and the recruitment process (up to 48 months or until consent is withdrawn).
Technical logs: Retained for 8 days.

7. Data recipients

Data may be transferred to service providers supporting our activities, such as:

Web hosting providers (for websites and services)
Data storage entities
ICT service providers
Social media providers (e.g., Meta Platforms Ireland Limited, Twitter Inc., Google LLC)
IT companies, law firms, auditors, and other entities that are legally required to receive data.

We use third-party services, including Heroku (Salesforce), Amazon Web Services (AWS), Fly.io, and Cloudflare, to host, secure, and deliver our applications. These services may process personal data, such as IP addresses and location information, on our behalf. For more information about how these providers handle data, please refer to their respective privacy policies: Heroku Privacy Policy, AWS Privacy Policy, Fly.io Privacy Policy, and Cloudflare Privacy Policy.

We use Gleap, a third-party customer support platform, to provide live chat functionality and assist you with your inquiries. When you use the chat feature, Gleap may process personal data, such as your name, email address, and the content of your messages. This data is processed in accordance with Gleap's privacy policy, which you can find here: Gleap Privacy Policy.

Some of the service providers we use (including Heroku, Amazon Web Services, Cloudflare, and Gleap) are based outside the European Economic Area (EEA), including in the United States. In such cases, the transfer of personal data is conducted in accordance with the requirements of the GDPR, based on the European Commission’s Standard Contractual Clauses (SCCs) or under the EU–US Data Privacy Framework (DPF) for certified entities, ensuring an adequate level of data protection.

8. Your Rights as a Data Subject

Users have the right to:

Obtain information regarding data processing
Access their data
Rectify inaccurate or incomplete data
Request deletion of data ("right to be forgotten"), subject to exceptions
Restrict processing
Request data portability
Object to data processing (including for marketing purposes)
Withdraw consent (without affecting the lawfulness of previous processing)
Lodge a complaint with a data protection authority
Request explanation and human intervention in the case of automated decision-making

We provide these services free of charge unless the requests are manifestly unfounded.

9. Information on Data Transfers Outside of the EEA

Although most data is processed within the EEA, some data may be transferred to the USA or other countries outside the EEA, in accordance with GDPR. In case of disputes, the courts in Radomsko shall have exclusive jurisdiction.

10. Automated Decision-Making, Including Profiling

In addition to cookie-based profiling, automated decisions (e.g., onboarding, personalized offers) may have legal effects. Should you disagree with such decisions, you may request explanations and human intervention.

11. Security of Your Personal Data

We implement measures to protect data against loss, destruction, unauthorized access, or disclosure; however, no method of transmission or storage guarantees 100% security. We act in accordance with EU and USA regulations.

We ensure data security through encryption:

Data transmitted is encrypted using the SSL/TLS protocol.
Data stored in our database is encrypted using the AES-256 algorithm.

We have also implemented Data Loss Prevention (DLP) strategies by:

Monitoring data flow,
Limiting access – only a minimal group of employees have access,
Logging – every access to personal data is recorded,
Conducting periodic employee training.

To further ensure the security of data stored in our database, we regularly perform backups. These backups are securely stored and may be used to restore data in the event of a system failure. Backups are retained for a specified period, and only authorized personnel have access to them.

12. Cookies

We use cookies to:

Provide and secure our Services (web/desktop)
Enhance user experience, personalization, and FAQ analysis
Remember user preferences (e.g., language)
Distinguish mobile users from desktop users
Display advertisements, offers, and promotions

We use essential, preference, statistical, marketing, and unclassified cookies. Blocking cookies may affect the functionality of the site. Removal instructions are available for popular browsers (Firefox, Opera, Internet Explorer, Chrome, Safari).

13. Information and Notice for California Residents

This section covers the collection, use, disclosure, and sale of personal data of California consumers in accordance with the CCPA and the California Privacy Rights Act. It relates to data from the previous calendar year and is updated annually.

"Do Not Track" signals are not considered.
We do not process sensitive personal data (SPI).
Data may be used for commercial purposes if consent is not withdrawn.
We do not sell data; the opt-out option ("DO NOT SELL OR SHARE MY PERSONAL INFORMATION") can be activated.

Users have the right to access, rectify, delete, and port their data. Please contact us.

14. Nevada Residents

Nevada law allows customers to "opt out" of the sale of certain personal information, known as "covered information." We do not sell covered information as defined in the law, and we have no plans to change this practice. If you wish to be notified if we change this practice, you can email us and provide your name, Nevada resident address, and email address. We will contact you if there are any changes, and you can complete your opt-out at that time. If your contact information changes, please contact us to update it. We may share your data for different purposes as explained in this Privacy Policy, which are separate from your opt-out request.

15. Links to Other Sites

Customers from Nevada may opt out of the sale of "covered data." We do not sell such data and will inform you of any changes in our practices; if your contact information changes, please update it accordingly.

16. Children's Privacy

The Service is not intended for individuals under 13 years of age. We do not knowingly collect data that could identify children; if such data is disclosed without parental consent, we will take steps to remove it.

17. Changes to this Privacy Policy

This Privacy Policy may be updated periodically. Changes will be communicated by publishing a new version on the website, with the last updated date clearly indicated at the beginning of the document.

18. Incident Response and Data Breach Notification

We have implemented an internal Incident Response Policy to promptly detect, investigate, and mitigate security incidents.

In the event of a personal data breach that poses a risk to your rights or freedoms, we will:

Immediately work to contain and eliminate the threat,
Assess the impact and affected data,
Notify the competent supervisory authority (for example, the Polish Personal Data Protection Office) within 72 hours if required by applicable law,
Inform affected users without undue delay when the breach may result in a high risk to their rights and freedoms,
Document the incident and the actions taken.

For security incidents not involving personal data, we will still investigate and take remediation measures to protect the Services and user accounts.