Privacy Policy

This Privacy Policy explains how Paridae UG (haftungsbeschränkt) ("we", "us", "our") collects, uses, and protects your personal data when you use Lunatic AI. We process personal data in compliance with the General Data Protection Regulation (GDPR) and applicable German data protection laws.

The controller responsible for data processing is Paridae UG (haftungsbeschränkt). For contact details and company information, please refer to our Imprint.

Data Protection Contact: Franklin Houser (contact@lunatic-ai.com)

Data you provide: When you register and use Lunatic AI, we collect the information you provide directly, including your name, email address, password (stored in hashed form), profile details (such as LinkedIn URL, headline, about text, and skills), onboarding questionnaire responses, and your preferred posting language.

Data generated through use: As you use the service, we store the content you create and interact with, including ideas, prompts, AI-generated posts, voice profiles, content plans, your edits to generated content, and LinkedIn posts imported via the sync feature.

Technical data: When you access the service, we automatically collect technical information such as your IP address, browser type and version, session data (authentication tokens, session identifiers), and date and time of access.

We process your personal data on the following legal bases:

• Contract performance (Art. 6(1)(b) GDPR): Processing necessary for the provision of our service, including account management, content generation, and profile management.
• Legitimate interest (Art. 6(1)(f) GDPR): Processing necessary for service security, fraud prevention, and service improvement.
• Consent (Art. 6(1)(a) GDPR): Where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
• Legal obligation (Art. 6(1)(c) GDPR): Processing necessary to comply with legal requirements, such as tax and accounting obligations.

We use your data for the following purposes:

• Providing and operating the Lunatic AI service
• Managing your account and authentication
• Sending transactional emails (verification, password reset, account notifications)
• Ensuring the security and integrity of the service

We use the following third-party service providers to operate Lunatic AI. Data processing agreements (DPAs) are in place with each provider where required.

5.1 Anthropic (AI Processing)

We use Anthropic's API for AI-powered content generation. When you generate content, your inputs (ideas, questionnaire responses, voice profile data) are sent to Anthropic's servers for processing. Anthropic's servers are located in the United States. A data processing agreement (DPA) is in place with Anthropic. The transfer of data to the US is conducted in accordance with Chapter V GDPR, relying on appropriate safeguards including Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework.

Provider address: Anthropic, PBC, 548 Market Street, PMB 90375, San Francisco, California 94104, United States. See Anthropic's Privacy Policy.

5.2 Hetzner (Hosting)

Our application and database are hosted on Hetzner infrastructure located in Germany. All stored data (account data, profiles, content) remains within the European Union. A data processing agreement (DPA) is in place with Hetzner.

Provider address: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. See Hetzner's Privacy Policy.

5.3 Stripe (Payment Processing)

For paid subscriptions, we use Stripe as our payment processor. Stripe processes your payment information directly. We do not store credit card numbers or bank account details on our servers. A data processing agreement (DPA) is in place with Stripe.

Provider address: Stripe Technology Company Limited (STC), One Wilton Park, Wilton Place, Dublin 2, D02 FX04, Ireland. See Stripe's Privacy Policy.

5.4 Bright Data (LinkedIn Data Retrieval)

When you initiate a LinkedIn profile or post sync, we send your LinkedIn URL to Bright Data, a third-party data provider. Bright Data retrieves publicly available information from your LinkedIn profile (such as name, headline, about text, location, skills, and avatar) and/or your public LinkedIn posts. This processing is initiated exclusively by you and only occurs when you explicitly request a sync. A data processing agreement (DPA) is in place with Bright Data. Bright Data is headquartered in Israel, which benefits from an EU adequacy decision (Commission Decision 2011/61/EU), meaning that data transfers to Israel are recognised as providing an adequate level of data protection under the GDPR.

Provider address: Bright Data Ltd., 4 Hamahshev St., Netanya 4250714, Israel. See Bright Data's Privacy Policy.

5.5 Analytics (PostHog)

We use PostHog for product analytics to understand how the service is used and to improve the user experience. PostHog tracks pageviews, feature usage patterns, and user journeys. No content data (posts, voice profiles) is sent to PostHog.

PostHog operates in two modes depending on your consent preferences:

• With consent (cookie-based): Full analytics with cross-session tracking. PostHog sets cookies to recognize returning visitors. Legal basis: Consent (Art. 6(1)(a) GDPR).
• Without consent (cookieless): Anonymous hash-based tracking. No cookies are set. PostHog uses a daily-rotating hash of technical request data (IP address, user agent) to count unique daily visitors without identifying individuals across sessions. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).

All analytics data is processed and stored on PostHog's EU servers (eu.i.posthog.com). A data processing agreement (DPA) is in place with PostHog. The data does not leave the European Union.

Provider address: PostHog, Inc., 2261 Market St., #4008, San Francisco, CA 94114, United States. See PostHog's Privacy Policy.

6.1 Essential Cookies

The following cookies are strictly necessary for the operation of the service and do not require consent:

• lunatic-ai.session_token: Maintains your authentication session (duration: 7 days).
• lunatic-ai.session_token.sig: Session cookie signature for integrity (duration: 7 days).

6.2 Analytics Cookies

With your consent, the following cookies may be set:

• ph_* (PostHog): Analytics identifier for cross-session tracking (duration: 1 year). Category: Statistics.

6.3 Cookieless Tracking

If you do not consent to analytics cookies, Lunatic AI uses PostHog's cookieless tracking mode. This mode uses a daily-rotating hash of technical request data (IP address, user agent) to count unique daily visitors. No cookies are set, and individuals cannot be identified across sessions or days.

6.4 Managing Your Preferences

When you first visit Lunatic AI, a consent banner allows you to accept or reject analytics cookies. You can change your preferences at any time by clicking the button below.

We retain your personal data for as long as your account is active or as needed to provide the service. Specifically:

• Account and profile data are retained until you delete your account.
• Content data (posts, ideas, voice profiles) are retained until you delete them individually or delete your account.
• Technical logs are retained as long as necessary for security and operational purposes.

Upon account deletion, all associated data is permanently and irreversibly deleted. Data recovery is not possible after deletion. Certain data may be retained longer where required by law (e.g., tax and accounting requirements).

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit (TLS/HTTPS)
• Encrypted storage of passwords (hashing)
• Access controls and authentication mechanisms
• Data storage within the EU (Germany) via Hetzner

Under the GDPR, you have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection to processing (Art. 21). Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. To exercise any of these rights, please contact us at contact@lunatic-ai.com. We will respond within one month as required by the GDPR.

You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your habitual residence or place of work.

Your data is primarily stored and processed within the European Union (Germany). However, certain data is transferred to third countries:

• United States (Anthropic): Content data is sent to Anthropic's API for AI processing. This transfer is protected by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.
• PostHog (EU-hosted): Analytics data is processed by PostHog, Inc. (US company) but stored exclusively on EU servers. No analytics data is transferred outside the European Union.
• Israel (Bright Data): When you initiate a LinkedIn sync, your LinkedIn URL is sent to Bright Data for retrieval of publicly available profile data and posts. Israel benefits from an EU adequacy decision (Commission Decision 2011/61/EU), ensuring an adequate level of data protection.

Lunatic AI is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that data promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The current version is always available at /privacy.

For questions or requests regarding this Privacy Policy or your personal data, please contact us at contact@lunatic-ai.com. For full company details, see our Imprint.