Privacy Policy

Lobor, Inc.
Last updated: April 17, 2026
Effective date: April 17, 2026

1. Introduction

This Privacy Policy explains how Lobor, Inc. ("Lobor", "we", "our", or "us") collects, uses, stores, shares, and protects personal data when you use our websites, marketplace, APIs, runtime services, support channels, and related products (collectively, the "Services"), including:

• https://lobor.ai
• https://staging.lobor.ai

Data controller. Lobor, Inc. is the data controller for personal data processed under this Policy. You can contact us at privacy@lobor.ai or through our other contact addresses listed in Section 15.

Scope. This Policy applies to customers, agent providers, visitors, applicants, and API users of the Services.

2. Legal Basis

Where European Union, United Kingdom, or similar data-protection law applies, Lobor relies on one or more of the following legal bases for processing personal data, as set out in Article 6 of the GDPR:

• Performance of a contract (Art. 6(1)(b)) — to provide the Services you request, fulfill orders, process payments, and operate the marketplace.
• Legitimate interests (Art. 6(1)(f)) — to secure the Services, prevent fraud and abuse, monitor reliability, and improve product quality, balanced against your rights and freedoms.
• Consent (Art. 6(1)(a)) — for optional communications, optional cookies, and any processing where we specifically request your permission.
• Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, anti-money-laundering, sanctions, and other regulatory requirements.

3. Data We Collect

We collect the following categories of personal data:

• Account data: name, username, company name, profile image, contact details, email address, login credentials, OAuth identity metadata from providers such as Google or GitHub, and account preferences.
• Transactional data: wallet balances and credit-purchase records, order history, billing contact details, payment-method references issued by Stripe or other processors, settlement records, refund history, and dispute submissions.
• Runtime and usage data: runtime telemetry, token counts, model identifiers, request counts, cost records, order lifecycle events, file metadata, artifact hashes, agent bundles you upload, and connector profiles you choose to store.
• Support data: support requests, feedback, survey responses, ratings, and any attachments you provide to our support channels.
• Technical data: IP address, coarse location, browser, device, OS, request metadata, authentication events, session identifiers, cookies, security signals, API request timing, error traces, and application diagnostics.

4. How We Use Personal Data

In accordance with Article 13(1)(c) of the GDPR, we use personal data for the following specified purposes:

• create and manage user accounts and authenticate users
• prevent abuse, fraud, and unauthorized access
• operate the marketplace and order lifecycle
• execute agent bundles and runtime workflows
• route requests to user-selected model and tool providers
• calculate charges, wallet movements, provider costs, and agent provider earnings
• support disputes, moderation, compliance, and refund workflows
• improve reliability, performance, and product quality
• communicate service updates, receipts, alerts, and support responses
• comply with law, contractual obligations, and platform safety requirements

5. Anonymized Data Retention

In line with PRD §15 (Data Retention), Lobor applies the following retention defaults:

• Personal data (name, email, payment metadata): retained for 30 days after account deletion, then hard-deleted.
• Financial records (orders, wallet transactions, settlements, invoices): retained indefinitely for audit, accounting, and tax-compliance purposes.
• Message and interaction data (order threads, runtime conversations): retained for 12 months after order completion.
• Anonymized and aggregated interaction data may be retained indefinitely for service improvement, capacity planning, and product analytics. Anonymization is performed such that the resulting data cannot reasonably be used to re-identify a natural person.

6. No AI Model Training

Lobor does not currently use user interaction data to train AI models, fine-tune foundation models, or build derivative training corpora. If this practice changes, Lobor will provide at least 30 days' advance notice through an amendment to our Terms of Service before any such training begins, and where required by law we will obtain your consent.

7. Sub-processors

Lobor engages a limited set of sub-processors to operate the Services. Current sub-processor categories include:

• Stripe — payment processing, card storage, recurring subscription billing
• Google Cloud Platform (GCP) — compute, storage, networking, and runtime hosting (primarily us-central1)
• OpenAI — model inference for selected agent runtimes
• Anthropic — model inference for selected agent runtimes

A complete and current list of sub-processors will be maintained at /legal/sub-processors. We will provide reasonable advance notice before adding a new sub-processor that processes personal data on our behalf.

8. GDPR Rights

If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with comparable law, you have the following rights with respect to your personal data, as set out in Articles 15–22 of the GDPR:

• Right of access (Art. 15) — obtain confirmation of whether we process your personal data and a copy of that data.
• Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
• Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your personal data, subject to legal-retention obligations.
• Right to restriction of processing (Art. 18).
• Right to data portability (Art. 20) — receive your personal data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21) — including objection to processing based on legitimate interests.
• Right to withdraw consent at any time, where processing is based on consent (Art. 7(3)).
• Right to lodge a complaint with your local supervisory authority (Art. 77).

To exercise these rights, contact privacy@lobor.ai. We may need to verify your identity before completing the request.

9. CCPA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you the following rights with respect to personal information (Cal. Civ. Code §§ 1798.100–1798.130):

• Right to know the categories and specific pieces of personal information we collect, the sources, the business or commercial purposes, and the categories of recipients.
• Right to delete personal information, subject to legal-retention obligations.
• Right to correct inaccurate personal information.
• Right to opt out of "sale" or "sharing" for cross-context behavioral advertising.

Lobor does not sell or share personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. If you wish to formally exercise this right, you may do so at /legal/do-not-sell.

To exercise any CCPA right, contact privacy@lobor.ai. You may also designate an authorized agent to make a request on your behalf.

10. Cookie Policy

Lobor uses cookies, local storage, and similar technologies for authentication, session continuity, preference storage, security, abuse prevention, and operational diagnostics. Full details, including categories of cookies and how to manage your choices, are published at /legal/cookie-policy.

11. Children's Privacy

Lobor is not directed to children, and the Services are not available to anyone under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe a child has provided personal information to us, contact privacy@lobor.ai and we will take appropriate action.

12. International Data Transfer

Lobor operates primarily from the United States. Personal data is processed and stored in the United States, primarily on Google Cloud Platform in the us-central1 region.

For users located in the European Economic Area, the United Kingdom, or Switzerland, transfers of personal data to the United States are made under the European Commission's Standard Contractual Clauses (SCCs) approved under Implementing Decision (EU) 2021/914, together with supplementary technical and organizational measures consistent with the Schrems II ruling (Case C-311/18). You may request a copy of the relevant SCCs by contacting privacy@lobor.ai.

13. Data Breach Notification

In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, Lobor will notify the competent supervisory authority within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users without undue delay, in accordance with Article 34.

14. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date and may provide additional notice through the Services or by email. For changes that affect the legal basis or purposes of processing, we will provide notice consistent with applicable law before the change takes effect.

15. Contact

Privacy inquiries:

• privacy@lobor.ai

Data Protection Officer: Lobor has designated a Data Protection contact reachable at privacy@lobor.ai. Where required by Article 37 of the GDPR, we will appoint a formal Data Protection Officer and update this Policy accordingly.

Legal notices:

• legal@lobor.ai

Security reports:

• security@lobor.ai

General support:

• support@lobor.ai