Privacy Policy
Last updated: March 25, 2026
This Privacy Policy describes how Lumea Technologies, Inc. ("Lumea," "we," "us," or "our") collects, uses, stores, and protects your information when you use the Polpo platform, including the website at polpo.sh, the cloud dashboard at cloud.polpo.sh, the API at api.polpo.sh, and all related services (collectively, the "Service").
By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use the Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Name and email address.
- Authentication credentials (passwords are hashed and never stored in plain text).
- Organization name (if applicable).
- Billing information (processed and stored by our payment processor; we do not store full payment card details).
1.2 Usage Data
We automatically collect information about how you interact with the Service, including:
- API request metadata (endpoints called, timestamps, response codes, latency).
- Dashboard activity (pages viewed, features used).
- CLI and SDK version and usage patterns.
- IP address, browser type, operating system, and device information.
- Referral URLs and landing pages.
1.3 Agent Configurations and Project Data
When you use the Service to deploy and run AI agents, we process and store:
- Agent definitions and configurations.
- Mission, task, and orchestration data.
- Files uploaded to project volumes.
- Execution logs and session data.
- Data stored in your project databases.
1.4 LLM API Keys (BYOK)
If you use the Bring Your Own Key (BYOK) feature, we store your LLM provider API keys. These keys are encrypted at rest using industry-standard encryption. We use your keys solely to make API calls to the specified LLM providers on your behalf during agent execution. We do not use your keys for any other purpose, and we do not share them with any third party.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service — To operate, maintain, and deliver the features and functionality of the Polpo platform.
- Account Management — To create and manage your account, authenticate your identity, and process billing.
- Communication — To send you service-related notices, security alerts, and support messages.
- Improvement — To analyze usage patterns, diagnose technical issues, and improve the Service.
- Security — To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.
- Compliance — To comply with legal obligations and enforce our Terms of Service.
We do not sell your personal information. We do not use your User Content (agent configurations, project data, execution outputs) to train machine learning models.
3. Data Storage and Security
We take the security of your data seriously and implement appropriate technical and organizational measures to protect it.
3.1 Infrastructure
- Project databases are hosted on Neon (serverless PostgreSQL), with each project receiving its own isolated database. Data is encrypted at rest and in transit.
- Agent execution occurs in isolated Daytona sandbox environments that are ephemeral and destroyed after use.
- Application data is served through Cloudflare's global network with DDoS protection and TLS encryption.
3.2 Encryption
- All data in transit is encrypted using TLS 1.2 or higher.
- All data at rest is encrypted using AES-256 or equivalent.
- LLM API keys (BYOK) are encrypted with a separate encryption key before storage.
3.3 Access Controls
Access to production systems is restricted to authorized personnel using multi-factor authentication. We follow the principle of least privilege and maintain audit logs for all administrative actions.
4. Third-Party Services
We use the following third-party services to operate the platform. Each processes data in accordance with its own privacy policy:
- Neon — Serverless PostgreSQL hosting for project databases. Data is stored in Neon's infrastructure with encryption at rest.
- Daytona — Sandbox execution environments for AI agent runs. Sandboxes are ephemeral; persistent data is stored separately.
- Upstash — Serverless Redis for caching, rate limiting, and transient data. No personally identifiable information is stored long-term.
- Stripe (via Autumn) — Payment processing and billing. We do not store full credit card numbers; all payment data is handled by Stripe in compliance with PCI DSS.
- Cloudflare — CDN, DDoS protection, and DNS for the Service infrastructure.
- Vercel — Hosting for the dashboard web application.
We do not share your personal information with third parties for their marketing purposes.
5. Data Retention
We retain your information for as long as your account is active or as needed to provide the Service. Specifically:
- Account data — Retained for the lifetime of your account plus 30 days after deletion to allow for account recovery.
- Project data — Retained for the lifetime of the project. When a project is deleted, associated databases and volumes are destroyed within 30 days.
- Execution logs — Retained for 90 days by default, configurable per project.
- Usage and analytics data — Retained in aggregated, anonymized form indefinitely for service improvement.
- Billing records — Retained as required by applicable tax and accounting laws.
After the applicable retention period, data is securely deleted or anonymized.
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
6.1 Access
You may request a copy of the personal information we hold about you. Account information and project data are accessible through the dashboard and API at any time.
6.2 Deletion
You may request deletion of your account and associated personal data. You can initiate account deletion through the dashboard settings or by contacting us at legal@lumea.dev. Upon deletion, we will remove your data in accordance with our retention policy, except where retention is required by law.
6.3 Export
You may export your data at any time using the Polpo API or CLI. We support data portability and provide tools to export your agent configurations, project data, and execution history.
6.4 Correction
You may update your account information at any time through the dashboard. If you believe any information we hold about you is inaccurate, contact us and we will correct it promptly.
6.5 Objection and Restriction
You may object to certain processing of your data or request that we restrict processing in certain circumstances, as permitted by applicable law.
To exercise any of these rights, contact us at legal@lumea.dev. We will respond to requests within 30 days.
7. Cookies and Analytics
We use cookies and similar technologies for the following purposes:
- Essential cookies — Maintain your authenticated session and remember your preferences. These are strictly necessary for the Service to function.
- Analytics — Understand how users interact with the Service so we can improve it. Analytics data is aggregated and does not identify individual users.
We do not use third-party advertising cookies or tracking pixels. We do not participate in ad networks or cross-site tracking.
You can control cookies through your browser settings. Disabling essential cookies may prevent you from using certain features of the Service.
8. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at legal@lumea.dev, and we will take steps to delete such information.
If we become aware that we have collected personal information from a child under 13 without parental consent, we will delete that information as quickly as possible.
9. International Data Transfers
Lumea Technologies, Inc. is based in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
We apply appropriate safeguards to ensure that your personal information remains protected in accordance with this Privacy Policy when transferred internationally, including the use of Standard Contractual Clauses or other approved transfer mechanisms where required by applicable law.
By using the Service, you consent to the transfer of your information to the United States and other jurisdictions as described in this section.
10. Security Incidents
In the event of a data breach that affects your personal information, we will notify you in accordance with applicable laws. Notification will include the nature of the breach, the data affected, and the steps we are taking to address it.
If you believe you have discovered a security vulnerability in the Service, please report it to legal@lumea.dev. We appreciate responsible disclosure and will work with you to address the issue.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify you via email or through a prominent notice in the Service.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. We encourage you to review this page periodically.
12. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Lumea Technologies, Inc.
Email: legal@lumea.dev
Website: polpo.sh