Privacy Policy
Last updated: 29 April 2026
Effective date: 28 April 2026
This Privacy Policy explains how CARREDASH SAS ("Lunem", "we", "us", or "our") collects, uses, shares, and protects personal data in connection with the website https://lunem.ai (the "Site") and the application https://app.lunem.ai (the "Application", together with the Site, the "Service").
We comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the French Data Protection Act (Loi n° 78-17 du 6 janvier 1978 modifiée).
1. Data Controller
The data controller for the personal data processed in connection with the Service is:
CARREDASH SAS
229 Rue Saint-Honoré, 75001 Paris, France
RCS Paris 983 657 636 — VAT FR23983657636
Privacy contact: contact@lunem.ai
We have not appointed a Data Protection Officer (DPO) as we are not required to do so under Article 37 GDPR. For any privacy-related question, please contact us at the address above.
2. Scope of This Policy
This Policy covers personal data we process as a controller — for example, the data of Users who create an Account, visitors of the Site, and our prospects and customers.
When you, as a customer, use the Service to process personal data of third parties (for example, contacts you target through outreach features), you act as controller and we act as processor on your behalf. That processing is governed by Article 28 GDPR, and a separate Data Processing Agreement may be entered into between us upon written request. Please contact contact@lunem.ai.
3. Data We Collect
3.1 Data You Provide
| Category | Examples |
|---|---|
| Identification & contact | Email address, name, password (hashed), authentication identifiers (e.g., Google OAuth ID). |
| Workspace & brand data | Workspace name, brand domain, brand description, language, country, competitors, content strategy, onboarding inputs. |
| Billing data | Stripe customer ID, subscription plan, billing period, transaction history. Full card data is collected and stored by Stripe; we do not store full card numbers. |
| Integration credentials | API keys and OAuth tokens for connected services (Google, Peec, Sanity), encrypted at rest. |
| User-generated content | Prompts, instructions, chat messages, uploaded images, articles, video scripts, outreach drafts and contact lists. |
| Communications | Messages you send to support, feedback, survey responses. |
3.2 Data Collected Automatically
| Category | Examples |
|---|---|
| Account activity | Sign-in events, action history, status of generated content, saved actions/bookmarks, audit log of credit consumption. |
| Technical data | IP address, browser type, device type, operating system, language, time zone, referrer URL, server logs. |
| Cookies & local storage | Authentication session cookies (managed by Supabase), a theme preference stored in your browser's localStorage (7aeo:theme:v1). See Section 9. |
3.3 Data from Third Parties
When you connect a third-party service (e.g., Google Search Console, Peec, Sanity), we receive data from that service within the scope of the permissions you grant — for example, search analytics, brand visibility metrics, or content publishing endpoints.
We may also receive limited business contact data from optional lead enrichment providers (e.g., Apollo.io) when you use outreach features that rely on them.
3.4 Sensitive Data
We do not intentionally collect special categories of personal data under Article 9 GDPR (such as health data, racial or ethnic origin, political opinions, religious beliefs, biometric data). Please do not submit such data to the Service.
4. Why We Process Your Data and Legal Basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Creating and operating your Account, providing the Service, executing actions you trigger. | Performance of a contract (Art. 6(1)(b)). |
| Processing payments, managing subscriptions, issuing invoices, recovering unpaid amounts. | Performance of a contract; legal obligation (accounting and tax law). |
| Sending service communications (transactional emails, security alerts, billing notices, product updates). | Performance of a contract; legitimate interest in keeping you informed. |
| Providing customer support. | Performance of a contract; legitimate interest. |
| Improving the Service, troubleshooting, monitoring usage, ensuring security and preventing abuse. | Legitimate interest (Art. 6(1)(f)) in operating and securing our Service. |
| Sending marketing communications about our own products to existing customers. | Legitimate interest, with the right to opt out at any time (and consent where required by ePrivacy law). |
| Sending marketing communications to prospects. | Consent (Art. 6(1)(a)) where required, or legitimate interest in B2B contexts permitted by the CNIL. |
| Complying with legal obligations (tax, accounting, responses to authorities). | Legal obligation (Art. 6(1)(c)). |
| Defending or asserting legal claims. | Legitimate interest. |
You may withdraw any consent at any time without affecting the lawfulness of past processing.
5. AI Processing — Important Disclosures
To deliver the Service, we send Content you submit to third-party AI providers. The current providers include Anthropic and OpenAI (text generation), and HeyGen, ElevenLabs, and Captions (video and voice generation). We have selected providers whose terms protect your data:
- Anthropic does not use Service inputs or outputs to train its foundation models when accessed via its API under our agreement. Anthropic processes data to provide its API service and may retain it for a limited period for trust-and-safety, abuse prevention, and legal compliance purposes, in accordance with its own privacy practices.
- OpenAI does not use API inputs or outputs to train its models by default under its API data usage policies. OpenAI processes data to provide its API service and may retain it for safety, security, and legal compliance purposes, in accordance with its own privacy practices.
- The other AI providers process the data we send to them solely to generate the requested output, in accordance with their respective contractual and privacy commitments. We restrict the data we send to what is strictly necessary to perform the requested action.
You are responsible for not submitting personal data to AI features beyond what is necessary, and for not submitting sensitive personal data at all.
6. Sharing of Personal Data
We do not sell personal data. We share personal data only with the following categories of recipients:
6.1 Sub-Processors
| Sub-processor | Role | Location | Data |
|---|---|---|---|
| Anthropic, PBC | AI agent and content generation. | United States | Prompts, chat messages, workspace context, tool results. |
| OpenAI, LLC | AI agent and content generation. | United States | Prompts, chat messages, workspace context, tool results. |
| HeyGen, Inc. | Generation of AI avatars and video content for social videos. | United States | Video script content, brand parameters. |
| ElevenLabs, Inc. | Generation of AI voiceovers for video content. | United States | Voice script content, brand parameters. |
| Captions, Inc. (Mirage) | Generation of AI video content. | United States | Video parameters, script content. |
| Stripe Payments Europe, Limited | Payment processing and subscription management. | Ireland (EU); group entities in the United States. | Email, billing details, payment data. |
| Supabase, Inc. | Database, authentication, file storage. | United States (with EU data region available). | All Account, Workspace, and content data. |
| Vercel, Inc. | Application hosting and edge delivery. | United States, with global edge network. | Request logs, runtime data. |
| n8n GmbH | Internal workflow automation for content generation. | Germany / European Economic Area. | Workspace ID, brand data, article parameters. |
| Peec AI | LLM brand visibility monitoring. | European Economic Area. | Workspace UUID, brand and competitor queries. |
| Google LLC | Search Console (when you connect it). | United States. | OAuth tokens, GSC property data you authorize. |
| Sanity.io | CMS publishing (when you connect it). | United States / EEA. | Article content you choose to publish. |
| Resend, Inc. | Transactional email delivery. | United States. | Email address, message content. |
| Apollo.io | Optional lead enrichment for outreach features. | United States. | Domain or company information you query. |
| Zernio (zernio.com) | Social accounts management and OAuth. | Spain (European Union). | OAuth tokens and social account data you authorize. |
| Napkin AI (napkin.ai) | Schema design and visualization. | United States. | Schema and diagram content you submit. |
We select sub-processors that publish data protection terms appropriate to the nature of their service, including, where applicable, GDPR-compliant data processing terms, technical and organizational security measures, and Standard Contractual Clauses for international transfers. The processing of your data by these sub-processors is governed by their own published terms.
6.2 Other Recipients
- Authorities and courts, where required by law or to defend our rights.
- Professional advisors (lawyers, accountants, auditors) under confidentiality obligations.
- A successor entity in the event of a merger, acquisition, restructuring, or sale of assets, in which case you will be informed.
7. International Transfers
Some sub-processors are located outside the European Economic Area, including in the United States. When personal data is transferred outside the EEA, the safeguards under Chapter V GDPR apply to those transfers through the data protection terms published by the relevant sub-processors, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission, as incorporated in the data processing terms of the relevant sub-processor;
- adequacy decisions where applicable (e.g., the EU–U.S. Data Privacy Framework, where the recipient is certified);
- supplementary technical measures published by the sub-processor where applicable.
You may consult the data protection terms and transfer mechanisms of each sub-processor on its respective website. For any question, please contact contact@lunem.ai.
8. Data Retention
| Data | Retention period |
|---|---|
| Account and workspace data | For the duration of your Account, plus a reasonable archival period after deletion (typically up to 90 days in backups). |
| Generated content (articles, videos, action cards) | Until you delete the content, your Workspace, or your Account. |
| Credits ledger | Retained on an append-only basis for the duration of the Account, then archived for the period required for billing integrity, accounting, and audit (up to 10 years under French commercial law). |
| Billing and tax records | 10 years from the end of the fiscal year (Article L.123-22 of the French Commercial Code). |
| Free Trial Credits | 1 year from the date of grant; after expiry, the corresponding ledger entry is retained for billing integrity. |
| Server logs and security logs | Up to 12 months. |
| Marketing data (prospects) | Up to 3 years from the last contact, unless you object earlier. |
| Support communications | Up to 3 years from the last interaction. |
Where the law requires a longer retention period, we will comply with that requirement.
9. Cookies and Local Storage
The Service uses:
- Strictly necessary cookies and tokens to maintain your authentication session and security (managed by Supabase). These do not require consent.
- localStorage to remember your interface theme preference (7aeo:theme:v1). This data stays on your device and is not transmitted to our servers.
We use Vercel Analytics and Vercel Speed Insights on the Site to measure page-view counts and Core Web Vitals performance metrics. These tools do not use cookies, do not fingerprint individual visitors, and do not collect personally identifiable information — they rely solely on anonymised, aggregated request metadata (country, referrer, device type, page path). No consent is required for this processing under CNIL guidance. We do not use advertising or third-party analytics cookies. If we introduce any non-essential cookie in the future, we will request your consent through a cookie banner in compliance with the CNIL guidelines.
10. Security
We implement technical and organizational measures appropriate to the risks of processing, including:
- TLS encryption for all data in transit;
- AES-256-GCM encryption of integration credentials at rest;
- Row-Level Security (RLS) on the database — Users can access only their Workspace's data;
- HMAC-SHA256 signature verification of payment webhooks;
- Bearer-token authentication of internal automation webhooks;
- Email-allowlist gating of administrative access;
- Logical separation of environments and least-privilege access controls;
- Backups and incident response procedures.
No system is perfectly secure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours where required, and inform you when the breach is likely to result in a high risk.
11. Your Rights
Subject to the conditions of the GDPR, you have the right to:
- access your personal data and obtain a copy (Art. 15);
- rectify inaccurate or incomplete data (Art. 16);
- erase your data ("right to be forgotten") (Art. 17);
- restrict the processing of your data (Art. 18);
- portability — receive your data in a structured, machine-readable format and transmit it to another controller (Art. 20);
- object to processing based on legitimate interest, including direct marketing (Art. 21);
- withdraw consent at any time, where processing is based on consent;
- define directives regarding the fate of your data after your death under French law (Art. 85 of the French Data Protection Act).
You also have the right to lodge a complaint with the French data protection authority:
Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
www.cnil.fr
We encourage you to contact us first at contact@lunem.ai so that we can address your concerns directly.
How to exercise your rights
Send a request to contact@lunem.ai from the email address associated with your Account. We may ask for additional information to verify your identity. We will respond within one (1) month, extendable by two (2) further months for complex requests.
Some rights are not absolute: for example, we may not be able to delete data we are required to retain by law (e.g., billing records).
12. Automated Decision-Making
We do not use your personal data to take decisions producing legal or similarly significant effects on you based solely on automated processing within the meaning of Article 22 GDPR. AI features generate suggestions and Content for your review; the decision whether to publish or act on them remains yours.
13. Children
The Service is intended for business use and is not directed to individuals under 18. We do not knowingly collect personal data from children. If you believe we have, please contact us at contact@lunem.ai and we will delete it.
14. Changes to This Policy
We may update this Policy from time to time. The "Last updated" date at the top reflects the current version. If we make material changes, we will notify you by email or through the Service before they take effect.
15. Contact
For any question about this Privacy Policy or our data practices:
CARREDASH SAS — Privacy
229 Rue Saint-Honoré, 75001 Paris, France
Email: contact@lunem.ai