Privacy Policy

1. Identity & Contact Information (Controller)

Lazra Labs LLC is the data controller for personal information collected through our website and products. We are a Colorado-based company providing AI-powered SaaS products for automotive dealerships.

• Email: christopher@lazralabs.ai
• Address: Lazra Labs LLC, Colorado, United States

When we process data on behalf of our dealership customers (e.g., their customer records), we act as a data processor; the dealership is the controller of that data.

2. Categories of Personal Data Collected

2.1 Account & Billing Data

• Business name, contact name, email address, phone number
• Billing information processed by Stripe — we do not store full payment card numbers
• Subscription tier, order history, and usage records

2.2 Dealership Operational Data

• Performance metrics, sales figures, gross data, and KPIs you upload or connect to Lazra products
• Financial statements uploaded to Ledger for analysis and forecasting
• Vehicle inventory and appraisal data used by Scout and Carter
• Repair order data used for audit and intelligence functions (Gauge)

2.3 End-Customer & Lead Data (Processor Role)

• Names, email addresses, and phone numbers captured through Claire (webchat) or other lead-capture features
• Conversation transcripts from webchat and AI agent interactions
• Appointment and scheduling data where applicable

2.4 AI Agent Activity Logs

• All actions taken by Lazra AI agents are logged with timestamps, action type, data accessed, and outcome
• Management transparency reports are delivered to designated contacts via Slack or email
• Logs are retained for audit purposes and accessible to authorized account administrators

2.5 Usage & Technical Data

• IP address, browser type, device type, pages visited, session duration, clickstream data
• API call logs and integration activity
• Error logs and performance diagnostics

We do not collect: Social Security numbers, government IDs, biometric data, precise geolocation, or health information.

3. Purposes of Collection and Legal Basis

Purpose	Data Used	Legal Basis
Provide and operate the Services	Account, operational, usage data	Contract performance
Process payments and manage subscriptions	Billing information	Contract performance
Generate AI-powered insights, forecasts, reports	Dealership operational and financial data	Contract performance
Run AI agents with governance logging	Agent activity logs, data accessed	Contract / Legitimate interests
Deliver intelligence digests and alerts	Email, operational preferences	Contract performance
Prevent fraud and security incidents	Usage and technical data	Legitimate interests
Product improvement (de-identified only)	Aggregated, anonymized usage data	Legitimate interests
Legal compliance and enforcement	As required by applicable law	Legal obligation

We do not use personal data for targeted advertising, sale to third parties, or automated profiling that produces legal or similarly significant effects without human review.

4. AI Agents — Governance & Transparency

• Limited scope by design: Each agent operates within a declared permission boundary and cannot access data outside that scope.
• Full audit logging: Every agent action is logged with a timestamp, the data accessed, and the outcome. Logs are available to authorized account administrators on request.
• Management visibility: Summary reports and exception alerts are automatically delivered to designated management contacts via Slack or email. Agents do not operate as black boxes.
• Scheduled overnight operations: Agents running on automated schedules remain within their configured scope. All such schedules are disclosed to the account holder in advance.
• Human review required: AI-generated outputs — including forecasts, financial models, and market analyses — are decision-support tools only. No AI output constitutes an automatic action without human authorization.

5. Sharing and Disclosure of Information

We do not sell personal information. We share information only in the following limited circumstances:

5.1 Service Providers (Subprocessors) — We contract with third-party vendors who process data only as directed by us:

• Cloud infrastructure and hosting: Cloudflare
• Database and authentication: Supabase
• AI model inference: Anthropic, OpenAI (prompts only; not retained for training without consent)
• Email delivery: AgentMail
• Payment processing: Stripe
• Communication and alerting: Slack

5.2 Legal Requirements — We may disclose information when required by law, regulation, court order, or governmental authority, or to protect our rights or the safety of others.

5.3 Business Transfers — In the event of a merger, acquisition, or asset sale, personal data may be transferred. We will provide notice and the opportunity to opt out where required by law.

6. Colorado Privacy Act (CPA) — Your Rights

If you are a Colorado resident, the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.) grants you the following rights:

• Right to Access: Know what personal data we hold about you and obtain a copy
• Right to Correction: Correct inaccurate personal data
• Right to Deletion: Request deletion of your personal data, subject to legal retention requirements
• Right to Data Portability: Receive your data in a portable format
• Right to Opt Out of Sale: We do not sell personal data; this right is not applicable but honored by default
• Right to Opt Out of Profiling: Opt out of profiling used to make decisions with legal or similarly significant effects
• Right to Appeal: If we deny a request, you may appeal and we will respond within 45 days

To exercise any right: email christopher@lazralabs.ai with subject line "CPA Privacy Request." We will respond within 45 days; one 45-day extension is permitted with notice. We will not discriminate against you for exercising these rights.

7. Other Applicable Privacy Rights

California (CCPA/CPRA): California residents have rights to know, delete, correct, and opt out of sale of personal data. We do not sell personal information. Contact us to exercise these rights.

GDPR / UK GDPR: EEA and UK residents have rights to access, rectification, erasure, restriction, portability, and to lodge a complaint with a supervisory authority. Our legal bases are set out in Section 3 above.

8. Data Retention

• Account data: Duration of subscription plus up to 12 months post-termination, unless deletion is requested
• Agent activity logs: Minimum 90 days for audit purposes; longer retention available at account level
• Financial documents (Ledger): Duration of subscription; deletable by the account holder at any time
• Conversation transcripts (Claire): Up to 12 months unless earlier deletion is requested
• De-identified analytics: May be retained indefinitely in aggregated, non-identifiable form

9. Security Measures

• TLS/HTTPS encryption for all data in transit
• Row-level security and multi-tenant access controls in our database infrastructure
• PII tokenization — customer identifiers travel between systems as UUID tokens, never as raw personal data
• Access to production systems limited to authorized personnel on a need-to-know basis
• Full audit logging of all AI agent activity with access controls

No system is completely secure. If you believe your account has been compromised, contact us immediately at christopher@lazralabs.ai.

10. Data Protection Assessments

In accordance with the Colorado Privacy Act, we conduct and document data protection assessments for any processing activities that present heightened risk, including any future use of personal data for profiling or targeted advertising. We do not currently engage in targeted advertising. These assessments are available to the Colorado Attorney General upon request.

11. Cookies & Tracking Technologies

We use essential cookies (required for authentication and session management) and analytics cookies (to measure product usage and improve the Services). We do not use advertising or behavioral tracking cookies. You can control cookies through your browser settings; disabling essential cookies may impair functionality.

We honor Global Privacy Control (GPC) signals in compliance with the Colorado Privacy Act.

12. International Data Transfers

Lazra Labs is based in the United States. Data may be processed in the US or other countries. Where required by applicable law, we implement appropriate safeguards such as Standard Contractual Clauses for cross-border transfers.

13. Children’s Privacy

Our Services are not directed to individuals under 13. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected such information, contact us immediately.

14. Changes to This Policy

We may update this Policy at any time. For material changes, we will post an updated version here and notify active subscribers by email at least 14 days before changes take effect. Continued use after the effective date constitutes acceptance.

15. How to Contact Us

Email: christopher@lazralabs.ai (subject: "Privacy Request")
Mail: Lazra Labs LLC, Colorado, United States
We aim to respond to all privacy inquiries within 5 business days.