lavela Privacy Policy

Effective date: June 21, 2026 Last updated: June 21, 2026 Policy version: 2026-06-2

This Privacy Policy explains how lavela ("lavela," "we," "us," or "our") collects, uses, shares, and protects personal data when you use the lavela platform — including our web console, our MCP (Model Context Protocol) server used by AI agents such as Claude or Cursor, and the related APIs and services (together, the "Service").

lavela is a "launch and operations" platform. Acting as your agent under authority you grant us at signup, we provision and operate cloud infrastructure on your behalf — web hosting, compute/containers, databases, domains, and transactional email — connect your payment and advertising accounts, and run day-1-to-90 operations such as monitoring, security scans, compliance documents, and daily AI summaries. lavela never modifies your source code.

If you have questions about this policy or your data, contact us at legal@lavela.dev (see Contact).

A Plain-English Summary

This summary is not a substitute for the full policy, but here is the short version:

• We collect the minimum we need to run the Service: your account email, the projects and infrastructure you ask us to provision, usage/metering data so we can bill correctly, audit logs of the actions we take for you, identifiers for the accounts you connect (such as your Stripe or ad accounts), and one IP address + timestamp to record your consent.
• We do not store your card numbers — Stripe holds those.
• We do not sell your personal data, and we do not share it for cross-context behavioral advertising.
• You can access, export, correct, and delete your data.
• We use a small set of trusted infrastructure providers ("subprocessors") to run the Service — they are listed below. One of them (DeepSeek, used only for background AI summaries) processes data outside the EEA, including in China — see Section 7.
• We use automated logic for provisioning, billing, and non-payment suspension/teardown — see Section 3.

1. Who We Are and Our Role

lavela operates lavela. For the purposes of data protection law:

• lavela is the data controller for your account and platform data — the information you give us to create and use your lavela account and to operate the Service (for example, your email, your project configuration, usage/metering, billing records, audit logs, and your consent record). We decide how and why this data is processed.
• lavela is a data processor for the data and systems we provision and operate on your behalf. When you direct us (through the console or your AI agent) to stand up a database, hosting, email sending, or other infrastructure for your app, you are the controller of the personal data your app collects from your end users, and lavela processes that data only on your instructions as your agent and service provider. As your processor, we act only on your documented instructions, engage subprocessors under written terms that pass through equivalent data-protection obligations, assist you with data-subject requests and breach notification, and delete or return the data we provisioned on your behalf when our relationship ends — as set out in our Data Processing Addendum (DPA). Request the DPA at legal@lavela.dev.

In short: we control the data about you as a lavela customer; we process — on your behalf — the data inside the infrastructure we run for your app.

2. Data We Collect

We collect only what we need to operate the Service. We do not collect special categories of data (such as health, biometric, or political data), and we ask you not to put such data into fields where it isn't required.

2.1 Account identity

• Account email (and, where applicable, the identifier from the sign-in provider you use). This is how we create your account, authenticate you, and contact you about the Service.

2.2 Your projects and provisioning configuration

• The projects you create, your provisioning configuration (for example: which hosting, database, domain, email, compute, or ad modules you want and their settings), and the status of those modules.

2.3 Usage and metering data

• Usage and metering of the infrastructure we operate for you (for example: compute time, build runs, resource counts, ad-spend totals routed through us). We use this to operate the Service and to bill you accurately.

2.4 Audit logs of delegated actions

• Because lavela acts on your behalf, we keep an audit log of every delegated action — what was requested, by which surface (web console or a named MCP agent), the tool or route invoked, whether it succeeded, error codes, and timing. For privacy, the audit log stores a cryptographic hash of input/output payloads (a fingerprint, not their content) rather than the raw payload. The entry still records identifying metadata such as your account, the project, the surface used, the timing, and the result, which we keep as our accountability record.

2.5 Connected-account identifiers

• Identifiers for the accounts you connect — such as your Stripe / Stripe Connect account ID, your connected advertising account IDs, your domain names, and similar references. These let us operate those services for you.
• We do NOT collect or store your payment card numbers. When you set up billing, your card details go directly to Stripe, which stores them; lavela receives only a token/reference and basic billing metadata (for example, that a card is on file and the last four digits Stripe returns).

2.6 Consent record

• When you accept our clickwrap agreement at signup or first provisioning, we record the policy/consent version you accepted, the timestamp, and your IP address (and user-agent string). This is your legal record of what you agreed to and when.

2.7 Operational and diagnostic data

• Standard logs and error/diagnostic data generated while running the Service (for example, request metadata, error events, and performance traces), used to keep the Service reliable and secure.

2.8 Communications

• If you email us or contact support, we keep that correspondence to respond and for our records.

Note on your app's end users: when your app, running on infrastructure we provision for you, collects data from your customers, lavela handles that data as your processor under your instructions (see Section 1). This policy governs lavela's own collection from you; you are responsible for the privacy notice your app shows your end users. If you are an end user of a lavela customer's app and you contact us directly (for example, to access or delete your data), we will refer your request to that customer — the controller of your data — and assist them in responding, rather than acting on it ourselves.

3. How We Use Your Data

We use the data described above for the following purposes:

• To operate the Service — provision, configure, run, monitor, and tear down the infrastructure and operations you (or your AI agent) request; act as your agent for the delegated actions you authorize.
• To bill you — calculate and charge the monthly compute service charge, the ~10% commission on advertising spend you run through lavela, and pass through other infrastructure costs (such as email and domains) at provider cost; manage suspension/teardown on non-payment.
• For security and integrity — authenticate you, prevent fraud and abuse, enforce usage limits and consent gates, run security scans, and maintain the audit log of delegated actions.
• For support — respond to your requests, diagnose problems, and operate your account.
• For product operation and improvement — keep the Service reliable, understand aggregate usage, and improve features.
• For legal and compliance — comply with applicable law, respond to lawful requests, and enforce our Terms.

We do not use your data to build advertising profiles, and we do not sell it. A user's own AI agent (such as Claude or Cursor) performs most in-conversation generation on the user's side; lavela's own AI use is limited to server-side background tasks like summaries and suggestions.

Automated processing & AI

We use automated logic for provisioning, metering, billing, and non-payment suspension and teardown (when an invoice goes unpaid, the Service follows an automated suspension-then-teardown schedule). We also use a server-side AI provider (DeepSeek) to generate daily summaries and suggestions from your project and operational data. These processes do not produce legal or similarly significant effects about you without a human-reviewable basis — the daily-brief and suggestion outputs are advisory, and billing/teardown follow the terms and timelines you agreed to, with the ability to reach us to resolve a payment issue. The project/operational data sent to DeepSeek is limited to what the summary requires and, per DeepSeek's API terms, is not used to train third-party models (founder to verify against DeepSeek's then-current API terms before publishing). See Section 7 for where DeepSeek processes this data.

Important: we take 0% of your sales (but we are the merchant for our own charges to you)

lavela charges no fee on your revenue. Your customers pay you directly through Stripe Connect; you are the merchant of record for your sales, funds settle to your account in full, and lavela is not a party to those transactions. We therefore do not process your end-customers' payment data for our own purposes.

Separately, for lavela's own charges to you (the monthly compute service charge and the advertising commission), lavela is the merchant of record and Stripe processes those payments on our behalf. Your card is held by Stripe, not by lavela (see Section 2.5). In other words: your sales are entirely yours (0%, you are the merchant, you settle in full); our charges to you are processed by Stripe with lavela as the merchant.

4. Legal Bases for Processing (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR (and UK GDPR):

| Purpose | Legal basis | |---|---| | Creating and operating your account; providing the Service you requested; acting as your agent for delegated actions; billing | Performance of a contract (Art. 6(1)(b)) | | Security, fraud prevention, audit logging, keeping the Service reliable, and product improvement | Legitimate interests (Art. 6(1)(f)) — balanced against your rights | | Recording your consent at signup; any optional features that require it | Consent (Art. 6(1)(a)) — which you may withdraw at any time | | Retaining records and responding to lawful requests | Legal obligation (Art. 6(1)(c)) |

Where we rely on legitimate interests, you have the right to object (see Section 9). Where we rely on consent, withdrawing it does not affect processing already carried out.

5. Subprocessors

We use the following service providers ("subprocessors") to run lavela. Each processes personal data only as needed for its function and under contractual data-protection terms. We may update this list as the Service evolves; material changes are reflected here (see Section 14).

| Subprocessor | Purpose (one line) | |---|---| | Vercel | Web hosting and CDN for lavela and for the static/web apps we deploy for you | | Fly.io | Compute and container hosting (the pooled compute we run on your behalf) | | Neon | Managed PostgreSQL databases provisioned for your projects | | Supabase | Your account authentication and lavela's own application database, including our server-side audit-log, consent, and AI-usage records | | Resend | Transactional email delivery (for lavela and for the email we send on your behalf) | | Stripe / Stripe Connect | Payments — your connected merchant accounts, lavela's own billing, and card storage (cards stay with Stripe) | | Upstash | Redis cache and rate limiting | | Inngest | Workflow and background-job orchestration for delegated operations | | Axiom | Application logging | | Sentry | Error and exception monitoring | | Cloudflare R2 | Object storage (for example, generated assets and files) | | DeepSeek | Server-side background AI for summaries and suggestions (processes data outside the EEA, including in China — see Section 7) |

We may also use general business tools (such as our own email provider for support correspondence) and, for product analytics, a privacy-friendly analytics provider (see Section 11).

A current, dated subprocessor list is available on request at legal@lavela.dev. Customers under a DPA may request advance notice of new subprocessors as provided in the DPA.

6. How We Share Data

We share personal data only:

• With the subprocessors above, to run the Service.
• At your direction — when you ask us to connect or operate a third-party account (such as Stripe or an advertising platform), we exchange the data needed to perform that action with that provider, which then handles it under its own privacy policy.
• For legal reasons — to comply with law, enforce our Terms, or protect the rights, safety, and security of lavela, our users, or the public.
• In a business transfer — if lavela is involved in a merger, acquisition, or sale of assets, your data may transfer as part of that transaction, subject to this policy.

We do not sell your personal data, and we do not share it for cross-context behavioral advertising (see Section 10).

7. International Data Transfers

lavela uses providers that may process data in the United States and other countries, so your data may be transferred outside your home country, including from the EEA/UK to the United States. Where we transfer personal data internationally, we rely on appropriate safeguards, such as the EU Standard Contractual Clauses (and the UK Addendum / IDTA), and/or providers' certification under applicable frameworks.

lavela's own platform data (your account, audit logs, consent records, and billing data) is primarily processed in the United States.

Transfer to China (DeepSeek). Our server-side AI provider, DeepSeek, is based in China, which is not covered by an EU adequacy decision. When we generate a daily summary or suggestion, the limited project/operational data the summary requires is transferred to DeepSeek and may be processed outside the EEA and the US, including in China. We rely on Standard Contractual Clauses or other appropriate safeguards for this transfer (founder to confirm exactly what data leaves to DeepSeek and the safeguard relied on before publishing).

EU region option (compute only). If you require it, lavela offers an EU region option that pins the compute we run for you to EU regions (our default compute region is in the United States). This pins compute only — the regions of other subprocessors (Supabase, Neon, Vercel, Resend, Cloudflare R2, Sentry, Axiom, and DeepSeek) are set per provider, and the DeepSeek AI path is not removed by the EU compute option unless background AI is disabled or regionalized for your account. Contact legal@lavela.dev to discuss full-stack EU residency or to disable the AI path.

8. Data Retention

We keep personal data only as long as needed for the purposes in this policy:

• Account and project data — for as long as your account is active. After you close your account or request deletion, we delete or anonymize it within up to 90 days, except where we must keep it longer (see below).
• Audit logs of delegated actions — retained for a defined period to maintain an accurate, tamper-evident record of actions taken on your behalf (audit entries store hashes of payload content, plus identifying metadata). Typical retention: up to 24 months.
• Billing and transaction records — retained as required by tax, accounting, and legal obligations (commonly several years).
• Consent records — retained on an append-only basis for the life of your account (and a reasonable period afterward) so we have a durable record of what you agreed to and when.
• Backups and logs — operational logs and backups roll off on their normal cycle.

When we no longer need data, we delete it or irreversibly anonymize it.

9. Your Privacy Rights

Depending on where you live, you have rights over your personal data. lavela honors the following for all users:

• Access — get a copy of the personal data we hold about you.
• Export / portability — we provide an export of your account and project data in a portable, machine-readable format.
• Correction — fix inaccurate or incomplete data.
• Deletion — ask us to delete your data (subject to the legal-retention exceptions in Section 8).
• Object / restrict — object to or restrict certain processing (for example, processing based on legitimate interests).
• Withdraw consent — where we rely on consent, withdraw it at any time.
• Non-discrimination — we will not deny you service or charge you differently for exercising your rights.

How to exercise your rights: email legal@lavela.dev, or use the in-console controls where available. We will verify your identity (typically via your account email) and respond within the timeframe required by law — generally within 30 days (extendable where permitted). You may authorize an agent to act on your behalf, subject to verification. You also have the right to lodge a complaint with your local data protection authority; in the EEA you may contact your national supervisory authority, and in the UK the Information Commissioner's Office (ICO).

If you are an end user of a lavela customer's app, please direct your request to that customer (the controller of your data). If you contact us, we will refer your request to them and assist them in responding (see the end-user note in Section 2).

10. California Privacy (CCPA / CPRA)

If you are a California resident, you have the rights to know/access, delete, correct, and opt out of sale or sharing of your personal information, and the right not to be discriminated against for exercising them.

lavela does not "sell" your personal information, and we do not "share" it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. Because we do not sell or share, there is no "Do Not Sell or Share My Personal Information" action required — but you may still exercise your access, deletion, and correction rights using the methods in Section 9.

The categories of personal information we collect, the purposes, and the third parties we disclose to are described in Sections 2, 3, 5, and 6. We retain each category as described in Section 8.

11. Cookies and Analytics

We keep cookies and tracking to a minimum.

• Essential cookies — we use cookies that are strictly necessary to sign you in and keep your session secure (set by our authentication layer, Supabase). The Service does not work without these.
• Analytics — for product usage we use privacy-friendly, cookie-free analytics (Plausible), which measures aggregate visits and pageviews without using cookies or tracking you across sites and without collecting personal identifiers for advertising.
• No advertising or cross-site tracking cookies — we do not use third-party ad-tracking or cross-context behavioral advertising cookies on lavela.

Note: any analytics on your own app (for example, the Plausible snippet we hand you for your site) is added by you/your agent to your app and is governed by your privacy notice — lavela never edits your code.

12. Children's Privacy

The Service is intended for users aged 18 or older who are operating a business. We do not knowingly collect personal data from children under 16 (or the minimum digital-consent age in your jurisdiction, which in some places may be as low as 13). Consistent with the U.S. Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal data from children under 13. If you believe a child has provided us personal data, contact legal@lavela.dev and we will delete it.

13. Security

We take reasonable and appropriate technical and organizational measures to protect your data, including:

• Encryption of data in transit (TLS) and at rest with our infrastructure providers.
• Scoped, least-privilege access — access to data and to the actions performed on your behalf is gated by per-scope authorization (for example, our provisioning scope refuses to act until your current consent is on file), and tenant data is isolated.
• Audit logging of every delegated action, so there is an accountable record of what was done for you.
• Secret handling — credentials and tokens are stored and brokered securely; card data is held by Stripe, not by lavela.
• Monitoring — error and security monitoring, plus security scans.

No system is perfectly secure. If we become aware of a personal-data breach, we will notify you and the relevant authorities where required by law and without undue delay.

Breaches affecting data we process on your behalf (processor duty). If we become aware of a personal-data breach affecting data we process on your behalf (your app's end-user data), we will notify you without undue delay, and in any event within 72 hours of confirming the breach, with the information you reasonably need to meet your own notification obligations (including your GDPR 72-hour clock to your supervisory authority and to affected individuals).

14. Changes to This Policy

We may update this Privacy Policy as the Service or the law evolves. When we make changes, we will update the version and effective date at the top and post the new policy.

• For non-material updates (such as clarifications or new subprocessors disclosed in Section 5), your continued use of the Service after the update means you accept the revised policy.
• For material changes — especially any change that affects a processing activity based on your consent — we will require your active re-acceptance of the new version before the change applies to you. Our consent record tracks which version you accepted, so continued use alone is not treated as acceptance of a material, consent-based change.

15. Governing Law

This Privacy Policy is governed by the laws of Canada, without regard to its conflict-of-laws rules, except where mandatory local data-protection law (such as the GDPR or CCPA) applies to you.

Contact Us

For privacy questions, to exercise your rights, or to request our subprocessor list or DPA:

• lavela
• Email: legal@lavela.dev
• Postal address: Canada (mailing address available on request at legal@lavela.dev)
• Data Protection contact / EU-UK representative (if applicable): [DPO / REPRESENTATIVE — appoint if required under GDPR Art. 27]

This document is a launch-grade draft prepared from lavela's actual architecture and data flows. Have it reviewed by qualified legal counsel for your jurisdiction before publishing to real users.

Questions? Contact us at the email in this document. · Terms · Privacy