1. Overview
This Privacy Policy explains how Lotus.build (“Lotus.build”, “we”, “us”, or “our”) collects, uses, shares, and protects personal data when you use our website and services at https://lotus-build.vercel.app (the “Service”).
This policy applies to all users of the Service globally, including users in the European Economic Area (EEA), United Kingdom, and California. Where we are required to provide additional protections or rights under specific laws, we describe those in dedicated sections below.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
2. Data Controller Information
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR), the data controller responsible for your personal data is:
Organisation: Lotus.build
Website: https://lotus-build.vercel.app
Contact: arpkwebsitedevelopment@gmail.com
For all data protection enquiries, requests to exercise your rights, or complaints, please contact us at the email address above. We will respond to all requests within the timeframes required by applicable law (generally within 30 days).
3. Information We Collect
We collect personal data in three main ways: information you provide to us directly, information collected automatically, and information from third-party services.
3.1 Information You Provide Directly
| Category | Examples | Purpose |
|---|---|---|
| Account data | Name, email address, password (hashed), profile picture | Account creation, authentication, and communication |
| Billing data | Payment card details (processed by Stripe; we do not store raw card numbers), billing address, VAT number | Processing subscriptions and purchases |
| Prompts & content | Text prompts you submit, project names, custom instructions | Generating websites and applications as instructed by you |
| Support communications | Emails, in-app messages, feedback forms | Providing customer support and improving the Service |
| Team & workspace data | Team member email invitations, workspace names and settings | Enabling collaboration features |
3.2 Information Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Usage data | Pages visited, features used, button clicks, session duration, error logs | Improving the Service, debugging, and analytics |
| Device & technical data | IP address, browser type and version, operating system, screen resolution, referrer URL | Security, fraud prevention, and optimising compatibility |
| Cookies & local storage | Session cookies, authentication tokens, preference cookies | Authentication, preferences, and session management |
| Log data | Server request logs including timestamp, IP address, and HTTP status codes | Security monitoring, debugging, and service reliability |
3.3 Information from Third-Party Services
When you connect third-party accounts to Lotus.build, we receive data as authorised by you through those platforms’ OAuth or permission flows. This may include:
- GitHub: repository access, profile information, and commit data (only the repositories you explicitly authorise)
- Supabase: project credentials, database credentials (stored encrypted)
- Google (Firebase Auth): email address, name, and profile picture if you sign in with Google
4. How We Use Your Data
We use the personal data we collect for the following purposes:
- Providing, operating, and maintaining the Service, including processing your prompts through AI systems
- Creating and managing your account and authenticating your identity
- Processing payments and managing your subscription
- Personalising your experience and remembering your preferences
- Sending transactional communications such as account notifications, invoices, and security alerts
- Sending service and product updates where you have consented or where we have a legitimate interest
- Analysing usage to improve the Service and develop new features
- Detecting, investigating, and preventing fraudulent activity, abuse, and security incidents
- Complying with our legal obligations and enforcing our Terms of Service
- Responding to legal requests from authorities as required by law
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following legal bases under Article 6 of the UK/EU GDPR:
Contractual necessity
Processing required to provide the Service you have signed up for, including account management, code generation, and billing.
Legitimate interests
Processing for security monitoring, fraud prevention, service improvement, and product analytics — where these interests are not overridden by your rights.
Legal obligation
Processing required to comply with applicable law, such as retaining financial records for tax purposes.
Consent
Processing for optional communications (marketing emails), certain cookies, and any use of your data for AI model training. You may withdraw consent at any time.
6. Data Sharing & Disclosure
We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:
6.1 Service Providers (Data Processors)
We use carefully selected third-party service providers who process data on our behalf under Data Processing Agreements:
| Provider | Purpose | Location |
|---|---|---|
| Google Firebase | Authentication, database, hosting | USA (EU transfer safeguards) |
| OpenAI | AI code & content generation | USA (EU transfer safeguards) |
| Anthropic | AI code & content generation (Claude models) | USA (EU transfer safeguards) |
| Stripe | Payment processing | USA (EU transfer safeguards) |
| E2B | Sandboxed code execution | USA |
| Vercel | Application hosting & CDN | USA/Global |
6.2 Legal Disclosures
We may disclose your personal data to law enforcement, government authorities, or other parties where required by applicable law, court order, or legal process, or where we believe disclosure is necessary to protect the rights, property, or safety of Lotus.build, our users, or the public.
6.3 Business Transfers
If Lotus.build is involved in a merger, acquisition, asset sale, or similar transaction, your personal data may be transferred as part of that transaction. We will notify you before your personal data is transferred and becomes subject to a different privacy policy.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes set out in this policy and to comply with our legal obligations:
- Account data: retained for the duration of your account and deleted within 90 days of account closure, unless longer retention is required by law
- Billing records: retained for 7 years to comply with financial and tax regulations in applicable jurisdictions
- Prompts and generated content: retained while your account is active and for up to 90 days after deletion, after which it is permanently removed
- Server logs: retained for up to 12 months for security and debugging purposes
- Support communications: retained for up to 3 years to enable us to resolve disputes and improve our service
- Anonymised analytics data: may be retained indefinitely as it cannot be used to identify you
When data is no longer required, we securely delete or anonymise it in accordance with industry best practices.
8. Your Rights
Depending on your location, you have the following rights in relation to your personal data. To exercise any of these rights, contact us at arpkwebsitedevelopment@gmail.com. We will respond within 30 days (or within the timeframe required by applicable law).
Right of Access
Request a copy of the personal data we hold about you, along with information about how we use it.
Right to Rectification
Request that we correct inaccurate or incomplete personal data we hold about you.
Right to Erasure
Request that we delete your personal data ("right to be forgotten"), subject to certain legal exceptions.
Right to Data Portability
Request a structured, machine-readable copy of the personal data you have provided to us.
Right to Restrict Processing
Request that we restrict how we process your data in certain circumstances.
Right to Object
Object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent
Withdraw any consent you have given at any time. Withdrawal does not affect prior lawful processing.
Rights related to Automated Decisions
Not be subject to decisions made solely through automated processing that significantly affect you.
We will not discriminate against you for exercising any of these rights. We may need to verify your identity before fulfilling a request.
9. International Data Transfers
Lotus.build is operated with infrastructure and service providers located primarily in the United States. If you are accessing the Service from the EEA, UK, or other regions with data protection laws, your personal data will be transferred to and processed in countries outside your jurisdiction, including the United States.
For transfers from the EEA and UK, we rely on appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission and the UK ICO
- Adequacy decisions where applicable
- Transfers to service providers certified under applicable frameworks
You may request a copy of the safeguards we use for international transfers by contacting us at arpkwebsitedevelopment@gmail.com.
10. Security
We implement technical and organisational security measures appropriate to the risk, including:
- Encryption in transit using TLS 1.2 or higher for all data transfers
- Encryption at rest for sensitive data, including third-party credentials and environment variables
- Hashed passwords — we never store plaintext passwords
- Access controls limiting staff access to personal data on a need-to-know basis
- Sandboxed code execution environments to isolate user-generated code
- Regular security monitoring and logging
No system is completely secure. In the event of a data breach that affects your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law (generally within 72 hours of becoming aware of the breach for regulatory notification, and without undue delay for affected individuals).
If you discover a security vulnerability, please report it responsibly to arpkwebsitedevelopment@gmail.com.
11. Cookies & Tracking Technologies
We use cookies and similar technologies to operate and improve the Service. Cookies are small text files stored on your device.
Types of cookies we use
| Type | Purpose | Duration |
|---|---|---|
| Essential / Strictly necessary | Authentication sessions, security tokens, CSRF protection. Required for the Service to function. | Session / up to 1 year |
| Functional / Preference | Remembering your settings, theme preferences, and UI state. | Up to 1 year |
| Analytics | Understanding how users navigate and use the Service to improve it. | Up to 2 years |
You can control cookies through your browser settings. Note that disabling essential cookies may prevent the Service from functioning correctly. For users in the EEA and UK, we obtain consent for non-essential cookies in accordance with applicable law.
12. AI Data Processing
When you use Lotus.build’s AI features, your prompts and related context are transmitted to AI providers (currently OpenAI and Anthropic) to generate responses. You should be aware of the following:
- Prompts you submit are sent to third-party AI providers to generate code and content. These providers process data in accordance with their own privacy policies and API usage agreements.
- We do not use your prompts or generated content to train our own AI models. Our AI providers also commit not to use API inputs for model training under their enterprise API terms.
- Avoid including sensitive personal data, passwords, private keys, or confidential business information in your prompts. If you do, that data will be transmitted to AI providers.
- AI-generated content is stored in our database while your project is active so we can provide the Service. You may delete your projects at any time.
- We store anonymised metadata about AI usage (such as token counts and latency) for billing and service improvement purposes.
13. Children’s Privacy
The Service is not directed to, and we do not knowingly collect personal data from, individuals under the age of 18. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us at arpkwebsitedevelopment@gmail.com and we will promptly delete that data.
14. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
Right to Know
Request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell.
Right to Delete
Request deletion of personal information we have collected about you, subject to certain exceptions.
Right to Correct
Request correction of inaccurate personal information we maintain about you.
Right to Opt-Out of Sale/Sharing
We do not sell or share your personal information for cross-context behavioural advertising. No opt-out is necessary.
Right to Limit Use of Sensitive Data
Request that we limit the use of sensitive personal information to specific permitted purposes.
Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights.
To exercise your California rights, contact us at arpkwebsitedevelopment@gmail.com. We will verify your identity before processing your request. You may also designate an authorised agent to submit requests on your behalf.
Categories of personal information collected in the past 12 months: Identifiers (email, IP address); commercial information (purchase history); internet activity (usage data); inferences drawn from usage. We have not sold or shared any personal information in the past 12 months.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will post any changes on this page with an updated “Last Updated” date. For material changes, we will provide at least 30 days’ advance notice by email or prominent in-app notification where required by law.
Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes. If you do not agree, please stop using the Service and delete your account.
16. Contact & Complaints
For any questions, concerns, or requests relating to your personal data or this Privacy Policy, please contact us:
Email: arpkwebsitedevelopment@gmail.com
Website: https://lotus-build.vercel.app
Complaints — EEA & UK Users
If you are located in the European Economic Area, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.
If you are located in the United Kingdom, you may lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk. We would, however, appreciate the opportunity to address your concerns before you contact a regulator, so please reach out to us first.
This Privacy Policy was last updated on 12 May 2026.