Privacy Policy

Levain Labs Pte. Ltd. is a company incorporated in Singapore. We are the controller of personal data we collect about Customers, prospects, website visitors, and Authorised Users (referred to as "Account Data" below). For Customer Content that contains personal data of the Customer's end users, we are a processor and the Customer is the controller.

If you have questions or want to exercise your rights, contact us at privacy@levainlabs.com.

Account Data. Name, work email, work phone, job title, employer, billing details (handled by our payment processor), authentication information, and account preferences.

Customer Content. The agents you build, the prompts and instructions you provide, the data sources you connect, the outputs your agents produce, and the metrics you choose to measure. Customer Content may contain personal data of your end users where you choose to send such data to the Service.

Usage and telemetry. System events from your use of the Service: timestamps, IP address, device and browser information, the pages and features you use, the agents you operate, error logs, and similar diagnostic information.

Communications. Emails and other messages you send to support, sales, or other functions, and our responses.

Cookies and similar technologies. See section 10.

We do not knowingly collect personal data of children. The Service is for business use only.

We use Account Data to:

• provide the Service and maintain your account;
• bill you and collect payment;
• communicate with you about the Service, support requests, security, and changes;
• send marketing communications where permitted, with the right to opt out;
• detect, prevent, and respond to security incidents, fraud, and abuse; and
• comply with legal obligations.

We use Customer Content to:

• run, monitor, and improve your agents on the Service. This is the core function of the Service. As part of this we measure performance, run experiments, and apply optimisations to your agents;
• provide you with support when you ask for it;
• detect and respond to security and abuse concerns; and
• comply with legal obligations.

We do not use Customer Content to:

• train foundation models, whether ours or anyone else's;
• feed Customer Content into another customer's agents; or
• generate marketing material about you.

We may aggregate and de-identify information derived from the operation of the Service — including optimisation patterns, evaluation outcomes, performance benchmarks, latencies, error rates, and feature usage — and use such information to operate and secure the Service, develop and improve our optimisation techniques and platform algorithms, build benchmark datasets, conduct research, and otherwise improve our products and services, in each case where the information cannot reasonably be re-identified to you or your end users. We may retain and use such aggregated and de-identified information indefinitely, including after termination.

Where the GDPR or UK GDPR applies, we rely on these legal bases:

• Performance of a contract for processing Account Data needed to operate the Service and your account.
• Legitimate interests for security, fraud prevention, internal analytics, and improving the Service. We balance these against your rights and interests.
• Consent where required, for example for non-essential cookies and certain marketing.
• Legal obligation for tax, accounting, and regulatory record-keeping.

Where we process Customer Content that includes personal data of your end users, we do so under your instructions as a processor. The legal basis for that processing is established by you as the controller.

The Service produces outputs by sending prompts to large language models operated by third-party providers, currently including Anthropic. Those providers process the data we send them under their commercial agreements with us, which include commitments not to use API content to train their models.

Specifically:

• we send prompts and context to model providers as needed to produce outputs;
• we retain outputs as part of Customer Content;
• the model providers we currently use are listed on our sub-processors page.

We use a small number of sub-processors to deliver the Service, including providers of cloud infrastructure, model inference, payments, identity, email, analytics, and customer support. A current list is published at levainlabs.com/sub-processors.html and is also available on request by emailing support@levainlabs.com. We give Customers advance notice before adding a new sub-processor that processes Customer Content, and Customers may object on reasonable grounds.

We share personal data with:

• Sub-processors, as described above.
• Professional advisors (legal, accounting, audit) under confidentiality.
• Authorities, where required by law or to protect rights, safety, or property.
• Successors in connection with a merger, acquisition, or sale of assets, with notice.

We do not sell personal data. We do not share personal data for cross-context behavioural advertising as those terms are defined under California law.

Subject to applicable law, you may have the right to:

• access the personal data we hold about you;
• have it corrected if it is wrong;
• have it deleted, where we are not legally required to keep it;
• restrict or object to certain processing;
• receive a copy in a portable format;
• withdraw consent where processing is based on consent; and
• lodge a complaint with a supervisory authority.

Under Singapore's Personal Data Protection Act (PDPA), you may also withdraw consent and request access and correction.

Under the California Consumer Privacy Act (CCPA), if you are a California resident, you may also request information about categories of personal information collected and disclosed, and have the right not to be discriminated against for exercising your rights.

To exercise rights, contact privacy@levainlabs.com. If you are an end user of one of our Customers and want to exercise rights with respect to data the Customer controls, please contact the Customer directly.

We are based in Singapore and our sub-processors operate from various countries. Personal data may be transferred to, processed, and stored outside the country where you live, including the United States and the European Economic Area.

For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on Standard Contractual Clauses or other lawful transfer mechanisms. For transfers from Singapore, we comply with the PDPA's transfer requirements, including by ensuring recipients are bound to standards comparable to the PDPA.

Our website uses cookies and similar technologies for:

• Strictly necessary purposes (authentication, load balancing, security);
• Functional purposes (remembering preferences); and
• Analytics to understand how the website is used.

We do not use third-party advertising cookies. You can control cookies through your browser. Where required by law, we will ask for consent to non-essential cookies before setting them.

We keep personal data for as long as we need it for the purposes set out in this Policy.

• Account Data: while your account is active, plus up to ninety (90) days after termination, except where longer retention is required by law (for example, tax records).
• Customer Content: as agreed in your contract; on termination, for thirty (30) days unless you request earlier deletion.
• Usage and telemetry logs: typically up to thirteen (13) months for security and operational purposes, sometimes shorter.
• Marketing data: until you opt out, plus a short suppression period.

Backups are deleted on a rolling basis. We may keep records longer where required by law or to defend legal claims.

We protect personal data with administrative, technical, and physical safeguards appropriate to the risk. These include encryption in transit (TLS) and at rest, role-based access controls, audit logging, and a security incident response plan. No system is perfectly secure, and we cannot guarantee that data will never be accessed without authorisation, but we work to reduce that risk.

If we learn of a personal data breach affecting you, we will notify you as required by law and without undue delay. Suspected security issues can be reported to security@levainlabs.com.

The Service is intended for business use by adults. We do not knowingly collect personal data from anyone under 18.

We may update this Policy. We will post the updated version with a new "Last updated" date and, for material changes, give reasonable advance notice by email or in-product.

To contact us about this Policy or to exercise your rights:

• Email: privacy@levainlabs.com
• Mail: Levain Labs Pte. Ltd., [Registered office address], Singapore

If we are unable to resolve a complaint, you may have the right to lodge a complaint with a supervisory authority. In Singapore, that is the Personal Data Protection Commission. In the EEA or UK, that is your local data protection authority.