Privacy Policy

Last updated: June 2025 β€’ Next review: April 2025

Overview

Lavoro AI ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered proposal generation service. We comply with applicable privacy laws including GDPR, PIPEDA, CCPA, Virginia CDPA, and Texas DPSA.

Information We Collect

Personal Information

  • Account Information: Name, email address, and encrypted password
  • Profile Information: Company name, phone number (optional)
  • Billing Information: Processed securely through Stripe (we don't store payment details)

Business Information

  • Client Data: Client names, companies, and project information you enter
  • Documents: Proposals and documents you upload for AI training
  • Generated Content: AI-generated proposals and their metadata

Usage Information

  • Service Usage: AI generation requests, feature usage, subscription status
  • Technical Data: IP address, browser type, device information, and cookies
  • Security Logs: Authentication attempts, access patterns for security monitoring

How We Use Your Information

  • Core Service: Provide AI-powered proposal generation using OpenAI technology
  • Document Management: Store and manage your documents securely with AES-256 encryption
  • Account Management: Authenticate users and manage subscriptions
  • Payment Processing: Process payments through Stripe's secure platform
  • Customer Support: Provide technical support and customer service
  • Service Improvement: Analyze aggregated, anonymized usage patterns
  • Security: Monitor for fraud, abuse, and security threats
  • Legal Compliance: Meet legal obligations and protect our rights

AI Data Processing & Compliance

OpenAI Integration & AI Governance

When you use our AI features, we securely send limited data to OpenAI to generate proposals:

  • Data Sent: Client name, company, project description, and tone preferences
  • Data NOT Sent: Personal identifiers, financial details, or sensitive information
  • Processing: OpenAI processes data according to their Enterprise privacy terms and EU AI Act requirements
  • Retention: OpenAI does not train on your data or retain it beyond immediate processing
  • Control: You control what information is included in AI requests
  • Transparency: AI-generated content is clearly marked as such

AI Risk Management & Ethics

We implement responsible AI practices including:

  • Risk Assessments: Regular evaluation of AI systems for bias, accuracy, and fairness
  • Human Oversight: All AI-generated proposals are subject to user review and editing
  • Algorithmic Transparency: Clear disclosure when automated decision-making affects users
  • Bias Mitigation: Ongoing monitoring to prevent discriminatory outputs
  • Data Minimization: AI systems only process data necessary for the requested functionality

Compliance with Emerging AI Regulations

We stay current with evolving AI laws including:

  • EU AI Act: Classification of our AI systems as "limited risk" with appropriate transparency measures
  • California ADMT Rules: Compliance with automated decision-making technology regulations
  • Federal AI Guidelines: Adherence to NIST AI Risk Management Framework
  • Sector-Specific Rules: Compliance with any applicable AI regulations in our industry

Data Storage and Security

Security Measures

  • Encryption: AES-256 encryption for all stored data, TLS 1.3 for data in transit
  • Access Controls: Multi-factor authentication and role-based access controls
  • Infrastructure: SOC 2 Type II compliant AWS infrastructure
  • Monitoring: 24/7 security monitoring and automated threat detection
  • Backups: Encrypted backups with 30-day retention for disaster recovery
  • Network Security: VPC isolation, security groups, and network access controls

Regional Data Storage

  • Primary Region: US East (Virginia) for global users
  • EU Users: Data processed in EU-compliant regions where required
  • Canadian Users: Currently US storage with equivalent protection (migration to Canada planned Q3 2025)
  • Data Residency: We can accommodate specific regional requirements for Enterprise customers

Data Sharing and Disclosure

We never sell your personal information to third parties.

Service Providers

We share limited data with trusted service providers under strict data processing agreements:

  • AWS: Cloud hosting and infrastructure services
  • OpenAI: AI processing for proposal generation (no training on your data)
  • Stripe: Payment processing (we don't see your payment details)
  • Supabase: Database and authentication services

Legal Requirements

We may disclose information when required by law or to:

  • Comply with legal process or government requests
  • Protect our rights, property, or safety
  • Prevent fraud or security threats
  • Enforce our Terms of Service

πŸ‡¨πŸ‡¦ Canadian Users (PIPEDA Compliance)

Data Collection Notice

We collect your information for these specific purposes:

  • AI-powered proposal generation
  • Secure document storage and management
  • Account management and billing
  • Customer support and service improvement

Cross-Border Data Transfer

Your data may be stored in our US region (Virginia) which provides equivalent protection to Canadian privacy laws through SOC 2 compliance, encryption, and strict access controls. Your data will be automatically migrated to our Canadian region when available (Q3 2025) at no cost.

Your PIPEDA Rights

  • Access: Request copies of your personal information
  • Correction: Update or correct inaccurate information
  • Withdrawal: Withdraw consent for data processing
  • Complaints: File complaints with the Privacy Commissioner of Canada

Privacy Officer Contact

For PIPEDA-related inquiries, contact our Privacy Officer at support@lavorodocs.com

πŸ‡ͺπŸ‡Ί European Users (GDPR Compliance)

Legal Basis for Processing

  • Contract Performance: Providing our AI proposal generation service
  • Legitimate Interests: Service improvement and security monitoring
  • Legal Compliance: Meeting regulatory requirements
  • Consent: Marketing communications (opt-in only)

Your GDPR Rights

  • Access: Obtain copies of your personal data
  • Rectification: Correct inaccurate personal data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Portability: Export your data in machine-readable format
  • Restriction: Limit processing of your data
  • Objection: Object to processing based on legitimate interests

πŸ‡ΊπŸ‡Έ Virginia Residents (VCDPA Compliance)

Under the Virginia Consumer Data Protection Act (enhanced January 1, 2025), Virginia residents have comprehensive data protection rights:

Your Rights Under VCDPA

  • Right to Access: Confirm whether we process your personal data and access your data
  • Right to Correct: Correct inaccuracies in your personal data
  • Right to Delete: Delete personal data provided by or obtained about you
  • Right to Data Portability: Obtain a copy of your personal data in a portable format
  • Right to Opt-Out: Opt out of processing for targeted advertising, sale, or profiling in furtherance of decisions with legal effects
  • Right to Appeal: Appeal our decisions regarding your privacy requests

Enhanced Children's Privacy Protections (2025)

Virginia has strengthened protections for children under 13, including:

  • Prohibition on processing children's data for targeted advertising, sale, or profiling
  • Restrictions on collecting precise geolocation data from children
  • Enhanced parental consent requirements aligned with COPPA
  • Mandatory data protection assessments for services directed to children

Virginia Data Processing Notice

We maintain high standards by not:

  • Selling personal data to third parties for monetary consideration
  • Processing personal data for targeted advertising without clear opt-out mechanisms
  • Using personal data for profiling that produces legal or similarly significant effects without consent
  • Processing children's data without appropriate parental consent

πŸ‡ΊπŸ‡Έ Texas Residents (TDPSA Compliance)

Under the Texas Data Privacy and Security Act (effective July 1, 2024), Texas residents have comprehensive rights over their personal data:

Your Rights Under TDPSA

  • Right to Know: Confirm whether we process your personal data and access such data
  • Right to Correct: Correct inaccuracies in your personal data, taking into account the nature of the data and processing purposes
  • Right to Delete: Delete personal data provided by or obtained about you
  • Right to Data Portability: Obtain a copy of your personal data in a portable, readily usable format
  • Right to Opt-Out: Opt out of processing for targeted advertising, sale of personal data, or profiling that produces legal or similarly significant effects
  • Right to Non-Discrimination: We will not discriminate against you for exercising these rights

Universal Opt-Out Mechanisms

Effective January 1, 2025, we honor universal opt-out preference signals (such as Global Privacy Control) sent by your browser or device.

Texas Sensitive Data Protections

We obtain explicit consent before processing sensitive personal data including:

  • Data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship/immigration status
  • Genetic or biometric data for unique identification (we don't collect these)
  • Personal data from known children under 13
  • Precise geolocation data (only when necessary for service functionality)

Small Business Exemption Notice

While we may qualify as a small business under SBA definitions, we voluntarily comply with TDPSA standards to ensure consistent privacy protection for all users.

πŸ‡ΊπŸ‡Έ California Residents (CCPA/CPRA Compliance)

Under the California Consumer Privacy Act and California Privacy Rights Act, California residents have comprehensive privacy rights:

Your Rights Under CCPA/CPRA

  • Right to Know: What personal information we collect, use, disclose, or sell
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of the sale or sharing of personal information
  • Right to Limit Use: Limit the use and disclosure of sensitive personal information
  • Right to Data Portability: Receive your personal information in a portable format
  • Right to Non-Discrimination: We will not discriminate against you for exercising these rights

Automated Decision-Making Technology (ADMT)

We may use automated systems for proposal generation. When we do:

  • We provide clear notice before using ADMT that affects significant decisions
  • You have the right to opt-out of ADMT for significant decisions or extensive profiling
  • You can request information about how ADMT outputs affect you
  • A human appeal process is available for certain automated decisions

California Privacy Protection Agency (CPPA) Updates

We comply with the latest CPPA regulations including:

  • Dark pattern prohibition in consent interfaces
  • Enhanced risk assessments for AI and automated processing
  • Strengthened data broker registry compliance
  • Universal opt-out preference signal recognition

Federal Compliance & Standards

Beyond state requirements, we comply with comprehensive federal laws and standards:

  • CAN-SPAM Act: All marketing emails include clear unsubscribe options and truthful subject lines
  • COPPA (Enhanced 2024): We do not knowingly collect data from children under 13 and comply with updated parental consent requirements
  • Section 508/WCAG 2.1 AA: We maintain accessibility standards for users with disabilities
  • FTC Act Section 5: We follow fair information practices and avoid deceptive or unfair practices
  • NIST Cybersecurity Framework 2.0: Our security measures align with the latest federal cybersecurity standards
  • NIST AI Risk Management Framework: We implement comprehensive AI governance and risk management
  • Executive Order 14110: We adhere to federal AI safety and security requirements
  • Gramm-Leach-Bliley Act: Financial data handling follows banking privacy standards where applicable

Emerging Technology Compliance

We proactively address emerging technology regulations:

  • Algorithmic Accountability: Documentation and testing of AI systems for bias and fairness
  • Privacy by Design: Building privacy protections into all new features from conception
  • Zero Trust Security: Implementation of modern security architectures
  • Quantum-Safe Cryptography: Preparing for post-quantum cryptographic standards
  • Biometric Data Protection: Comprehensive safeguards even though we don't currently collect biometric data

Data Retention

  • Active Accounts: Data retained while your account is active and functioning
  • Inactive Accounts: Data deleted after 2 years of account inactivity
  • Documents: Deleted immediately when you delete them, or after 7 years maximum
  • Generated Proposals: Retained until you delete them or close your account
  • Security Logs: Retained for 1 year for security and compliance purposes
  • Backups: Encrypted backups automatically deleted after 30 days
  • AI Processing: OpenAI doesn't retain your data beyond immediate processing

International Data Transfers

For users outside the United States, your data may be transferred to and processed in the US. We ensure appropriate safeguards through:

  • Adequacy Decisions: EU-US Data Privacy Framework participation
  • Standard Contractual Clauses: EU-approved data transfer mechanisms
  • Equivalent Protection: SOC 2 compliance and enterprise-grade security
  • Regional Storage: Moving toward regional data storage for compliance

Cookies and Tracking

  • Essential Cookies: Required for authentication and core functionality
  • Analytics: Anonymized usage analytics to improve our service
  • No Third-Party Tracking: We don't use advertising or social media tracking
  • Cookie Control: You can disable non-essential cookies in your browser

Children's Privacy

Our service is not intended for users under 18. We do not knowingly collect personal information from children under 18. If we discover we have collected such information, we will delete it immediately.

Privacy Rights Requests

To exercise your privacy rights, contact us with the following information:

  • Your name and email address associated with your account
  • Specific right you wish to exercise
  • Description of your request
  • Identity verification may be required for security

We will respond within 45 days of receiving your request (30 days for PIPEDA).

How to Submit Requests

  • Email: support@lavorodocs.com
  • Account Settings: Use the delete account option in your account settings
  • Support: Contact support@lavorodocs.com for assistance

Security Incidents

In the event of a data breach affecting personal information, we will:

  • Notify affected users within 72 hours when possible
  • Report to relevant supervisory authorities as required
  • Provide detailed information about the incident and remediation steps
  • Offer credit monitoring services if appropriate

Contact Information

For privacy-related questions or requests:

  • General Support, Privacy Officer, Security Issues: support@lavorodocs.com

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email and through our service at least 30 days before they take effect. The "Last updated" date will reflect when changes were made.

← Back to Home