Last updated: May 20, 2026 · GDPR compliant

1. Who We Are

Loneli (“we”, “us”, “our”) operates the Loneli AI platform. We are the data controller for the personal data described in this policy. For privacy enquiries, contact privacy@loneli.app.

2. Data We Collect

| Category | What we collect | Why |
| --- | --- | --- |
| Account | Email address, hashed password | Authentication and account management |
| Age verification | Date of birth, consent timestamp | Legal compliance — proof of adult consent |
| Legal consents | Terms, privacy, adult content, fictional consent timestamps | Legal record-keeping (EU requirement) |
| Chat history | Messages sent and received | Providing the conversation service |
| Payment records | Purchase amount, credit package, transaction ID (via Stripe) | Billing and fraud prevention |
| Usage data | Credit balance, photos unlocked, language preference | Service delivery and personalisation |
| Cookies | Session cookie, language preference, cookie consent record | Authentication and user preference |
| Push subscriptions | Browser push endpoint and keys | Sending re-engagement notifications (only if you opt in) |

We do not collect real names, phone numbers, physical addresses, or government ID (beyond date of birth for age verification).

3. Legal Bases for Processing (GDPR Art. 6)

  • Contract performance — processing your email and payment data to provide the service you signed up for.
  • Legal obligation — retaining age verification and payment records as required by EU law.
  • Legitimate interests — fraud prevention, platform security, and service improvement.
  • Consent — push notifications (you can withdraw at any time in your browser settings).

4. Data Retention

  • Chat history: Retained for 12 months from the date of each message, then automatically and permanently deleted.
  • Age verification & consent records: Retained for the lifetime of your account plus 3 years — required as legal proof of consent.
  • Payment records: Retained for 7 years from the date of transaction, as required by EU accounting and tax law. These records are anonymised upon account deletion.
  • Cookie consent logs: Retained for 3 years.
  • All other data: Deleted within 30 days of account deletion.

5. Data Sharing

We never sell your personal data. We share data only with:

  • Supabase — our database provider (EU region). Data is stored on servers located in the European Union.
  • Stripe — payment processing. Stripe is GDPR-compliant and certified PCI DSS Level 1.
  • OpenRouter / AI model providers — your chat messages are sent to an AI model to generate responses. Messages are processed and not stored by the model provider beyond the duration of the API call.
  • Law enforcement — only when required by a valid legal order.

6. Data Storage and Security

All data is stored on EU-region Supabase servers. Data in transit is encrypted using TLS 1.3. Passwords are hashed using bcrypt and never stored in plaintext. Access to production data is restricted to authorised personnel only.

7. Your Rights Under GDPR

As an EU resident you have the following rights, exercisable by contacting privacy@loneli.app:

  • Right of access — request a copy of all personal data we hold about you.
  • Right to rectification — request correction of inaccurate data.
  • Right to erasure (“right to be forgotten”) — request deletion of your data (subject to legal retention requirements).
  • Right to data portability — receive your data in a machine-readable format.
  • Right to restriction — request that we restrict processing of your data.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — withdraw consent for push notifications at any time.

We will respond to all requests within 30 days. You also have the right to lodge a complaint with your national data protection authority.

8. Account Deletion

You can delete your account at any time from your Account settings. Upon deletion we will:

  • Permanently delete all chat history, conversations, and profile data within 30 days.
  • Anonymise payment transaction records (we remove your identity but retain transaction amounts for accounting purposes).
  • Retain age verification and consent records for the legally required period.

9. Cookies

We use the following cookies:

  • sb-* (Supabase auth) — Strictly necessary. Stores your authentication session. Cannot be disabled without losing access to your account.
  • dc_lang — Strictly necessary. Stores your language preference.
  • dc_cookie_consent — Strictly necessary. Records your cookie consent choice.
  • Analytics cookies — Optional. Only set if you choose “Accept all” in the cookie banner. Used to understand how the service is used so we can improve it.

You can change your cookie preferences at any time by clearing your browser cookies and reloading the page.

10. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email at least 14 days before they take effect. Continued use of the service after changes take effect constitutes acceptance.

11. Contact and DPO

Data protection enquiries: privacy@loneli.app

Legal enquiries: legal@loneli.app

Loneli · May 20, 2026