Your data is yours.
We collect the minimum data needed to run Lulal AI. Your emails are never stored on our servers and are never used to train AI models.
No data selling
Your data is never sold to third parties
No email storage
Emails are processed in transit, not stored
Full transparency
You know exactly what gets sent to AI
Data Collection
What We Collect
Lulal AI collects only the minimum data required to provide its features. Here is a complete breakdown of every data type we handle:
| Data Type | Why | Where Processed |
|---|---|---|
| Name, username | Account creation & identity | Our Server |
| Email address | Login, notifications, auth | Our Server |
| Gmail / Outlook email content | AI summarization, replies, classification | AI Provider + Server |
| Preferences (language, tone, UI) | Personalized experience | Browser only |
| JWT & Refresh Token | Session management | Browser only |
| Token usage stats | Subscription quota tracking | Our Server |
| Custom templates & prompts | Personal automation | Our Server |
Gmail & Outlook permissions
The extension reads email content only when you actively trigger a feature (summarize, reply, chat). No background scanning occurs.
Data Usage
How We Use Your Data
Collected data is used exclusively for the following purposes — nothing else.
- Service delivery — running AI summarization, reply generation, classification, and chat features.
- Authentication — keeping your account secure and managing sessions.
- Subscription management — tracking token quota, enforcing plan limits.
- Personalization — saving your preferred language, tone, and interface settings.
- Product improvement — anonymous, aggregate usage stats. Email content is never used here.
- Support — diagnosing technical issues and responding to requests.
AI Integrations
AI & Third-Party Services
Lulal AI integrates with the following external services. Email content is sent to an AI provider only when you trigger a feature, and only for that single request.
OpenAI
Default AI provider — GPT-4.1 Mini
Google Gemini
Optional AI provider
Azure OpenAI
Optional for enterprise accounts
Google / Microsoft OAuth
Social login only
AI training policy
Your email content is never used to train AI models. Per OpenAI and Google API terms, data sent via API is not retained for training purposes.
Third-party services are subject to their own privacy policies. You can change your AI provider in account settings.
Local Storage
Chrome Storage & Local Data
The following data is stored exclusively in your browser via chrome.storage.local and is never sent to third parties.
| Key | Content | Cleared When |
|---|---|---|
| jwt_token | Short-lived authentication JWT | On sign out |
| refresh_token | Token renewal key | On sign out |
| user_email | Signed-in user email | On sign out |
| auth_provider | 'classic' | 'google' | 'microsoft' | On sign out |
| pref_tone | Preferred reply tone | On extension removal |
| pref_lang | Preferred language | On extension removal |
| sidebar_width, toggle_btn_top | UI layout preferences | On extension removal |
Local storage guarantee
These values are scoped to the Lulal AI extension by the Chrome permission model. No other extension or website can access them.
Protection Measures
Security
We apply industry-standard security measures to protect your data at every layer.
- HTTPS / TLS — all server communication is encrypted in transit.
- JWT + Refresh Tokens — short-lived access tokens with automatic renewal keep sessions secure.
- XSS protection — user content is sanitized via escapeHtml() before rendering.
- Manifest V3 — Chrome's latest extension security standard, minimum required permissions only.
- PostgreSQL on Azure — backend data stored in encrypted databases on Azure infrastructure.
Found a security issue? Please report it to contact@lulal.ai
Data Lifecycle
Retention & Deletion
| Data Type | Retention Period |
|---|---|
| Email content (AI processing) | Never stored on our servers — processed in transit and discarded |
| Account info (name, email) | While account is active; deleted within 30 days of account deletion request |
| Token usage logs | Last 12 months (billing & quota management) |
| Custom templates & prompts | Until you delete them, or account closure |
| Chrome Storage data | Auto-deleted on sign out or extension removal |
Account deletion
To delete your account and all associated data, email us with subject contact@lulal.aiAccount Deletion Request". Requests are processed within 30 days.
GDPR / KVKK
Your Rights
Under the General Data Protection Regulation (GDPR) and applicable privacy laws, you have the following rights:
Right to Access
Request a copy of the personal data we hold about you.
Right to Rectification
Ask us to correct inaccurate or incomplete data.
Right to Erasure
Request deletion of your personal data ("right to be forgotten").
Right to Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to specific data processing activities.
Right to Complain
Lodge a complaint with your relevant data protection authority.
To exercise any of these rights, contact us at contact@lulal.ai. We respond within 30 days.
Child Protection
Children's Privacy
Lulal AI is not directed at individuals under the age of 18. We do not knowingly collect personal data from children.
If we become aware that we have collected data from a minor, we will delete it immediately. Please contact us if you have concerns.
Updates
Policy Changes
This privacy policy may be updated from time to time. When we make significant changes:
- You may be notified by email to your registered address.
- The "Last updated" date at the top of this page will be revised.
- Continued use of the service after an update constitutes acceptance of the revised policy.
Get in Touch
Contact
Privacy questions?
For anything related to your personal data, rights, or this policy — reach out and we'll respond within 30 days.