Privacy Policy

    Effective January 28, 2026 · Last updated March 23, 2026

    This Privacy Policy describes how Lilac Research Inc. ("Lilac," "we," "us," or "our") handles personal information collected through our website and services.

    Lilac Research Inc. is a Delaware C Corporation headquartered in California.

    Personal information we collect

    Information you provide

    • Contact data: Name, email, phone number, professional title, and organizational affiliation.
    • Account data: Username, password, and profile information.
    • Billing data: Payment information processed by Stripe. We do not store full credit card numbers.
    • Content: Deployment configurations, prompts, feedback, and other information you submit to the Service.
    • Communications: Messages you send us through email, support, or social media.

    Third-party sources

    • Identity providers: If you sign in with Google, we receive your username, email, and profile picture.
    • Public sources: Publicly available information from social media or government records.

    Automatic collection

    • Device data: IP address, browser type, operating system, and device identifiers.
    • Usage data: Pages visited, time spent, clicks, and navigation paths.
    • Cookies: We use cookies and similar technologies for functionality and analytics (via PostHog).

    How we use your information

    Service delivery

    • Provide, operate, and improve the Service
    • Process payments and transactions
    • Facilitate organization invitations
    • Send announcements, updates, and security alerts
    • Respond to support requests

    Research & development

    We analyze usage patterns to improve our Service. We may create anonymous, aggregated data that cannot identify you.

    Marketing

    We may send marketing communications. You can opt out at any time.

    Compliance & protection

    • Comply with legal obligations
    • Protect rights, privacy, and safety
    • Prevent fraud and abuse
    • Enforce our terms of service

    How we share your information

    • Service providers: See our subprocessor list below for the complete list of third parties that process data on our behalf.
    • Identity providers: If you link your account to Google, we share data as needed to maintain that connection.
    • Organization members: Your profile may be visible to other members of your organization.
    • Legal requirements: Law enforcement or government authorities when required by law.
    • Business transfers: In connection with a merger, acquisition, or sale of assets.
    • Professional advisors: Lawyers, auditors, and insurers as needed.

    Subprocessors

    The following third-party service providers process personal data on our behalf:

    Provider
    Purpose
    AWS
    Cloud infrastructure and hosting
    Stripe
    Payment processing
    PostHog
    Product analytics
    GitHub
    Code repository and CI/CD
    Vanta
    Compliance automation

    Your choices

    • Access & update: Log into your account to review and update your information.
    • Marketing opt-out: Unsubscribe from marketing emails using the link at the bottom of any email.
    • Linked accounts: Manage connected services (Google) through your account settings.

    Other sites and services

    Our Service may link to third-party websites. We are not responsible for their privacy practices.

    Security

    We use technical, organizational, and physical safeguards to protect your information. However, no system is completely secure.

    Data retention

    We retain your information according to the following schedule:

    • User account information: Duration of service plus 30 days after account closure.
    • Transaction logs: 7 years, as required for financial compliance.
    • API logs: 90 days.
    • Deleted user data: 30 days soft-delete period, after which data is permanently removed.

    We may retain certain information longer as required by law or for legitimate business purposes.

    International data transfer

    We are headquartered in the United States. Your information may be transferred to and processed in the US or other countries.

    Children

    The Service is not intended for anyone under 18. If you believe we have collected information from a child, please contact us.

    Changes to this policy

    We may update this policy from time to time. We'll notify you of material changes by updating the effective date at the top.

    Contact us

    Questions? Reach out at privacy@getlilac.com

    Lilac Research Inc.
    California, USA

    European data subject rights (GDPR)

    If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

    • Right of access: Request a copy of the personal data we hold about you.
    • Right to rectification: Request correction of inaccurate or incomplete personal data.
    • Right to erasure: Request deletion of your personal data, subject to legal retention requirements.
    • Right to restrict processing: Request that we limit how we use your data in certain circumstances.
    • Right to data portability: Request your data in a structured, machine-readable format.
    • Right to object: Object to processing of your personal data for direct marketing or based on legitimate interests.

    To exercise any of these rights, email privacy@getlilac.com. We will respond to your request within 30 days.

    California privacy rights

    We do not sell your personal information. California residents have additional rights under the California Consumer Privacy Act (CCPA):

    • Right to know: Request information about data we've collected in the past 12 months.
    • Right to access: Request a copy of your personal information.
    • Right to delete: Request deletion of your personal information.
    • Non-discrimination: Exercise these rights without discriminatory treatment.

    To exercise these rights, email privacy@getlilac.com. We'll verify your identity and respond within 30 days.