Privacy Policy

Last updated: December 22, 2025

Our Privacy Promise: Your privacy is foundational to our business. We collect only what's necessary to provide our service, we never sell your data, and we never use your conversations to train AI models. Your data is encrypted, protected, and belongs to you.

1. Who We Are

LazySusan is operated by RGCO Services LLC ("RGCO Services," "we," "our," or "us"), a company committed to providing secure, privacy-respecting access to artificial intelligence tools. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the LazySusan platform, website, and related services (collectively, the "Service").

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address (required for account creation and communication)
  • Name (optional, used for personalization)
  • Password (stored securely using industry-standard bcrypt hashing—we cannot see your password)
  • Profile information you choose to provide
  • Account preferences and settings

2.2 Usage Information

When you use our Service, we automatically collect:

  • Token usage and consumption patterns (for billing and service optimization)
  • Features and AI models you access (to improve service quality)
  • Timestamps of your interactions (for session management)
  • Device type, browser type, and operating system (for compatibility)
  • IP address and general geographic location (for security and fraud prevention)
  • Referring website and pages visited (for service improvement)

2.3 Conversation Data

Your conversations with AI models are the core of our service. We want to be completely transparent about how we handle them:

  • Processing: Your prompts are transmitted through our secure servers to AI providers to generate responses
  • Storage: Conversations are stored encrypted (AES-256) so you can access your history
  • No Training: We have explicit agreements with all AI providers that your data is never used for model training
  • No Mining: We never read, analyze, or mine your conversations for any purpose
  • No Selling: Your conversations are never sold or shared with third parties for marketing
  • Your Control: You can delete your conversations at any time, and they will be permanently removed

2.4 Payment Information

Payment processing is handled entirely by Stripe, a PCI DSS Level 1 certified payment processor (the highest level of payment security certification). We never receive or store your full credit card number. We only receive:

  • Last four digits of your payment card
  • Card type (Visa, Mastercard, etc.) and expiration date
  • Billing address (for fraud prevention)
  • Transaction history and subscription status

2.5 Communications

When you contact us or respond to our communications, we collect:

  • Email correspondence and support tickets
  • Feedback and survey responses
  • Any information you voluntarily provide

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Provision

  • Provide, maintain, and improve our Service
  • Process your requests to AI models and return responses
  • Manage your account and subscription
  • Enable features like conversation history and sharing

3.2 Billing and Transactions

  • Process payments and manage subscriptions
  • Track token usage for billing purposes
  • Send transaction confirmations and invoices
  • Handle refunds and billing inquiries

3.3 Communication

  • Send essential service notifications (password resets, security alerts)
  • Respond to your inquiries and support requests
  • Send product updates and announcements (you can opt out)
  • Notify you of changes to our terms or policies

3.4 Security and Fraud Prevention

  • Detect and prevent fraudulent or unauthorized activity
  • Monitor for security threats and vulnerabilities
  • Enforce our Terms of Service
  • Protect the rights and safety of our users

3.5 Service Improvement

  • Analyze usage patterns to improve features (in aggregate, not individually)
  • Fix bugs and technical issues
  • Develop new features based on user needs
  • Optimize performance and reliability

4. Information Sharing and Disclosure

We do not sell, trade, or rent your personal information. We may share information only in the following limited circumstances:

4.1 AI Model Providers

To provide AI responses, we transmit your prompts to AI providers (such as OpenAI, Anthropic, Google, and others). These providers:

  • Process your prompts solely to generate responses
  • Are contractually prohibited from using your data for training
  • Have enterprise-grade security and privacy practices
  • Cannot identify you personally through our API integration

4.2 Service Providers

We work with trusted third-party service providers who assist in operating our Service:

  • Stripe: Payment processing (PCI DSS Level 1 certified)
  • Cloud Infrastructure: Secure data hosting and storage
  • Email Services: Transactional and notification emails
  • Analytics: Aggregated usage analysis (no personal data)

All service providers are bound by data protection agreements and can only use your data to perform services on our behalf.

4.3 Team and Shared Features

If you use team features or explicitly share content:

  • Team administrators may see aggregated usage statistics
  • Shared conversations are visible to users you designate
  • You control what is shared and can revoke access

4.4 Legal Requirements

We may disclose your information if required by law or if we believe in good faith that such action is necessary to:

  • Comply with a valid legal process (subpoena, court order)
  • Protect the safety of any person
  • Prevent fraud or abuse of our Service
  • Protect our legal rights

We will notify you of legal demands for your data unless prohibited by law, and we will challenge requests we believe are overly broad or unlawful.

4.5 Business Transfers

If RGCO Services is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information becomes subject to a different privacy policy.

5. Data Security

We implement comprehensive security measures to protect your information:

5.1 Encryption

  • In Transit: All data is encrypted using 256-bit TLS/SSL
  • At Rest: Sensitive data is encrypted using AES-256
  • Passwords: Hashed using bcrypt with strong salting

5.2 Infrastructure Security

  • Hosted on enterprise-grade cloud infrastructure
  • Regular security audits and vulnerability assessments
  • Intrusion detection and prevention systems
  • DDoS protection and mitigation
  • Redundant backups with encryption

5.3 Access Controls

  • Strict role-based access controls for employees
  • Multi-factor authentication for administrative access
  • Regular access reviews and audit logs
  • Principle of least privilege for all systems

5.4 Payment Security

  • Secure payment processing via Stripe
  • PCI DSS Level 1 compliant payment handling
  • No storage of full card numbers on our systems

6. Data Retention

We retain your information only as long as necessary:

  • Active Accounts: Data is retained while your account is active
  • Conversation History: Retained until you delete it or your account
  • Account Deletion: Personal data permanently deleted within 30 days
  • Backups: Removed according to our backup rotation schedule
  • Legal Requirements: Some data may be retained if required by law

You can request immediate deletion of your data by contacting our support team.

7. Your Rights and Choices

Depending on your location, you have the following rights regarding your personal data:

7.1 Access and Portability

  • Request access to all personal data we hold about you
  • Receive your data in a portable, machine-readable format
  • Export your conversation history

7.2 Correction and Deletion

  • Correct inaccurate or incomplete data
  • Delete your account and all associated data
  • Delete specific conversations at any time

7.3 Objection and Restriction

  • Object to certain processing of your data
  • Restrict processing in certain circumstances
  • Withdraw consent where processing is based on consent

7.4 Communication Preferences

  • Opt out of marketing communications
  • Manage notification preferences in your account settings
  • Essential service communications cannot be opted out of

To exercise any of these rights, contact us at privacy@lazysusan.ai. We will respond within 30 days.

8. Cookies and Tracking Technologies

We use minimal cookies and tracking technologies:

8.1 Essential Cookies

  • Authentication and session management
  • Security and fraud prevention
  • User preferences and settings

8.2 Analytics Cookies

  • Aggregate usage patterns (not individual tracking)
  • Performance monitoring
  • Error tracking and debugging

8.3 What We Don't Use

  • No advertising or targeting cookies
  • No third-party tracking pixels
  • No cross-site tracking
  • No sale of cookie data

You can control cookies through your browser settings. Note that disabling essential cookies may affect Service functionality.

9. International Data Transfers

RGCO Services is based in the United States. If you access our Service from outside the US, your information may be transferred to and processed in the US or other countries. We ensure appropriate safeguards for international transfers:

  • Standard Contractual Clauses approved by the European Commission
  • Data processing agreements with all service providers
  • Compliance with applicable data protection laws
  • Appropriate technical and organizational measures

10. Children's Privacy

Our Service is not directed to children under 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@lazysusan.ai, and we will delete it.

11. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request disclosure of personal information collected
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the sale of personal information
  • Right to Non-Discrimination: No penalty for exercising your rights

Important: We do not sell personal information. We have not sold personal information in the preceding 12 months, and we will not sell personal information in the future.

12. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):

12.1 Legal Basis for Processing

  • Contract: Processing necessary to provide our Service
  • Legitimate Interest: Processing for security, fraud prevention, and service improvement
  • Consent: Where you have given explicit consent
  • Legal Obligation: Processing required by law

12.2 Your GDPR Rights

  • Right of access to your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent
  • Right to lodge a complaint with a supervisory authority

13. Third-Party Links

Our Service may contain links to third-party websites or services not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of changes by:

  • Posting the new policy on this page
  • Updating the "Last updated" date
  • Sending email notification for material changes
  • Providing notice in our Service for significant updates

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes indicates acceptance of the updated policy.

15. Contact Us

If you have questions about this Privacy Policy, our privacy practices, or wish to exercise your privacy rights, please contact us:

For privacy complaints, you also have the right to lodge a complaint with your local data protection authority.

Effective Date: This Privacy Policy is effective as of December 22, 2025. Your continued use of the Service after any changes indicates your acceptance of the updated policy. Thank you for trusting LazySusan and RGCO Services with your AI needs.