Lua Labs

Privacy Policy

Last updated: June 14, 2026

1. Introduction

This Policy describes how Lua Care collects, uses, stores, and protects your personal data when you use Lua Labs at lua.care/labs. The Lua Labs subscriber is managed independently of the Lua Care mobile app account.

2. Information we collect

  • Email address: you provide it to receive the access code (OTP) and to associate your subscription.
  • Access code (OTP): we store only a hash of the code, never the code in clear text; it expires within minutes.
  • Technical and usage data: IP address, user agent (browser/device), dates and times of verification and use, number of verifications, and registration source (report or chat).
  • Subscription data: plan purchased, subscription status, current period, and Stripe identifiers (customer, subscription, and price). We do not store your card data; Stripe processes it.
  • AI assistant usage metadata: for each query we log the model and provider used, number of messages, tokens consumed, language, IP, and user agent, associated with your email. We do not store the text of your conversations; it stays in your browser and is transmitted to the AI provider only to generate the answer.

3. How we use your information

We use your data to: grant access via OTP and maintain your session; operate and bill your subscription; enforce usage quotas and prevent abuse (rate limiting); answer your chat queries; and, if you opt in, send you notices of new reports.

We never sell or rent your personal data, nor use it for advertising or to train third-party AI models.

4. Artificial-intelligence processing

When you use the chat, your question and the relevant corpus excerpts are sent to our AI provider (currently Anthropic via Amazon Web Services, in the United States) to generate the answer. The text is not stored by Lua Labs after the answer, but it is transmitted to the provider, which processes it under its own data-protection commitments and does not use it to train its models. For this reason, we ask you not to enter sensitive personal data in the chat. Answers are based on peer-reviewed literature and are educational in nature.

5. Payments

Payments are processed through Stripe, which collects and safeguards your payment-method data under its own privacy policy. Lua Care only receives from Stripe the identifiers and subscription status necessary to operate the service.

6. Data sharing and subprocessors

We do not sell your data. We share it only with providers that enable us to operate the service, under confidentiality and data-protection agreements:

  • Resend — sending the access code (OTP) and notices — processes your email address.
  • Stripe — payment and subscription processing — processes your email, payment data, and subscription identifiers.
  • Anthropic / Amazon Web Services (Bedrock) — chat AI model — processes the query text and corpus excerpts.
  • Supabase — database and storage — processes your email, technical data, subscription, and usage metadata.
  • Vercel — web hosting and infrastructure — processes technical connection data.

We may also disclose data if required by law, a court order, or valid legal process, or to protect the rights, property, or safety of Lua Care, its users, or others.

7. Email communications

The access code (OTP) is a transactional email required to use the service. If in the future we send newsletters with new reports, we will do so with your consent and every email will include a one-click unsubscribe option.

8. Storage and security

We protect your data with encryption in transit (TLS), hash-only storage of the OTP, row-level security policies in the database, rate limiting, and security headers. The session is maintained via a signed cookie (labs_session, httpOnly).

9. Data retention

We retain your email and subscription data while you are a Lua Labs subscriber. OTP codes are deleted upon expiry. You may request deletion of your Lua Labs data by writing to soporte@lua.care; we will proceed within a maximum of 30 days, unless a legal obligation requires retention (e.g., tax records of payments).

10. Your rights

You have the rights of access, rectification, cancellation/deletion, objection, and portability, and the right to withdraw your consent. To exercise them, write to soporte@lua.care; we will respond within a maximum of 15 business days.

11. Adults only

Lua Labs is exclusively for people over 18 years old. We do not intentionally collect data from minors; if we detect a minor’s data, we will delete it.

12. Cookies and similar technologies

We use a session cookie (labs_session) to maintain your access, and browser local storage for preferences (e.g., remembering you already saw a prompt). We do not use advertising tracking cookies.

13. International transfers

To operate the service, your data may be processed on servers outside your country of residence (e.g., the United States, where our AI, payment, and infrastructure providers operate). We apply appropriate protection measures under applicable law.

14. Changes to this policy

We may update this Policy. The "last updated" date indicates the latest revision; we will notify you of significant changes through the service or by email.

15. Legal framework

This Policy follows the principles of Mexico’s Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) and adheres to international best practices, including the principles of the GDPR (EU) and the CCPA (California). Data controller: Lua Care — soporte@lua.care.

16. Contact

soporte@lua.care