Privacy Policy — laminai

1

Information We Collect

laminai collects the minimum data necessary to operate the service. Here is exactly what we collect and why:

Account data (stored in our database):

Email address — used to identify your account and for essential communications.
Display name — optional, used to personalise your experience.
Password hash — a one-way hash of your password (the plaintext is never stored).
Google OAuth ID & avatar URL — only if you sign in with Google.
Plan & credit balance — to enforce usage limits.

Usage data (stored in our database):

Credit logs — operation type, credits used, AI model, timestamp. No content is stored.
Payment records — gateway order/payment IDs, amount, currency, plan, status. Card numbers are never stored (handled by Razorpay / Stripe).

Processed content (temporary, never persisted):

YouTube audio, uploaded audio/video files, and documents are processed in memory and on-disk temporarily. They are overwritten or deleted as soon as processing completes.
Transcripts, summaries, and chat messages are sent to our AI provider (see Section 4) and are held in server memory only for the duration of your session.

We do not sell, rent, or share your personal data with any third party for marketing purposes.

2

How We Use Your Information

We use your data exclusively to:

Authenticate you and maintain your session.
Enforce plan limits and deduct credits for each AI operation.
Process payments and manage subscriptions.
Send transactional emails (account creation confirmation, password reset). We do not send marketing emails without explicit opt-in.
Detect and prevent abuse (e.g. credential stuffing, billing fraud).

We do not use your data for advertising, profiling, or model training.

3

Data Retention & Log Periods

We follow the principle of minimum retention — data is kept only as long as legally or operationally required.

Data type	Retention period	Reason
Uploaded files (audio, video, documents)	Immediate Overwritten on next upload or deleted after processing	Temporary processing only
Session data (in-memory transcript, chat)	Immediate Cleared on logout or server restart	Held in RAM only
Session cookies	30 days Expires or on logout	Flask-Login remember-me
Credit logs	90 days Then auto-purged	Abuse detection & billing disputes
Payment records	7 years Legally required	Financial & tax compliance
Account data (email, name, plan)	Until deleted Deleted immediately on account deletion request	Service delivery
AI provider request logs	Up to 30 days Per provider policy	Abuse monitoring (Groq policy)

Note: Payment record retention for 7 years is required by financial regulations in most jurisdictions. These records are anonymised — they contain order IDs and amounts, not personal content.

4

Third-Party Services

laminai integrates with the following third-party services. Each is bound by their own privacy policy:

Groq (AI Inference) — transcription, analysis, chat, and quiz generation. Groq does not train its models on your data. Requests may be logged for abuse monitoring for up to 30 days. Zero Data Retention (ZDR) is available on enterprise plans.
Razorpay & Stripe (Payments) — payment processing. Card details are handled exclusively by these PCI-DSS compliant providers. We never see or store your card number.
Google OAuth (optional) — if you choose to sign in with Google, we receive your name, email, and profile picture from Google's API.
Google Fonts — the Inter typeface is loaded from Google's CDN. Subject to Google's standard font service privacy policy.
ipapi.co — a single anonymous request to detect your country for currency selection on the pricing page. No personal data is sent or stored.

We use no advertising networks, no analytics trackers, and no social media pixels.

5

Cookies & Local Storage

We use two types of browser storage:

Session cookie (essential)

Name: session (Flask secure cookie)
Purpose: authenticates your logged-in session.
Duration: 30 days with "Remember me", or until you log out.
This cookie is strictly necessary for the service to function. It cannot be opted out of while using the app.

Browser localStorage (functional)

Stores: theme preference (dark/light), currency preference, cookie consent flag.
Never sent to our servers.
You can clear it at any time via Settings → Clear Site Data in your browser, or via the History view inside the app.

We use no tracking cookies, no advertising cookies, and no third-party analytics cookies.

Cookie banner: We display a one-time consent notice on your first visit. Clicking "Accept" stores your preference in localStorage. The only cookie set is the essential session cookie described above.

6

GDPR — Your Rights (EU/EEA Users)

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

Right of access (Art. 15) — you can request a copy of all personal data we hold about you. Email us at support@laminaidigital.com.
Right to rectification (Art. 16) — update your name or email at any time in your Profile settings inside the app.
Right to erasure / right to be forgotten (Art. 17) — you can permanently delete your account and all associated data by going to Profile → Danger Zone → Delete Account inside the app, or by sending a deletion request to our privacy email. Account deletion is processed immediately. Payment records are retained for 7 years as required by financial law.
Right to data portability (Art. 20) — email us to receive your account data in a machine-readable format (JSON).
Right to object (Art. 21) — we do not process your data for direct marketing or profiling. There is nothing to object to beyond service-essential processing.
Right to withdraw consent (Art. 7) — you may close your account at any time. This is your withdrawal of consent.

We will respond to all verified requests within 30 days as required by GDPR Article 12.

Lawful basis for processing: We process your personal data under the following lawful bases: Contract performance (Art. 6(1)(b)) — to provide the service you signed up for; Legal obligation (Art. 6(1)(c)) — to retain financial records; Legitimate interests (Art. 6(1)(f)) — to detect and prevent fraud and abuse.

7

HIPAA Notice

laminai is not a HIPAA-covered platform and does not offer HIPAA compliance.

laminai is a general-purpose AI content analysis tool designed for educational, research, and professional productivity use cases. It is not intended for use with Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA).

Do not upload medical records, patient data, clinical notes, or any other health-related personally identifiable information to laminai.

HIPAA compliance requires Business Associate Agreements (BAAs) with every data processor in the chain — including our AI provider (Groq) and cloud infrastructure. We do not hold BAAs with these vendors and therefore cannot guarantee HIPAA-compliant handling of health data.

If you work in healthcare and need to analyse medical content, please use a HIPAA-compliant platform with appropriate BAAs in place.

8

Children's Privacy

laminai is not directed at children under the age of 13 (or 16 in the EU under GDPR). We do not knowingly collect personal data from children. If you believe a child has created an account, please contact us at support@laminaidigital.com and we will delete the account immediately.

9

Security

We take reasonable technical and organisational measures to protect your data:

Passwords are stored as bcrypt hashes — never in plaintext.
All API communication uses HTTPS/TLS in production.
Session tokens are cryptographically signed (Flask SECRET_KEY).
Payment processing is fully delegated to PCI-DSS certified providers (Razorpay, Stripe).

No system is 100% secure. If you discover a vulnerability, please report it responsibly to support@laminaidigital.com.

10

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we'll update the "Last updated" date at the top of this page. For significant changes, we'll add a notice on the main landing page. Continued use of laminai after changes constitutes acceptance of the updated policy.

11

Contact & Data Controller

laminai is the data controller for personal data processed through this service. If you have any questions about this Privacy Policy, wish to exercise your rights, or need to report a concern:

📧 support@laminaidigital.com

We aim to respond to all privacy-related requests within 5 business days and no later than 30 days as required by GDPR.