Privacy Policy
- Status
- Pre-launch draft
- Effective
- Not yet in force
- Last updated
- 15 July 2026
- Applies to
- Website, account, marketplace, and desktop data
Operator: [Lorevik Pty Ltd (proposed), ACN [●], ABN [●]]
This pre-launch document requires review by a qualified Australian legal professional before commercial use.
1. Introduction
[Lorevik Pty Ltd (proposed), ACN [●], ABN [●]] (“Lorevik”, “we”, “us”, “our”) operates a local-first Living Surface platform and marketplace at lorevik.com (the “Platform”). This Privacy Policy explains how we collect, use, store, and protect personal information and cloud metadata. Where the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) apply to Lorevik, we handle personal information in accordance with those requirements. We also use the commitments in this policy as our public operating standard.
The English version of this Privacy Policy controls to the extent permitted by law. Any translation is provided for convenience only and does not limit any mandatory rights available under applicable law.
This policy is not a request for blanket consent. Where consent is required for an optional upload, connector, AI provider, sensitive information flow, or another feature, we ask for it separately at the relevant time and explain the information and purpose involved.
2. Information We Collect
2.1 Information You Provide
- Account information: Name and email address when you register
- Payment information: Billing details processed through Stripe (we do not store full credit card numbers on our servers)
- Creator information: Details provided during the creator application process, including profile, payout, public handle, and creator surface settings
- Living Surface and workflow metadata: Titles, descriptions, file names, timestamps, tool names, model names, provenance markers, consent state, and other metadata you choose to publish or sync
- Content: Content you upload, publish, or submit to the Platform. Raw local vault files are not uploaded by default.
2.2 Information Collected Automatically
- Product lifecycle events: Limited events such as signup completion, checkout start, and subscription start, together with timestamps and the associated account identifier
- Request and log data: Hosting and security providers may process IP address, request time, route, country signal, and server error information needed to deliver and protect the Platform
- Essential session and preference data: Authentication cookies and device-local settings described in Section 8
2.3 Local Vault and Raw Materials
Lorevik is designed around a local-first boundary. Raw workflow files, private notes, credentials, screenshots, source files, and other vault materials are not uploaded merely because you install or browse a Living Surface. Data may be processed or transmitted when you enable or initiate an upload, publication, export, connector, AI provider, agent, or another permissioned feature. A public page, manifest, or buyer-facing preview should use metadata and reviewed excerpts rather than exposing raw files by default.
3. How We Use Your Information
We use your personal information for the following purposes:
- Providing the service: Operating your account, creator dashboard, workspace, manifest, and public profile features
- Payment processing:Facilitating direct charges to Creator connected accounts and Lorevik's own subscriptions through Stripe
- Communication: Sending account-related notifications, updates, and support responses
- Improvement: Analysing limited product lifecycle events and aggregated metadata to improve features and performance
- Security: Detecting and preventing fraud, abuse, and security incidents
- Legal compliance: Meeting our obligations under applicable laws and regulations
4. Consent and Permissioned Features
Some Platform features act only after you make a specific choice. A permission screen or collection notice may identify the information involved, its destination, the purpose of the action, and what happens if you do not enable it. We do not treat agreement to this Privacy Policy as consent to every optional feature.
- Uploads and publication: You choose the files, bundle, metadata, or reviewed excerpts to submit
- Connectors and AI providers: You enable a provider or initiate a request before selected information is sent
- Sensitive information: Where consent is required, we seek a current and specific choice for the relevant purpose
- Withdrawal: You may withdraw an optional consent for future handling, subject to actions already completed and any lawful retention requirement
5. How We Share Your Information
We do not sell your personal information. We share information only with the following categories of third parties, solely for the purposes described. Raw local vault content is not shared merely because you install or browse a Living Surface. It may be transmitted when you enable or initiate an upload, publication, export, connector, AI provider, agent, or another permissioned feature.
| Third Party | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Name, email, payment details |
| Supabase | Database, authentication, and Storage | Account data, marketplace metadata, explicit workspace uploads, avatars, banners, and Living Surface bundles |
| Vercel | Hosting and content delivery | IP address, usage data |
| Google Workspace | Business email and account administration | Email address, message metadata, support correspondence |
| OpenRouter or another AI provider you select | AI requests you explicitly initiate | Prompt text, selected Living Surface instructions or context, and attachment file names included in that request |
| Google or GitHub OAuth | Optional account sign-in, if enabled | OAuth account identifier, email, and profile fields you approve |
| Resend | Waitlist email, only if the email integration is configured | Email address and email delivery metadata |
| Cloudflare | Only where Cloudflare-hosted legacy media or proxied traffic is enabled | IP address, request data, and requested media |
If you enable a connector or open a third-party site, the information you choose to send is also provided directly to that service under its own terms and privacy policy. Available connectors can include GitHub, Gmail, Google Calendar, Notion, Stripe, Supabase, Vercel, weather, and RSS sources; availability does not mean a connector is enabled for you.
We may also disclose information where required by law, regulation, or legal process.
6. Data Storage and Security
- Cloud data is stored on servers operated by our third-party service providers, primarily Supabase, Vercel, Stripe, and Google Workspace, plus any optional provider you deliberately enable
- We use technical and organisational measures designed to reduce the risk of unauthorised access, loss, misuse, alteration, or disclosure, taking account of the service and provider controls currently in use
- Data in transit is ordinarily protected by TLS where the relevant service supports it. Storage protection, including encryption at rest, depends on the provider and configuration in use
- Administrative access uses the account and provider access controls configured for the relevant system. Different providers and features may use different access models
- We reassess material data-handling controls when relevant systems, providers, or features change
Despite our efforts, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
If a data breach is an eligible data breach under the Notifiable Data Breaches scheme and that scheme applies to Lorevik, we will notify the Office of the Australian Information Commissioner and affected individuals as required by law.
7. Data Retention
We retain personal information while it is reasonably needed for the purposes described in this policy, including providing the Platform, maintaining transaction and audit records, preventing fraud, resolving disputes, and meeting legal obligations. When information is no longer needed for a permitted purpose, we take reasonable steps to delete or de-identify it where required by applicable law. Some information may remain for a limited period in backups or where tax, accounting, security, dispute, or other legal requirements require retention.
8. Cookies
We use cookies and device-local storage for:
- Essential cookies: Required for the Platform to function (authentication, security)
- Local preferences: Device-local storage used to remember settings, workspace state, and similar preferences
Lorevik does not currently install a third-party behavioural analytics cookie. You can manage cookies and local storage through your browser or app settings. Disabling essential session storage may affect Platform functionality.
9. Access, Correction, and Account Requests
You may contact us to:
- Request access to personal information we hold about you
- Request correction of information that is inaccurate, out of date, incomplete, irrelevant, or misleading
- Request closure of your account and deletion or de-identification of associated information, subject to lawful retention and technical limitations explained in Section 7
- Withdraw a consent for future optional handling where we rely on that consent
We may need to verify your identity before completing a request. A right available under a privacy law depends on whether that law applies to Lorevik and to the request. We will explain any lawful reason why a request cannot be completed in full.
10. International Data Transfers
Personal information may be processed in Australia, the United States, and countries in which a service provider used for the relevant feature operates. Where practicable, we identify likely overseas recipient countries in this policy or in the collection notice for the feature. We take reasonable steps required by applicable law before disclosing personal information to an overseas recipient.
Confirmed provider hosting regions and overseas recipient countries will be identified in the relevant feature notice or production data map before the affected commercial data flow is enabled.
11. Children's Privacy
The Platform is not intended for users under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy when our information handling or legal obligations change. We will publish the updated policy, update the “Last updated” date, and take reasonable steps to notify affected users of material changes. Where a new activity requires consent, we will request that consent separately rather than treating continued use as consent.
13. Complaints
If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us using the contact details below. We will acknowledge and handle the complaint in accordance with applicable law; response timing depends on the circumstances and any legally required timeframe. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
14. Contact Us
For privacy-related enquiries or to exercise your rights:
- Privacy contact: Privacy Officer
- Email: privacy@lorevik.com
- Telephone: [●]
- Postal address: [●]
- Business: [Lorevik Pty Ltd (proposed), ACN [●], ABN [●]]