Privacy Policy

Status
Pre-launch draft
Effective
Not yet in force
Last updated
15 July 2026
Applies to
Website, account, marketplace, and desktop data

Operator: [Lorevik Pty Ltd (proposed), ACN [●], ABN [●]]

This pre-launch document requires review by a qualified Australian legal professional before commercial use.

1. Introduction

[Lorevik Pty Ltd (proposed), ACN [●], ABN [●]] (“Lorevik”, “we”, “us”, “our”) operates a local-first Living Surface platform and marketplace at lorevik.com (the “Platform”). This Privacy Policy explains how we collect, use, store, and protect personal information and cloud metadata. Where the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) apply to Lorevik, we handle personal information in accordance with those requirements. We also use the commitments in this policy as our public operating standard.

The English version of this Privacy Policy controls to the extent permitted by law. Any translation is provided for convenience only and does not limit any mandatory rights available under applicable law.

This policy is not a request for blanket consent. Where consent is required for an optional upload, connector, AI provider, sensitive information flow, or another feature, we ask for it separately at the relevant time and explain the information and purpose involved.

2. Information We Collect

2.1 Information You Provide

  • Account information: Name and email address when you register
  • Payment information: Billing details processed through Stripe (we do not store full credit card numbers on our servers)
  • Creator information: Details provided during the creator application process, including profile, payout, public handle, and creator surface settings
  • Living Surface and workflow metadata: Titles, descriptions, file names, timestamps, tool names, model names, provenance markers, consent state, and other metadata you choose to publish or sync
  • Content: Content you upload, publish, or submit to the Platform. Raw local vault files are not uploaded by default.

2.2 Information Collected Automatically

  • Product lifecycle events: Limited events such as signup completion, checkout start, and subscription start, together with timestamps and the associated account identifier
  • Request and log data: Hosting and security providers may process IP address, request time, route, country signal, and server error information needed to deliver and protect the Platform
  • Essential session and preference data: Authentication cookies and device-local settings described in Section 8

2.3 Local Vault and Raw Materials

Lorevik is designed around a local-first boundary. Raw workflow files, private notes, credentials, screenshots, source files, and other vault materials are not uploaded merely because you install or browse a Living Surface. Data may be processed or transmitted when you enable or initiate an upload, publication, export, connector, AI provider, agent, or another permissioned feature. A public page, manifest, or buyer-facing preview should use metadata and reviewed excerpts rather than exposing raw files by default.

3. How We Use Your Information

We use your personal information for the following purposes:

  • Providing the service: Operating your account, creator dashboard, workspace, manifest, and public profile features
  • Payment processing:Facilitating direct charges to Creator connected accounts and Lorevik's own subscriptions through Stripe
  • Communication: Sending account-related notifications, updates, and support responses
  • Improvement: Analysing limited product lifecycle events and aggregated metadata to improve features and performance
  • Security: Detecting and preventing fraud, abuse, and security incidents
  • Legal compliance: Meeting our obligations under applicable laws and regulations

Some Platform features act only after you make a specific choice. A permission screen or collection notice may identify the information involved, its destination, the purpose of the action, and what happens if you do not enable it. We do not treat agreement to this Privacy Policy as consent to every optional feature.

  • Uploads and publication: You choose the files, bundle, metadata, or reviewed excerpts to submit
  • Connectors and AI providers: You enable a provider or initiate a request before selected information is sent
  • Sensitive information: Where consent is required, we seek a current and specific choice for the relevant purpose
  • Withdrawal: You may withdraw an optional consent for future handling, subject to actions already completed and any lawful retention requirement

5. How We Share Your Information

We do not sell your personal information. We share information only with the following categories of third parties, solely for the purposes described. Raw local vault content is not shared merely because you install or browse a Living Surface. It may be transmitted when you enable or initiate an upload, publication, export, connector, AI provider, agent, or another permissioned feature.

Third PartyPurposeData Shared
StripePayment processingName, email, payment details
SupabaseDatabase, authentication, and StorageAccount data, marketplace metadata, explicit workspace uploads, avatars, banners, and Living Surface bundles
VercelHosting and content deliveryIP address, usage data
Google WorkspaceBusiness email and account administrationEmail address, message metadata, support correspondence
OpenRouter or another AI provider you selectAI requests you explicitly initiatePrompt text, selected Living Surface instructions or context, and attachment file names included in that request
Google or GitHub OAuthOptional account sign-in, if enabledOAuth account identifier, email, and profile fields you approve
ResendWaitlist email, only if the email integration is configuredEmail address and email delivery metadata
CloudflareOnly where Cloudflare-hosted legacy media or proxied traffic is enabledIP address, request data, and requested media

If you enable a connector or open a third-party site, the information you choose to send is also provided directly to that service under its own terms and privacy policy. Available connectors can include GitHub, Gmail, Google Calendar, Notion, Stripe, Supabase, Vercel, weather, and RSS sources; availability does not mean a connector is enabled for you.

We may also disclose information where required by law, regulation, or legal process.

6. Data Storage and Security

  • Cloud data is stored on servers operated by our third-party service providers, primarily Supabase, Vercel, Stripe, and Google Workspace, plus any optional provider you deliberately enable
  • We use technical and organisational measures designed to reduce the risk of unauthorised access, loss, misuse, alteration, or disclosure, taking account of the service and provider controls currently in use
  • Data in transit is ordinarily protected by TLS where the relevant service supports it. Storage protection, including encryption at rest, depends on the provider and configuration in use
  • Administrative access uses the account and provider access controls configured for the relevant system. Different providers and features may use different access models
  • We reassess material data-handling controls when relevant systems, providers, or features change

Despite our efforts, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

If a data breach is an eligible data breach under the Notifiable Data Breaches scheme and that scheme applies to Lorevik, we will notify the Office of the Australian Information Commissioner and affected individuals as required by law.

7. Data Retention

We retain personal information while it is reasonably needed for the purposes described in this policy, including providing the Platform, maintaining transaction and audit records, preventing fraud, resolving disputes, and meeting legal obligations. When information is no longer needed for a permitted purpose, we take reasonable steps to delete or de-identify it where required by applicable law. Some information may remain for a limited period in backups or where tax, accounting, security, dispute, or other legal requirements require retention.

8. Cookies

We use cookies and device-local storage for:

  • Essential cookies: Required for the Platform to function (authentication, security)
  • Local preferences: Device-local storage used to remember settings, workspace state, and similar preferences

Lorevik does not currently install a third-party behavioural analytics cookie. You can manage cookies and local storage through your browser or app settings. Disabling essential session storage may affect Platform functionality.

9. Access, Correction, and Account Requests

You may contact us to:

  • Request access to personal information we hold about you
  • Request correction of information that is inaccurate, out of date, incomplete, irrelevant, or misleading
  • Request closure of your account and deletion or de-identification of associated information, subject to lawful retention and technical limitations explained in Section 7
  • Withdraw a consent for future optional handling where we rely on that consent

We may need to verify your identity before completing a request. A right available under a privacy law depends on whether that law applies to Lorevik and to the request. We will explain any lawful reason why a request cannot be completed in full.

10. International Data Transfers

Personal information may be processed in Australia, the United States, and countries in which a service provider used for the relevant feature operates. Where practicable, we identify likely overseas recipient countries in this policy or in the collection notice for the feature. We take reasonable steps required by applicable law before disclosing personal information to an overseas recipient.

Confirmed provider hosting regions and overseas recipient countries will be identified in the relevant feature notice or production data map before the affected commercial data flow is enabled.

11. Children's Privacy

The Platform is not intended for users under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy when our information handling or legal obligations change. We will publish the updated policy, update the “Last updated” date, and take reasonable steps to notify affected users of material changes. Where a new activity requires consent, we will request that consent separately rather than treating continued use as consent.

13. Complaints

If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us using the contact details below. We will acknowledge and handle the complaint in accordance with applicable law; response timing depends on the circumstances and any legally required timeframe. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

14. Contact Us

For privacy-related enquiries or to exercise your rights:

  • Privacy contact: Privacy Officer
  • Email: privacy@lorevik.com
  • Telephone: [●]
  • Postal address: [●]
  • Business: [Lorevik Pty Ltd (proposed), ACN [●], ABN [●]]