Privacy Policy
Last updated: March 20, 2026
LunaRabbit ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our services, including LunaRabbit Office for Microsoft Office and Google Workspace, and any associated products (collectively, the "Services").
1. Information We Collect
Account Information
When you create an account, we collect:
- Email address
- Password (stored in hashed form; we never store plaintext passwords)
- Display name
Usage Data
We automatically collect:
- Feature usage statistics (which tools and functions you use)
- Performance metrics (response times, error rates)
- Device and browser information
- IP address (for rate limiting and security)
Document Data
When our Services become available, we will access your active document content to provide context for AI responses. Specifically:
- Google Sheets: The content of your active sheet (used range) will be sent to our servers for processing. Sheet names will also be sent for navigation context.
- Microsoft Excel: The content of your active worksheet (used range), sheet names, and cell formatting data will be sent to our servers for processing. This applies to both Excel desktop and Excel Online.
We plan to expand to additional platforms (Google Docs, Google Slides, Microsoft PowerPoint, Microsoft Word) in the future. When these platforms become available, similar data access policies will apply, and this Privacy Policy will be updated accordingly.
We do not access data from other files, closed documents, or documents you are not actively working with. During a conversation, the AI may read additional content from your active document as needed to complete your request.
Document content sent for AI processing is used to generate a response and is held in server memory only during your active session. No original conversation data is stored on disk or in any persistent database. Temporary processing caches are deleted within 24 hours.
Conversation History
Conversations are held in server memory only during your active session and are permanently deleted when the session ends. We do not store your original conversation content on our servers. There is no conversation history to restore — when your session ends, the conversation is gone.
Anonymized Data Collection
After each conversation turn, an anonymized, non-identifiable snapshot of the interaction is retained for service improvement purposes (including prompt optimization, caching strategies, and feature development). This anonymized data has all personal information permanently removed (names, emails, phone numbers, cell values, etc.) and cannot be traced back to any individual user. This is consistent with GDPR Recital 26, which states that data protection principles do not apply to anonymous information.
All plans are subject to the same anonymized data collection policy. You may contact us to request details about what anonymized data is retained.
2. How We Use Your Information
We use your information to:
- Provide and improve our AI services
- Process your AI queries and return results
- Manage your account and billing
- Monitor service health and prevent abuse
- Communicate important service updates
- Enforce our Terms of Service
3. Third-Party AI Services
To process your AI queries, we send relevant data to third-party AI model providers, including:
- OpenAI (GPT models)
- Anthropic (Claude models)
- Google (Gemini models)
- Serper (web search results)
- Perplexity (web search synthesis)
- Jina (web page content extraction)
- E2B (Python code execution sandbox)
- FRED / Finnhub (financial data APIs for market research features)
- Iconify (icon search for presentation and document features)
These providers process data according to their own privacy policies. We select the optimal model for each task automatically. We do not share your personal account information with these providers. None of these providers use your data to train their AI models — all API calls are made under their commercial API terms, which prohibit the use of customer data for model training.
4. International Data Transfers
Your data may be transferred to and processed in the United States and other countries where our AI service providers operate. We rely on your consent and, where applicable, standard contractual clauses or other lawful transfer mechanisms to ensure adequate protection of your data. These jurisdictions may have different data protection laws than your country of residence.
5. Data Security
We implement industry-standard security measures:
- All data is transmitted over HTTPS (TLS 1.2/1.3)
- JWT-based authentication with 24-hour token expiry
- Rate limiting to prevent abuse
- Regular security audits and vulnerability assessments
- Server access restricted to authorized personnel
6. Data Retention
- Account data: Retained until you delete your account.
- Conversation history: Active session only. Conversations are held in server memory during your session and permanently deleted when the session ends. No original conversations are stored on disk.
- Anonymized conversation data: Anonymized, non-identifiable interaction patterns are retained permanently for service improvement. This data cannot be traced to any individual user.
- AI processing cache: Temporary data (images, context) is deleted within 24 hours. Custom function result caches are retained for up to 30 days to improve performance.
- Usage analytics: Retained in aggregated, anonymized form.
- Billing records: Retained as required by applicable law.
7. Cookies and Local Storage
Our Services use browser local storage and session storage to maintain your authentication state and preferences. We do not use third-party tracking cookies. Essential storage is required for the Services to function and cannot be disabled.
For full details on what we store and how to manage it, see our Cookie Policy.
8. Your Rights
Depending on your location, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your account and associated data
- Export a machine-readable copy of your personal data (GDPR Art. 20 — Data Portability). You can download your data directly from the Settings menu in the add-in, or by contacting us.
- Opt out of non-essential data processing (available with future paid plans)
To exercise any of these rights, contact us at privacy@lunarabbit.ai. For data export, you can also use the self-service "Download My Data" option in the add-in's menu, which provides a JSON file containing your profile, transaction history, and usage records.
California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell your personal information.
Our Services do not respond to "Do Not Track" (DNT) browser signals because there is no industry-accepted standard for DNT. However, we do not engage in cross-site tracking.
European Economic Area (EEA) and UK Residents (GDPR)
If you are located in the EEA or UK, the following additional provisions apply:
- Legal Basis for Processing (Art. 6): We process your personal data based on: (a) your consent (account registration, optional data sharing); (b) performance of a contract (providing our Services under these Terms); and (c) our legitimate interests (service improvement, security, fraud prevention), balanced against your rights.
- Data Controller: LunaRabbit is the data controller for your personal data processed through our Services.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data is being processed unlawfully.
- Automated Decision-Making: Our AI features process your data to generate responses. This processing is necessary for the performance of our contract with you. You may request human review of any AI-generated output by contacting us.
- International Transfers: When your data is transferred outside the EEA/UK, we rely on standard contractual clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms, to ensure adequate protection.
9. Google API Services User Data Policy
LunaRabbit's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only access Google user data necessary to provide the Services (active spreadsheet content for AI processing).
- We do not use Google user data for serving advertisements.
- We do not allow humans to read Google user data unless we have your affirmative agreement, it is necessary for security purposes, or it is required by law.
- We do not transfer Google user data to third parties except as necessary to provide the Services (AI model providers under their commercial API terms, which prohibit the use of customer data for model training), with your consent, for security purposes, or as required by law.
10. Children's Privacy
Our Services are not intended for children under the age of 13 (or the minimum age required by applicable law in your jurisdiction). We do not knowingly collect personal information from children under 13. By creating an account, you represent that you meet the minimum age requirement in your jurisdiction. If we learn that we have collected personal information from a child under the applicable minimum age, we will promptly delete that information.
11. Data Breach Notification
In the event of a data breach that affects your personal information, we will notify affected users via email within 72 hours of becoming aware of the breach, as required by applicable law.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on our website or sending an email to your registered address. Your continued use of the Services after such changes constitutes acceptance of the updated policy.
13. Data Retention After Account Deletion
Upon account deletion, your personal identifiers (email, name, IP address) are removed immediately. Anonymized, aggregated usage data (such as feature usage counts and response time metrics) that was previously de-identified during your use of the Service is retained indefinitely for service improvement, consistent with Section 6. This data cannot be used to identify you.
14. AI-Generated Content Transparency
In anticipation of the EU AI Act transparency requirements (Art. 50, effective August 2026), all content generated by our AI services is proactively labeled as AI-generated within the user interface. When our AI agents produce text, formulas, code, or other outputs, a visible indicator is displayed alongside the response. This ensures you can always distinguish AI-generated content from human-authored content.
AI-generated outputs should be reviewed before use. We do not guarantee the accuracy, completeness, or fitness of AI-generated content for any particular purpose.
15. Contact Us
If you have questions about this Privacy Policy, contact us at:
- Email: privacy@lunarabbit.ai
- Website: https://lunarabbit.ai
- Service: LunaRabbit (personal project)