Privacy Policy
Last updated: April 12, 2026
1. Who We Are
Lorkon AI, Inc. (“Lorkon,” “we,” “us,” or “our”) operates the Lorkon.ai website and related services. We provide AI-powered data protection services for LLC owners and individuals, including data broker removal, filing monitoring, and breach detection.
This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our website and services. We take your privacy seriously — it is, after all, the core of what we do.
2. Our Core Privacy Commitment
We will never sell, rent, license, trade, or otherwise disclose your personal information to third parties for their marketing purposes. Period.
Your data is used exclusively to provide, improve, and support the Lorkon services you subscribed to. We share your information only with the third-party service providers necessary to deliver our services (described in Section 6), and only to the minimum extent required.
3. Information We Collect
3.1 Information You Provide
- Free scan: LLC name, state of formation, and optionally your phone number. We use this solely to run the exposure scan.
- Email gate: Your email address, provided when you request your full scan results. Used to deliver your report and, if you opt in, to send product information.
- Phone scan: Your phone number and optionally your full name. Used to scan for breach exposure and broker listings.
- Subscription: Your email address and payment information (processed by Stripe — we never see or store your full card number).
- Dashboard login: Your email address, used to send magic login links. We do not store passwords.
3.2 Information Collected Automatically
- IP address: Used for rate limiting (preventing abuse) and rough geographic identification. Stored temporarily.
- Browser and device information: Standard HTTP headers (user agent, referrer). Used for security and troubleshooting. Not used for tracking or advertising.
- Cookies: We use a single session cookie (lorkon_session) to keep you logged into your dashboard. It is HTTP-only, secure, and contains only a session identifier. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
3.3 Information from Third-Party Sources
- State filing data: We retrieve publicly available LLC filing information from Secretary of State websites. This includes registered agent names, officer names, business addresses, and filing status. This data is already public.
- Data broker listings: We search data broker websites to determine if your personal information appears on them. We access only publicly viewable pages — the same information anyone can see.
- Breach databases: We query breach detection databases (LeakCheck) using your phone number, email, or derived domain to determine if your information has been exposed in known data breaches. We do not download or store breach data beyond what is shown in your scan results.
4. How We Use Your Information
We use your information solely for the following purposes:
- To provide our services: Running scans, submitting removal requests, monitoring filings, detecting breaches, and generating your dashboard and reports.
- To communicate with you: Sending scan results, weekly progress reports, SOS filing alerts, magic login links, and subscription-related emails (payment confirmations, renewal notices).
- To process payments: Your payment information is processed by Stripe. We receive only your email, subscription status, and Stripe customer ID — never your card details.
- To submit removal requests on your behalf: When our AI agents send opt-out requests to data brokers, they include your name, phone number, and/or LLC information as necessary to identify the records to be removed. This is the minimum information required by brokers to process an opt-out.
- To improve our services: Aggregate, anonymized data (scan success rates, broker response rates, common exposure patterns) helps us improve our AI agents and service quality. This data is never tied to individual users.
- To prevent abuse: IP addresses and request patterns are used to prevent automated abuse, fraudulent scans, and DDoS attacks.
- To comply with legal obligations: We may process or disclose information if required by law, court order, or government request.
5. Information We Never Collect
To be absolutely clear, Lorkon does not collect:
- Social Security numbers
- Government-issued identification documents (driver’s license, passport)
- Financial account numbers (bank account, credit card — Stripe handles all payment processing)
- Biometric data
- Location data beyond IP-based city/country
- Data from your personal devices, contacts, photos, or files
- Health or medical information
- Information about minors under the age of 18
6. Who We Share Information With
We share your information only with the following categories of service providers, and only to the minimum extent necessary to deliver our services:
- Data broker sites (for removal): When submitting opt-out requests, our AI agents provide your name, phone number, and/or LLC details to the broker so they can identify and remove your records. This is the core function of our service and is done solely at your direction.
- Stripe (payment processing): Processes your subscription payments. Stripe’s privacy policy governs their handling of your payment information. We never see or store your full card number.
- Supabase (database hosting): Our application database is hosted on Supabase infrastructure. All data is encrypted at rest and in transit.
- Resend (email delivery): Delivers our transactional and report emails. Receives only your email address and email content.
- Firecrawl (web scraping): Powers our AI agents’ ability to scan broker sites and submit opt-out forms. Firecrawl processes URLs and page content but does not store your personal information.
- Sentry (error monitoring): Captures technical errors to help us fix bugs. May include anonymized request data but never personal information.
- Railway (hosting): Our application runs on Railway infrastructure. Railway provides hosting only and does not access your data.
- LeakCheck (breach detection): Queries breach databases using your phone number or email to detect exposures. LeakCheck returns breach metadata only — we do not download raw breach data.
- Cobalt Intelligence (filing data): Provides LLC filing information for states where direct scraping is not available. Receives only your LLC name and state.
We do not share your information with: Advertisers, data brokers (except to request removal), marketing companies, social media platforms, government agencies (unless legally compelled), or any other third parties not listed above.
7. Data Storage and Security
Your data is stored in databases hosted by Supabase, which provides encryption at rest (AES-256) and in transit (TLS 1.2+). Our application uses Row Level Security (RLS) policies to prevent unauthorized access at the database level.
Additional security measures include:
- All API access uses service role keys — no public database access
- HMAC-SHA256 signed scan tokens prevent enumeration attacks
- JWT session tokens with 7-day expiry for dashboard access
- HTTP-only, secure, SameSite cookies prevent XSS token theft
- Content Security Policy (CSP) headers prevent code injection
- HSTS headers enforce HTTPS
- Rate limiting prevents brute-force and abuse
- IP-based rate limiting on all scan endpoints
- Honeypot fields to detect automated bot submissions
While we implement industry-standard security measures, no system is 100% secure. We cannot guarantee absolute security of your data. In the event of a data breach affecting your personal information, we will notify you by email within 72 hours of discovering the breach, in compliance with applicable breach notification laws.
8. Data Retention
- Free scan data: Retained for 90 days after scan completion, then deleted. If you subscribe, scan data is retained for the duration of your subscription.
- Subscriber data: Retained for the duration of your active subscription plus 90 days after cancellation. After 90 days, your account data, scan results, and removal history are permanently deleted.
- Email addresses: Retained until you unsubscribe from communications or request deletion.
- Payment records: Retained by Stripe according to their data retention policy and applicable financial regulations.
- Rate limiting data: IP-based rate limit records are automatically purged after 24 hours.
- Login tokens: Magic link tokens expire after 15 minutes (login) or 7 days (email links). Expired tokens are periodically cleaned from the database.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Right to access: You can request a copy of all personal information we hold about you.
- Right to correction: You can request correction of inaccurate information.
- Right to deletion: You can request deletion of your personal information. We will comply within 30 days, except where retention is required by law.
- Right to portability: You can request your data in a machine-readable format.
- Right to object: You can object to processing of your data for specific purposes.
- Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time.
- Right to non-discrimination: We will not discriminate against you for exercising any of these rights.
To exercise any of these rights, email us at privacy@lorkon.ai. We will respond within 30 days.
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know what personal information we collect, use, disclose, and sell
- Right to delete personal information we hold about you
- Right to opt out of the sale or sharing of personal information
- Right to correct inaccurate personal information
- Right to limit use and disclosure of sensitive personal information
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out — we simply do not engage in these practices.
To make a CCPA/CPRA request, email privacy@lorkon.ai or call us (contact details on our website).
11. Children’s Privacy
Lorkon services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will delete that information immediately. If you believe a child has provided us with personal information, please contact us at privacy@lorkon.ai.
12. International Users
Lorkon is based in the United States and our services are primarily designed for US-based LLC owners and individuals. If you access our services from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. By using our services, you consent to this transfer.
13. Third-Party Links
Our website may contain links to third-party websites (data broker sites, state filing databases, etc.). We are not responsible for the privacy practices of these third-party sites. We encourage you to review their privacy policies.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email (to the email address associated with your account) or by posting a prominent notice on our website. Your continued use of our services after the effective date of any changes constitutes your acceptance of the updated policy.
15. Contact Us
If you have any questions about this Privacy Policy, your personal data, or our privacy practices, please contact us:
Lorkon AI, Inc.
Email: privacy@lorkon.ai
Support: support@lorkon.ai
For data access, correction, or deletion requests, please email privacy@lorkon.ai with the subject line “Privacy Request” and include your name and the email address associated with your Lorkon account.