Lunsight Trust Center

Service Privacy Notice

Last updated: June 10, 2026

This Privacy Notice describes how LIMITED LIABILITY COMPANY “Lunsight” (ТОВАРИСТВО З ОБМЕЖЕНОЮ ВІДПОВІДАЛЬНІСТЮ «Лунсайт») (“Lunsight”, “we”, “us”) processes personal data in connection with the Lunsight platform — an AI-native security orchestration, automation and response (SOAR) service (the “Service”).

This notice covers the Service only. Visitors to our marketing website lunsight.com are covered by our separate Website Privacy Policy.

1. Who we are

LIMITED LIABILITY COMPANY “Lunsight” · Reg. No. 46333708 (EDRPOU)
Fontanska Doroha St. 10, block 93, apt. 48, Odesa, 65009, Ukraine
Contact: contact@lunsight.com

2. Two kinds of data: our role depends on the data

The Service is provided to organizations (“Customers”) under a written agreement. We process two distinct kinds of data, and our legal role differs between them:

Account Data — Lunsight is the controller. Data relating to the individual users your organization authorizes to access the Service: account and identity details, roles and permissions, AI assistant preferences and conversations, usage metrics, and audit records of actions taken on the platform. This notice describes how we handle Account Data.

Customer Data — Lunsight is the processor. Data your organization routes through the Service in the course of its own security operations: security events and alerts from connected integrations, incidents and their contents, automation scripts and their execution logs, stored files and artifacts, and inputs and outputs of AI agents your organization configures. Your organization is the controller of Customer Data; we process it only on its documented instructions, under the agreement and the Data Processing Agreement (DPA) between us. Questions about Customer Data should be directed to your organization. The third parties we engage to process Customer Data are listed on our Sub-processors page.

3. Account Data we collect

Account and identity. When you sign in, our identity provider (WorkOS) processes your name, email address, profile picture, email verification status, organization membership, role and permissions. We receive these details to authenticate you and authorize your actions. If an administrator invites you, we process the email address they enter in order to deliver the invitation.

AI assistant (Luna). The Service includes Luna, an AI assistant powered by Anthropic’s Claude models. We store your conversations with Luna, your assistant preferences (such as language and tone), and — to make Luna more useful across sessions — memory entries: short factual notes automatically derived from your conversations by a background process after a chat ends. You can view and delete individual memory entries, delete entire conversations, and reset your assistant preferences in the product. Conversation content is sent to Anthropic to generate responses; under Anthropic’s commercial terms, this data is not used to train Anthropic’s models.

Usage and billing metrics. For each AI request we record the requesting user, model, token counts, cost and latency. We use this for billing, cost accounting and usage dashboards.

Audit and attribution records. The Service keeps records of who deployed script and agent versions, who is assigned to incidents, who authored comments, and what actions the AI assistant performed on a user’s behalf (including a short summary of each tool invocation). These records exist to provide the audit trail that a security platform requires.

Operational telemetry. We operate our own observability infrastructure (self-hosted, on our own systems) that records request traces and logs containing user and organization identifiers. We use it for reliability, debugging and support. This data is not shared with any third-party analytics provider.

Cookies. The Service uses only strictly necessary cookies: an encrypted session cookie (wos-session, managed by our identity provider) and a functional cookie remembering your sidebar state (7 days). The Service itself uses no analytics or advertising cookies, so no cookie consent banner is shown in the product.

Edge infrastructure logs. The Service is delivered through Cloudflare, which processes IP addresses and request metadata at the network edge for security purposes (WAF, rate limiting, DDoS mitigation), retained for short periods in accordance with Cloudflare’s log retention.

| Purpose | Data | Legal basis (GDPR) |
|---|---|---|
| Providing the Service: authentication, authorization, account management | Account and identity data, cookies | Art. 6(1)(b) — performance of a contract |
| Operating the AI assistant and personalizing it across sessions | Conversations, preferences, memory entries | Art. 6(1)(b) — performance of a contract; Art. 6(1)(f) — our legitimate interest in providing a useful assistant, balanced by user-facing deletion controls |
| Billing and cost accounting | Usage metrics | Art. 6(1)(b); Art. 6(1)(c) — legal obligations regarding financial records |
| Maintaining audit trails of platform actions | Attribution and audit records | Art. 6(1)(f) — our and our Customers’ legitimate interest in accountability and security of a SOC platform |
| Securing and operating the Service | Telemetry, edge logs | Art. 6(1)(f) — legitimate interest in availability and security |

We do not sell personal data and do not use Account Data for advertising. We do not use automated decision-making that produces legal or similarly significant effects on you.

5. Who receives Account Data

We share Account Data only with the service providers needed to run the Service, currently: WorkOS, Inc. (identity and access management, US), Anthropic, PBC (AI model inference, US), Cloudflare, Inc. (edge security, content delivery and object storage), and DigitalOcean, LLC (cloud hosting and managed databases, Frankfurt, Germany). The authoritative, current list — including which data each receives — is maintained on our Sub-processors page.

We may also disclose personal data where required by applicable law or to establish, exercise or defend legal claims.

6. International transfers

Our primary infrastructure is hosted in the European Union (Frankfurt, Germany). Some providers process data in the United States (WorkOS, Anthropic, and parts of Cloudflare’s global network). Where personal data of individuals in the EU/EEA is transferred outside the EEA, we rely on safeguards under GDPR Chapter V, including Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework, as implemented in our agreements with these providers.

7. Retention

  • Account and identity data: for the duration of your organization’s use of the Service; identity records are managed by our identity provider and removed in connection with account termination or on request.
  • Luna conversations, memory entries, preferences: until you delete them in the product or your organization’s use of the Service ends.
  • Usage and billing metrics: for the duration of the agreement with your organization plus the periods required by applicable law for financial records.
  • Audit and attribution records: retained as part of the records they describe (e.g., deployment history of a script version); AI assistant action audit events are retained for up to 30 days.
  • Telemetry and edge logs: short operational periods.

Backups of our managed databases are retained by our hosting provider for a limited period (currently up to 7 days) and then expire automatically.

8. Security

We maintain technical and organizational measures appropriate to the risk of the data we process, including encryption of data at rest and in transit, restricted production access with multi-factor authentication, and edge protection of all platform traffic. A current summary of our security controls — including measures still on our roadmap — is published on our Security Controls page.

9. Your rights

Depending on your location, you may have the right to access, correct, delete, or receive a copy of your personal data, to object to or restrict processing, and to lodge a complaint with a supervisory authority (in the EU, your local data protection authority; in Ukraine, the Ukrainian Parliament Commissioner for Human Rights).

Some of these rights can be exercised directly in the product (deleting conversations, memory entries and preferences). For everything else, email contact@lunsight.com and we will respond within the timelines required by applicable law. Note that where your access to the Service is provisioned by your employer or organization, some requests (for example, deletion of your account) may need to be coordinated with your organization as the party that controls workspace membership.

10. Children

The Service is a business product and is not directed at children under 16.

11. Changes to this notice

We may update this notice from time to time. The current version is always available on this page, with the “Last updated” date above. We will inform Customers of material changes.

12. Contact

LIMITED LIABILITY COMPANY “Lunsight” · Reg. No. 46333708 (EDRPOU)
contact@lunsight.com