Privacy Policy

Last updated : April 25, 2026

This policy describes how LemonPage AI (“we”, “the Service”) processes your personal data under the EU General Data Protection Regulation (GDPR) 2016/679 and the French Data Protection Act.

1. Data controller

The publisher of LemonPage AI, a French SASU (simplified single-shareholder company) registered in France, Compiègne, France. Contact: privacy@lemonpage.ai.

2. Data we collect

2.1 Account data

  • Email, name (optional), profile picture (Google OAuth)
  • Hashed password (bcrypt) for email signups
  • Account creation date, last login

2.2 Billing data

  • Stripe customer ID, plan, subscription status
  • No card data is stored on our servers (PCI-DSS handled by Stripe)

2.3 Usage data

  • Projects, pages and content you create
  • Leads captured through your published pages
  • Page stats (views, UTM source, duration, bounce)

2.4 Technical data

  • IP address (anonymized for analytics)
  • Browser user-agent
  • Server logs (kept 30 days)

3. Purposes & legal bases

PurposeLegal basisRetention
Service deliveryContract performanceAccount lifetime
Billing & accountingLegal obligation10 years
Aggregated usage statisticsLegitimate interestIndefinite (anonymized)
Transactional emailsContract performanceAccount lifetime
Marketing emailsConsentUntil withdrawal

4. Sub-processors

Your data is processed by the following sub-processors, all bound by GDPR-compliant DPAs:

  • Vercel Inc. (USA) — application hosting (SCC)
  • Neon / PostgreSQL host (EU) — database
  • Stripe Payments Europe Ltd (Ireland) — billing
  • Resend Inc. (USA) — transactional email (SCC)
  • Anthropic PBC (USA) — Claude AI (SCC)
  • OpenAI Ireland Ltd (Ireland) — GPT models
  • Replicate Inc. (USA) — image generation (SCC)
  • Google LLC (USA) — Google Analytics 4 & OAuth (SCC)

5. International transfers

Some sub-processors are located in the USA. Transfers are framed by Standard Contractual Clauses (Commission Decision 2021/914) and, where applicable, the EU-US Data Privacy Framework.

6. Your rights

You have the following rights:

  • Right of access (Article 15 GDPR)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction (Article 18)
  • Right to portability (Article 20)
  • Right to object (Article 21)
  • Right to withdraw consent at any time

To exercise these rights, contact privacy@lemonpage.ai. You may also lodge a complaint with the French CNIL (cnil.fr) or your local DPA.

7. Cookies

We use strictly necessary cookies (session, auth) and, subject to consent, audience-measurement cookies (Google Analytics 4 in anonymized mode). You can manage preferences through the consent banner.

8. Security

Passwords stored hashed (bcrypt, 10 rounds), TLS 1.3 throughout, production access restricted, secrets stored as encrypted environment variables.

9. Retention

Account data is kept for the duration of the account plus 30 days post-deletion (backups). Billing data is kept 10 years (accounting obligation).

10. Contact & DPO

No DPO required at this stage. Any data-related question can be sent to privacy@lemonpage.ai.