Lookout

Privacy Policy

Last updated: March 27, 2026. This policy describes how this deployment of Lookout handles personal data. Adapt it for your entity, subprocessors, and jurisdictions, and have counsel review it before production use.

1. Introduction

This Privacy Policy explains what personal data we collect, why we use it, how long we keep it, and the choices you have. It applies to visitors, registered users, and organization administrators who use Lookout and related sites or APIs (the “Service”). By using the Service, you acknowledge the practices described here, together with our Terms of Service.

2. Who is responsible for your data

The data controller is the legal entity that operates this instance—for example your company if you self-host, or the vendor named on your subscription. That entity is referred to as “we”, “us”, or “our” in this policy. If you use the Service as part of an organization, your administrator may control certain settings and exports; their instructions may affect how your data is processed.

3. Personal data we process

We may process the following categories, depending on how you use the Service:

  • Account and profile: name, email address, password hash or SSO identifiers, avatar, locale and timezone preferences, theme preference, and security settings such as two-factor authentication metadata.
  • Organization and collaboration: organization name and slug, your role (owner, admin, member), team membership, invitations, and activity that appears in product audit or activity feeds where enabled.
  • Billing: billing address and tax identifiers if you provide them, payment method details as handled by our payment processor (we typically receive tokens and subscription status rather than full card numbers), and records of transactions.
  • Error and event data: messages, stack traces, URLs, release and environment tags, breadcrumbs, traces, logs, and other technical context your applications send to the ingest API. This information is often about software behavior, but it can include personal data if your code or users embed it (for example names or emails in messages or request payloads).
  • Technical and security data: IP addresses, user agent strings, approximate location derived at a coarse level for security, request metadata, rate-limit counters, and security and audit logs.
  • Support and communications: content you send when you contact support or reply to service email, if applicable.

4. Why we use personal data

We use personal data to:

  • Provide, operate, and improve the Service (including grouping issues, alerts, dashboards, and integrations you enable).
  • Authenticate users, enforce access controls, and protect against abuse, fraud, and security incidents.
  • Process payments, issue invoices, and meet tax and accounting obligations.
  • Communicate about the Service, including transactional notices, security advisories, and (where permitted) product updates.
  • Comply with law, respond to lawful requests, and establish or defend legal claims.
  • Analyze aggregated or de-identified usage to understand reliability and performance, where we do not rely on personal data in identifiable form.

5. Legal bases (EEA, UK, and similar regimes)

Where the GDPR, UK GDPR, or similar laws apply, we rely on one or more of the following: performance of a contract with you or your organization; our legitimate interests in running a secure, reliable service (balanced against your rights); consent where we ask for it (for example optional marketing); and legal obligation where the law requires processing.

6. Sharing and subprocessors

We share personal data with service providers who process it on our instructions (for example hosting, email delivery, and payment processing). We may also disclose information if required by law, to protect rights and safety, or in connection with a merger or asset sale subject to appropriate safeguards. A non-exhaustive list for typical configurations is on our Subprocessors page.

7. Cookies and similar technologies

We use cookies and local storage as needed to operate the Service: for example session cookies when you sign in, CSRF tokens, preferences such as theme where stored in the browser, and similar mechanisms. The default product does not include third-party advertising cookies. If you add analytics or marketing tools to this deployment, describe them here and obtain consent where your jurisdiction requires it.

8. Security

We implement technical and organizational measures appropriate to the risk, including encryption in transit where standard for web traffic, access controls, and logging for administrative actions. No method of transmission or storage is completely secure; you are responsible for configuring ingest keys, allowlists, and secrets according to your security policies.

9. Retention

We retain personal data only as long as needed for the purposes above. Error and event payloads are retained according to project-level or plan retention settings and automated pruning. Account and billing records may be kept longer where law or legitimate business needs require (for example tax records). When data is no longer needed, we delete or de-identify it subject to backup and disaster-recovery cycles.

10. Your rights

Depending on where you live, you may have the right to access, correct, delete, or export personal data we hold about you, and to object to or restrict certain processing. You may also have the right to lodge a complaint with a supervisory authority. To exercise these rights, contact the operator of this deployment using the address published for your instance. We may need to verify your identity and, for organization-held data, coordinate with your administrator.

11. International transfers

If we transfer personal data across borders, we use appropriate safeguards required by applicable law (for example Standard Contractual Clauses or adequacy decisions). Details can be provided on request or in a data processing agreement.

12. Automated decision-making

We do not use personal data for solely automated decisions that produce legal or similarly significant effects in the default product configuration. If you enable features that could change this, describe them here.

13. Children

The Service is not directed at children under 16 (or the higher age required in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have, contact us so we can delete it.

14. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised version with a new “Last updated” date and, where appropriate, provide additional notice (for example by email or in-product message). Continued use after the effective date means you accept the updated policy, unless applicable law requires a different process.

15. Contact and related documents

For privacy questions or requests, use the contact or support channel published for this deployment. Business customers may use our Data Processing Agreement (template) as a starting point for GDPR-style engagements, subject to legal review.
