Privacy Policy

Last Updated: October 25, 2025

1. Introduction

Lemma IAM ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our identity and access management service.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Email address, company name, site domain
  • Payment Information: Processed by Stripe (we do not store credit card numbers)
  • API Keys: Generated for your account to access our services

2.2 Information Automatically Collected

  • Usage Data: API calls, verification requests, monthly active users
  • Log Data: IP addresses, user agents, timestamps, request paths
  • Performance Data: Response times, error rates, system metrics
  • Security Events: Authentication attempts, permission grants, access verifications

2.3 Cryptographic Data

  • Credentials: Stored in user's browser (we do not have access)
  • Public Keys: Ed25519 public keys for verification
  • Revocation Data: OPRF-blinded credential identifiers (privacy-preserving)

3. How We Use Your Information

We use collected information to:

  • Provide and maintain the Service
  • Process payments and billing
  • Send service notifications and updates
  • Monitor usage for billing purposes (MAU tracking)
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations
  • Improve the Service through analytics

4. Privacy-Preserving Features

Lemma IAM is designed with privacy as a core principle:

  • OPRF Revocation: We cannot determine which credentials are being checked (privacy-preserving blind evaluation)
  • Client-Side Verification: Credentials verified in user's browser, reducing server-side tracking
  • Minimal Data Collection: We collect only what's necessary to provide the Service
  • No Third-Party Tracking: We do not sell or share your data with advertisers

5. Data Sharing and Disclosure

We do not sell your personal information. We may share data with:

5.1 Service Providers

  • Stripe: Payment processing (PCI DSS compliant)
  • Heroku/AWS: Hosting infrastructure
  • Sentry: Error monitoring (anonymized error data)
  • Email Service: Mailgun or SendGrid for transactional emails

5.2 Legal Requirements

We may disclose information if required by law, court order, or government request, or to protect our rights and safety.

6. Data Security

We implement industry-standard security measures including:

  • Ed25519 cryptographic signatures
  • OPRF privacy-preserving revocation
  • Encrypted credential storage
  • Audit logging of all security events

7. Data Retention

  • Account Data: Retained while your account is active
  • Audit Logs:
    • Free Tier: 30 days
    • Starter: 90 days
    • Professional: 1 year
    • Enterprise: 7 years (compliance requirement)
  • After Account Deletion: Data deleted within 30 days, except where legally required to retain

8. Your Rights

You have the right to:

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate or incomplete information
  • Deletion: Request deletion of your data (subject to legal retention requirements)
  • Export: Download your audit logs in CSV or JSON format
  • Opt-Out: Unsubscribe from marketing emails (service emails may still be sent)

To exercise these rights, contact us at [email protected]

9. GDPR Compliance (EU Users)

If you are in the European Economic Area (EEA), you have additional rights under GDPR:

  • Legal Basis: We process data based on contractual necessity and legitimate business interests
  • Data Protection Officer: Contact [email protected]
  • Right to Lodge Complaint: You may file a complaint with your local data protection authority
  • Data Portability: Export your data in machine-readable format

10. CCPA Compliance (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: What personal information we collect
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: We do not sell personal information
  • Non-Discrimination: We will not discriminate against you for exercising your rights

11. Children's Privacy

Our Service is not intended for users under 18 years of age. We do not knowingly collect information from children. If we learn we have collected information from a child, we will delete it immediately.

12. Data Breach Notification

In the event of a data breach that may compromise your personal information, we will notify you within 72 hours via email and post a notice on our website.

13. Contact Us

For privacy-related questions or to exercise your rights:

Email: [email protected]
Data Protection Officer: [email protected]
Website: https://lemma.id/privacy
