Privacy Policy

How LivingMeta collects and processes personal data under the GDPR. Questions? Email us at info@livingmeta.ai.

Last updated: 29 June 2026

This Privacy Policy explains how LivingMeta processes personal data when you use our websites (including livingmeta.ai and the per-field instance sites at *.livingmeta.ai), the research instances we build and host, The Lab and its AI research assistant, and our related services (together, the "Service"). It is written in plain language; where it uses a defined term such as Customer Data, that term has the meaning given in our Master Service Agreement.

1. Who we are (the controller)

The data controller is LivingMeta, established in Leiden, the Netherlands:

  • KvK (Chamber of Commerce): 42036321
  • Address: Hoge Rijndijk 208, 2314 AJ Leiden, the Netherlands
  • Contact for privacy questions: info@livingmeta.ai

For most personal data we act as a controller. Where we process Customer Data on a customer's behalf and on their instructions (e.g. documents a customer uploads into their instance), we act as a processor for that customer, and a Data Processing Addendum (based on the EU Standard Contractual Clauses) is available on request.

2. The personal data we collect

a. Account & identity data — when you (or your institution) create an account: your name / display name, email address, organisation, your chosen user role, and an authentication credential (a password, which our authentication provider stores only as a secure hash, or — if you sign in with GitHub — your GitHub account identifier and public profile).

b. Lab content & uploads — the research threads, questions, messages and replies you create in The Lab, and any documents you upload (PDFs, datasets, questionnaires, notes). You are responsible for ensuring you have the right to upload this content, and you are asked not to upload special-category personal data (e.g. health or biometric data) unless expressly agreed.

c. Usage & billing data — your subscription and credit-wallet balance, a log of AI-assistant usage for fair-use and abuse prevention, and — where you make a payment — billing details processed by our payment provider (we do not store full card numbers).

d. Technical data — information generated automatically when you use the Service, such as IP address, browser/device information, and server and security logs.

We do not use advertising trackers or third-party analytics profiling.

3. Why we use your data, and our legal basis

Purpose | Legal basis (GDPR art. 6)
Create and manage your account; provide the Service, The Lab and the AI assistant | Performance of a contract (6(1)(b))
Process payments and manage subscriptions | Performance of a contract (6(1)(b)) and legal obligation (6(1)(c))
Keep the Service secure, prevent fraud and abuse, enforce fair-use limits | Our legitimate interests (6(1)(f))
Maintain and improve the Platform using aggregated and anonymised usage data | Our legitimate interests (6(1)(f))
Send service-related messages (e.g. account, billing, security notices) | Performance of a contract (6(1)(b)) / legitimate interests (6(1)(f))
Comply with tax, accounting and other legal obligations | Legal obligation (6(1)(c))

Where we rely on consent (6(1)(a)) — for example for any optional communication — you may withdraw it at any time.

4. The AI assistant

The Lab's AI assistant answers your questions using the curated corpus of an instance and any documents you provide. Your messages and the relevant content are sent to our AI provider (see §6) solely to generate the response. We have opted out of having this data used to train the provider's models. As stated in our Master Service Agreement, the assistant is a research aid whose output you should independently verify.

5. Who we share data with

We do not sell your personal data. We share it only with the sub-processors that run the Service (§6), with professional advisers (e.g. our accountant) where necessary, and where required by law or to protect our or others' rights. If the business is ever transferred (e.g. reorganisation or sale), data may transfer as part of it, subject to this Policy.

6. Sub-processors

We use the following providers to deliver the Service. Each processes personal data only as needed for its function and under appropriate data-protection terms:

Provider | Function | Privacy information
Supabase | Database, authentication, file storage | supabase.com/privacy
Vercel | Website hosting and content delivery | vercel.com/legal/privacy-policy
Anthropic | AI model inference (the Lab assistant + coaching) | anthropic.com/legal/privacy
Stripe | Payment processing | stripe.com/privacy
Resend | Sending transactional/service emails | resend.com/legal/privacy-policy
GitHub | Optional sign-in (OAuth) for the public Lab | GitHub Privacy Statement
Cloudflare | DNS | cloudflare.com/privacypolicy

7. International transfers

Some sub-processors are based outside the European Economic Area (e.g. in the United States). Where personal data is transferred outside the EEA, we rely on appropriate safeguards — principally the EU Standard Contractual Clauses — so that your data keeps an equivalent level of protection.

8. How long we keep data

  • Account data: for as long as your account is active, and a limited period afterwards.
  • Lab content & Customer Data: for the duration of your subscription; after termination you have a 30-day window to export it, after which we may delete it (except routine backups or copies the law requires us to keep).
  • Invoices and financial records: 7 years, as required by Dutch tax law.
  • Security and usage logs: for a limited period needed for security and troubleshooting.

9. Your rights

Under the GDPR you have the right to: access your personal data; rectify inaccurate data; request erasure; restrict or object to processing; obtain data portability; and, where processing is based on consent, withdraw that consent. To exercise any of these, email info@livingmeta.ai. We will respond within the statutory period (normally one month).

You also have the right to lodge a complaint with the Dutch data-protection authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). If you are in another EU/EEA country, you may contact your local supervisory authority.

10. Cookies

We use essential cookies only — for example to keep you signed in and to secure your session. We do not use advertising or third-party analytics/tracking cookies. Our payment provider (Stripe) may set cookies during checkout for fraud prevention. You can control cookies through your browser settings; disabling essential cookies may stop parts of the Service from working.

11. Security

We apply reasonable technical and organisational measures to protect personal data (including access controls, encryption in transit, and reputable infrastructure providers). No internet service can be guaranteed completely secure; please keep your login credentials confidential and notify us at info@livingmeta.ai if you suspect any unauthorised access.

12. Children

The Service is intended for researchers and professional users and is not directed at children under 16. We do not knowingly collect personal data from children.

13. Changes to this Policy

We may update this Policy from time to time. We will post the updated version here with a new "Last updated" date and, where the change is significant, take reasonable steps to notify you.

14. Contact

Questions about this Policy or your personal data: info@livingmeta.ai — LivingMeta, Hoge Rijndijk 208, 2314 AJ Leiden, the Netherlands · KvK 42036321.