Lot — Privacy Policy

Lot Agent, Inc.
Effective Date: March 18, 2026

1. Information We Collect

1.1 Information You Provide

• Account information: name, email address, and profile data provided through Google OAuth or GitHub OAuth at registration.
• API keys: third-party API keys you submit via the BYOK feature, stored encrypted.
• Payment information: billing details processed directly by Stripe, Inc. Lot does not store full payment card numbers.
• Communications: messages you send to our support team.

1.2 GitHub App Data

Because installation of the Lot Agent GitHub App is required to use the Service, we collect the following data from your connected GitHub account or organization:

• Repository metadata: names, descriptions, topics, visibility, default branches, and star/fork counts of repositories you connect;
• Repository contents: code files, configuration files, and other content in repositories you select, accessed only to complete agent tasks you initiate;
• Commit and event data: commit messages, author names, timestamps, and webhook event payloads for connected repositories;
• Organization metadata: organization name, member list (limited to what GitHub's API exposes at the permission level you grant), and team structure, for organization-level installs;
• Installation metadata: GitHub App installation ID, selected repositories, and permission scopes.

We do not store repository code contents persistently outside of your active sandbox session or /usr directory. We do not use your code or repository data to train AI models.

1.3 Information Collected Automatically

• Usage data: sandbox session metadata (start/end times, resource consumption, compute metrics), feature interactions, and navigation logs.
• Log data: IP addresses, browser type, operating system, referring URLs, and error reports.
• Analytics: behavioral and event data collected via Statsig (feature flags and A/B testing) and Google Analytics (website analytics).
• Cookies and similar technologies: session tokens, preference cookies, and analytics identifiers. See Section 6.

1.4 Content and Data in the Service

• Persistent /usr directory: files and data you store in your personal directory are retained across sessions.
• Ephemeral sandbox data: code, files, and agent state within active sandbox sessions are not persisted after session termination.
• We do not use sandbox session contents or your /usr directory data to train AI models.

1.5 Sensitive Personal Information

Under applicable U.S. privacy laws (including CCPA/CPRA), the following categories of sensitive personal information may be processed in the course of providing the Service:

• Account login credentials (OAuth tokens, encrypted API keys) — used solely to authenticate and provide the Service;
• Payment card information (processed by Stripe; Lot does not access raw card data).

We do not use sensitive personal information for any purpose beyond what is necessary to provide the Service.

1.6 Google API Services Usage Disclosure

Lot's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and improve the Service;
• Authenticate your identity and manage your account;
• Execute agent tasks within sandboxes using your connected GitHub repositories;
• Process payments and manage subscription billing;
• Monitor usage to enforce limits, detect abuse, and ensure platform security;
• Send transactional communications (e.g., billing receipts, account alerts, GitHub App installation confirmations);
• Send product updates and marketing communications (you may opt out at any time);
• Conduct analytics and product research to improve user experience;
• Comply with legal obligations and enforce our Terms of Service.

3. Legal Bases for Processing

We process your personal information under the following legal bases:

• Performance of a contract: to provide the Service, process payments, and execute requested agent tasks on connected repositories;
• Legitimate interests: to improve the Service, ensure security, and prevent fraud;
• Consent: for optional marketing communications and analytics cookies;
• Legal obligation: to comply with applicable laws and regulations.

4. How We Share Your Information

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We share information only in the following circumstances:

4.1 Service Providers (Sub-Processors)

We share data with the following trusted third-party service providers, contractually obligated to process data only on our behalf:

• Google (OAuth + Analytics): identity authentication and website analytics — https://policies.google.com/privacy
• GitHub (OAuth + GitHub App): identity authentication and repository integration — https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement
• Neon (Auth + Database): user authentication and application data storage — https://neon.tech/privacy
• Vercel: application hosting and content delivery — https://vercel.com/legal/privacy-policy
• Amazon Web Services (AWS): cloud infrastructure, compute, and encryption key management (KMS) — https://aws.amazon.com/privacy
• Stripe: payment processing and billing — https://stripe.com/privacy
• Statsig: feature flags and product analytics — https://www.statsig.com/privacy
• E2B (current sandbox infrastructure provider): provisioning and running isolated sandbox environments in which your agent tasks and code execute — https://e2b.dev/privacy. We may substitute or supplement E2B with other infrastructure providers or self-hosted infrastructure in the future; any replacement provider will be subject to equivalent data protection obligations.

4.2 Legal Requirements

We may disclose your information if required by law, court order, or government authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Lot, our users, or the public.

4.3 Business Transfers

If Lot is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data is subject to a materially different privacy policy.

5. Data Retention

• Account data is retained while your account is active and for up to 12 months after account termination, after which it is deleted or anonymized.
• /usr directory data is retained while your account is active and deleted within 30 days of account termination.
• Ephemeral sandbox data is deleted at session termination.
• GitHub App installation data and repository metadata are retained while the App is installed and deleted within 30 days of uninstallation or account termination.
• Repository contents accessed during agent tasks are not stored persistently beyond the active session unless you explicitly save them to your /usr directory.
• Payment and billing records are retained for 7 years as required by applicable financial regulations.
• Usage logs are retained for up to 90 days for security and debugging purposes.

6. Cookies and Tracking

• Essential cookies: required for authentication, session management, and core platform functionality. These cannot be disabled.
• Analytics cookies: used by Google Analytics and Statsig to understand usage patterns. You may opt out by adjusting browser settings or using the Google Analytics opt-out browser add-on at https://tools.google.com/dlpage/gaoptout.
• Preference cookies: store your settings and preferences.

You can control non-essential cookies via your browser settings. Disabling cookies may impact Service functionality.

7. Data Security

• Encryption of data in transit using TLS 1.2+;
• Encryption of data at rest for sensitive fields including BYOK API keys (via AWS KMS);
• GitHub OAuth tokens and App installation tokens stored encrypted;
• Access controls and authentication requirements for all infrastructure;
• Regular security reviews of our systems and sub-processors.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security, and you use the Service at your own risk.

8. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

8.1 Your Rights

• Right to Know: request disclosure of the categories and specific pieces of personal information we have collected, used, disclosed, or sold about you in the past 12 months.
• Right to Delete: request deletion of your personal information, subject to certain exceptions (e.g., where retention is required to complete a transaction or comply with law).
• Right to Correct: request correction of inaccurate personal information we hold about you.
• Right to Opt-Out of Sale or Sharing: we do not sell personal information and do not share personal information for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information: you may direct us to limit the use of sensitive personal information (such as account credentials and payment data) to what is necessary to provide the Service.
• Right to Non-Discrimination: we will not deny, charge different prices for, or provide a different level of service because you exercised your privacy rights.

8.2 Shine the Light

California Civil Code Section 1798.83 (Shine the Light) permits California residents to request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes.

8.3 How to Submit a Request

To exercise your CCPA/CPRA rights, submit a verifiable consumer request to privacy@lot.dev with the subject line "California Privacy Request." We will respond within 45 days (extendable by an additional 45 days with notice). We may need to verify your identity before fulfilling your request.

You may designate an authorized agent to submit a request on your behalf by providing written authorization signed by you.

9. Do Not Sell or Share My Personal Information

We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioral advertising purposes as defined under the CPRA. While we use Google Analytics for website analytics, we have configured it to limit data sharing and have enabled IP anonymization. If you wish to opt out of Google Analytics tracking, you may use the Google Analytics Opt-out Browser Add-on at https://tools.google.com/dlpage/gaoptout or adjust your cookie preferences.

10. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that a minor has provided us with personal data, we will delete it promptly. Contact us at privacy@lot.dev if you believe we have inadvertently collected information from a minor.

11. International Users

The Service is operated from the United States. If you access the Service from outside the United States, your data will be processed and stored in the United States. By using the Service, you consent to the transfer of your data to the United States.

While we primarily serve U.S. users, if you are located in the European Economic Area (EEA) or United Kingdom and believe GDPR may apply to you, please contact us at privacy@lot.dev for information about applicable data protection measures.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If changes are material, we will notify you by email or prominent notice within the Service before the changes take effect. The updated policy will be identified by a new Effective Date.

13. Contact Us

For privacy questions, requests, or concerns:

Lot Agent, Inc.

Privacy: privacy@lot.dev

General: legal@lot.dev

Website: https://www.lot.dev