Privacy Policy

Welcome to ELU. This Privacy Policy explains how ELU Labs, Inc. ("Company," "we," "us," or "our") collects, uses, discloses, and protects your personal information when you use our AI-powered email campaign platform, website, application programming interface (API), software development kit (SDK), and related services (collectively, the "Services").

By using our Services, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Services.

This Privacy Policy is incorporated into and subject to our Terms of Service.

We collect information in several ways when you interact with our Services:

2.1 Information You Provide Directly

• Account Information: Name, email address, company name, phone number, billing address, and payment information when you create an account or make a purchase
• Profile Information: Job title, industry, company size, and preferences you provide in your account settings
• Communications: Messages, feedback, and other communications you send us through support channels or surveys
• Content You Create: Email templates, campaign content, audience lists, and other content you create or upload to the Services

2.2 Information Collected Automatically

• Device Information: IP address, browser type, operating system, device identifiers, and mobile network information
• Usage Data: Pages visited, features used, clicks, time spent on pages, search queries, and other interactions with the Services
• Log Data: Server logs, error reports, API calls, and diagnostic information
• Email Metrics: Delivery status, open rates, click rates, bounce rates, and unsubscribe rates for emails sent through our Services
• Location Information: Approximate location based on IP address

2.3 Information from Third Parties

• Integration Data: Information from third-party services you connect to your account (e.g., CRM systems, analytics tools)
• Social Media: Information from social media platforms if you connect your social accounts
• Business Partners: Information from our business partners, resellers, or referral sources

2.4 Your End Users' Data

When you use our Services to send emails, you may provide us with information about your end users (recipients). This may include email addresses, names, and other data you choose to include in your campaigns. You are the data controller for this information, and we process it on your behalf as a data processor.

We use the information we collect for the following purposes:

3.1 Service Delivery

• Providing, maintaining, and improving our Services
• Processing and delivering email campaigns
• Managing your account and providing customer support
• Processing payments and transactions
• Generating analytics and reports about your campaigns

3.2 AI and Machine Learning

• Training and improving our AI models to generate better email content
• Personalizing AI-generated suggestions based on your usage patterns
• Analyzing campaign performance to optimize recommendations
• Important: We do not use your specific email content to train models that would be shared with other customers. Your content remains confidential.

3.3 Communications

• Sending service-related notices, updates, and security alerts
• Responding to your inquiries and support requests
• Sending marketing communications (with your consent where required)

3.4 Security and Compliance

• Detecting, preventing, and addressing fraud, abuse, and security issues
• Enforcing our Terms of Service and Acceptable Use Policy
• Monitoring for spam and compliance with anti-spam laws
• Complying with legal obligations and responding to legal requests

3.5 Analytics and Improvement

• Understanding how users interact with our Services
• Developing new features and improving existing ones
• Conducting research and analysis to enhance our platform

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide the Services you requested
• Legitimate Interests: Processing for our legitimate business interests, such as improving our Services, preventing fraud, and marketing (balanced against your rights)
• Consent: Processing based on your explicit consent, which you can withdraw at any time
• Legal Obligation: Processing necessary to comply with applicable laws and regulations

We do not sell your personal information. We may share your information in the following circumstances:

5.1 Service Providers

We share information with third-party service providers who perform services on our behalf, including:

• Cloud hosting and infrastructure providers
• Payment processors
• Email delivery services
• Analytics providers
• Customer support tools

These providers are contractually obligated to use your information only to provide services to us and must maintain appropriate security measures.

5.2 Business Transfers

If we are involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your personal information.

5.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities, including:

• Court orders and subpoenas
• Government or regulatory agency requests
• Law enforcement requests
• To protect our rights, privacy, safety, or property

5.4 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

5.5 Aggregated and De-identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you for any purpose, including research, analytics, and marketing.

We use cookies and similar tracking technologies to collect and store information about your interactions with our Services.

6.1 Types of Cookies We Use

• Essential Cookies: Required for the Services to function properly (e.g., authentication, security)
• Analytics Cookies: Help us understand how users interact with our Services
• Functional Cookies: Remember your preferences and settings
• Marketing Cookies: Used to deliver relevant advertisements and track campaign performance

6.2 Managing Cookies

Most browsers allow you to control cookies through their settings. You can typically choose to block or delete cookies, but this may affect your ability to use certain features of our Services.

6.3 Do Not Track

We currently do not respond to "Do Not Track" signals from browsers. However, you can opt out of certain tracking as described above.

We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

• Account Data: Retained while your account is active and for a reasonable period after deletion to comply with legal obligations
• Transaction Data: Retained for seven (7) years for tax and accounting purposes
• Email Campaign Data: Retained for as long as you maintain your account, with logs typically retained for up to two (2) years
• Usage Data: Aggregated data may be retained indefinitely for analytics purposes

After the retention period expires, we will securely delete or anonymize your personal information.

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS/SSL) and at rest (AES-256)
• Regular security assessments and penetration testing
• Access controls and authentication mechanisms
• Employee training on data protection and security
• Incident response and breach notification procedures
• Physical security measures for our data centers

While we strive to protect your personal information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we will notify you of any breach affecting your data as required by law.

Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have data protection laws that differ from your jurisdiction.

When we transfer personal data from the EEA, UK, or Switzerland, we use appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with our sub-processors
• Adequacy decisions where applicable
• Binding Corporate Rules where appropriate

You may request a copy of the safeguards we use by contacting us at dpo@elu.dev.

Depending on your location, you may have certain rights regarding your personal information:

10.1 Rights for All Users

• Access: Request access to the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information (subject to certain exceptions)
• Opt-Out: Unsubscribe from marketing communications

10.2 Additional Rights for EEA/UK/Swiss Residents (GDPR)

• Restriction: Request restriction of processing of your personal information
• Portability: Request a copy of your data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interests or for direct marketing
• Withdraw Consent: Withdraw consent at any time where processing is based on consent
• Lodge Complaint: File a complaint with a supervisory authority in your country

10.3 California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Know: Right to know what personal information we collect, use, and disclose
• Delete: Right to request deletion of your personal information
• Opt-Out of Sale: Right to opt out of the "sale" of personal information (we do not sell personal information)
• Non-Discrimination: Right not to be discriminated against for exercising your privacy rights
• Correct: Right to request correction of inaccurate personal information
• Limit Use of Sensitive Information: Right to limit the use of sensitive personal information

Categories of Personal Information Collected: Identifiers, commercial information, internet activity, geolocation data, professional information, and inferences.

10.4 Virginia, Colorado, Connecticut, and Other State Residents

Residents of states with comprehensive privacy laws (VCDPA, CPA, CTDPA, etc.) have similar rights to access, correct, delete, and opt out of certain processing. We honor all applicable state privacy laws.

10.5 How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@elu.dev. We will respond to your request within the timeframe required by applicable law (typically 30-45 days).

We may need to verify your identity before processing your request. We will not charge a fee for legitimate requests, but we reserve the right to charge a reasonable fee for manifestly unfounded or excessive requests.

Our Services are not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly.

If you believe we have collected information from a child under 16, please contact us immediately at privacy@elu.dev.

Our Services may contain links to third-party websites, applications, or services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you access.

We are not responsible for the privacy practices or content of third-party services, even if linked from our Services.

When you use our Services to send emails to your end users, you act as the data controller, and we act as the data processor. This means:

• You determine the purposes and means of processing your end users' data
• You are responsible for obtaining proper consent from your end users
• You must provide appropriate privacy notices to your end users
• We process your end users' data only according to your instructions

We offer a Data Processing Agreement (DPA) that governs our processing of personal data on your behalf. Please contact us at dpo@elu.dev to request our standard DPA.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by:

• Posting the updated policy on our website
• Sending an email to the address associated with your account
• Displaying a notice in the Services

The "Last Updated" date at the top of this policy indicates when the most recent changes were made. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

• Privacy Inquiries: privacy@elu.dev
• Data Protection Officer: dpo@elu.dev
• General Support: support@elu.dev
• Company: ELU Labs, Inc.

For EEA/UK residents, you may also contact your local data protection authority if you have concerns about our privacy practices.