Privacy Policy

Last Updated: April 24, 2026

Your privacy matters. This Policy explains what ELU collects, how we use it, who we share it with, and the choices you have — as a Customer of ELU and as an End User of a product that runs on ELU.

Quick Summary

  • What we collect: account and billing info, product-usage telemetry, and — on behalf of our Customers — behavioral events, session recordings, connected database rows, and code access needed to generate insights and pull requests.
  • What we use it for: running our AI agent pipelines, delivering the Services, supporting you, keeping the platform secure, and improving the product.
  • AI: we use Anthropic, OpenAI, and Google AI APIs. They are contractually prohibited from training on your data, and we do not train our own production models on your content either.
  • What we don't do: we do not sell your personal information and we do not share it for cross-context behavioral advertising.
  • Your rights: access, correct, delete, export, and opt out of certain processing, as permitted by applicable law.
  • Security: TLS everywhere, encryption at rest, per-org scoped secrets, least-privilege access, and regular third-party penetration testing.

1. Introduction

ELU Labs, Inc. ("ELU," "Company," "we," "us," or "our") operates an AI-powered product intelligence platform that helps software teams detect user-experience problems, surface insights from product analytics and session recordings, and ship code fixes via automated pull requests. This Privacy Policy explains how we collect, use, share, and protect information when you use our website, web application, browser extension, APIs, MCP (Model Context Protocol) server, SDKs, analytics loader, and related services (collectively, the "Services").

This Policy applies to two different categories of people:

  • Customers — individuals and companies that sign up for an ELU account to analyze their own product.
  • End Users — visitors and users of websites, apps, or products operated by our Customers, whose behavioral data our Customers send to us through ELU Analytics, a connected third-party analytics provider (such as PostHog), a connected database, or the ELU browser extension. For End Users, our Customer is the data controller and ELU acts as a data processor on their behalf. If you are an End User and want to exercise privacy rights over your data, please contact the Customer operating the product — we will support them in responding to your request.

By using the Services, you consent to the collection, use, and disclosure of information as described here. If you do not agree with this Policy, do not use the Services. This Policy is incorporated into, and subject to, our Terms of Service.

2. Information We Collect

We collect information in several ways when you and your End Users interact with the Services.

2.1 Customer Account Information

  • Identity & contact data: name, email address, profile photo, job title, and organization / workspace name provided at sign-up or in account settings.
  • Authentication data: Firebase Authentication user IDs, single sign-on identifiers (Google, GitHub), session tokens, and multi-factor authentication state.
  • Billing data: company name, billing address, tax identifiers, and payment-method metadata. Card numbers and bank credentials are handled exclusively by our PCI-DSS compliant payment processor and are not stored on ELU servers.
  • Integration credentials: API keys, OAuth tokens, webhook secrets, and connection settings for third-party services you connect to your workspace (e.g. PostHog, Supabase, MongoDB, Firebase, GitHub, Slack, Google Chat). Secrets are stored in Google Secret Manager scoped to your organization.
  • Communications: messages you send us through email, support tickets, in-app chat, demo bookings, surveys, and feedback forms.

2.2 Workspace & Product Content

  • Business context you provide: company description, north-star metric, current focus, target personas, and any custom instructions or internal notes used to steer our AI agents.
  • Journeys, watches, and insights: recorded or imported user journeys, saved replay watches, generated insights, recommendations, and any edits, approvals, comments, or annotations you make on them.
  • Chat transcripts: conversations with our in-product AI assistant, including prompts, tool calls, and assistant responses.

2.3 Information Collected Automatically

  • Device and technical data: IP address, browser type and version, operating system, screen resolution, device identifiers, and referrer URL.
  • Usage data: pages and dashboards visited, features used, clicks, queries run, agents triggered, time spent, and other interactions with the Services.
  • Log and diagnostic data: server logs, error reports, API request metadata, agent run metadata, and performance telemetry.
  • Approximate location: derived from IP address for security and regional routing.

2.4 End-User Data Processed On Behalf of Customers

When a Customer connects an analytics source, database, or other integration, or installs the ELU analytics loader or browser extension on a product they operate, ELU receives data about the Customer's End Users. Depending on what the Customer has configured, this may include:

  • Behavioral events: page views, clicks, form interactions, custom events, feature-flag exposures, conversion events, timestamps, and associated properties.
  • Session recordings ("replays"): rrweb DOM snapshots and mutation streams, typed input metadata (with password and sensitive-field redaction as configured by the Customer), mouse / touch / keyboard interactions, network request metadata, and console errors. ELU re-renders these recordings into MP4 video files stored in encrypted cloud storage to enable AI video analysis.
  • Identifiers and traits: End-User identifiers (user IDs, email addresses, or other traits) that the Customer chooses to pass to ELU through the Identity Bridge, SDK, or analytics provider.
  • Database content: rows and schema metadata that our agents query via read-only integrations the Customer connects (e.g. Supabase, MongoDB, Firebase, BigQuery).
  • Source code: repository contents that our agents read, and pull requests they create, when the Customer connects a GitHub account and authorizes code access.
  • Website content: HTML, screenshots, and DOM structure captured by our website-audit crawler on pages the Customer directs us to audit.
  • Journey recordings from the ELU browser extension: the URLs, element selectors, click / input / navigation events, and step metadata captured while a Customer user is explicitly recording a journey. Passwords and other sensitive inputs are redacted locally in the browser before they leave the user's device.

The Customer determines the purposes and means of processing End-User data. ELU processes it only on the Customer's documented instructions under a Data Processing Agreement (DPA). Our standard DPA, incorporating the EU Standard Contractual Clauses and UK International Data Transfer Addendum, is available on request at support@elu.dev.

2.5 Information from Third Parties

  • Identity providers: if you sign in with Google, GitHub, or another SSO provider, we receive the profile fields those providers return (typically name, email, avatar, and a stable user identifier).
  • Integration partners: data returned by APIs you authorize us to call on your behalf (analytics providers, databases, code hosts, issue trackers, messaging platforms).
  • Referrals and business partners: information from partners, resellers, and referral sources that refer you to ELU.

3. How We Use Information

We use the information we collect for the following purposes.

3.1 Service Delivery

  • Providing, operating, maintaining, and improving the Services.
  • Running our agent pipelines — including event ingestion, schema discovery, journey analysis, funnel and cohort analysis, website audits, session-replay deep audits, root-cause ranking, recommendation generation, and pull-request creation.
  • Surfacing dashboards, insights, recommendations, watches, chat responses, and notifications to authorized members of your workspace.
  • Managing your account, processing billing and transactions, and providing support.

3.2 AI and Machine Learning

  • Sending prompts and relevant context (including your business context, analytics summaries, replay narratives, and code excerpts) to our LLM subprocessors — currently Anthropic (Claude), OpenAI (fallback), and Google (Gemini, used for video replay analysis) — to generate insights, recommendations, narratives, and code patches.
  • Storing agent run metadata (token counts, cost, latency, errors, prompt versions) so we can monitor quality, cost, and reliability.
  • Computing vector embeddings of replay audits and insight content for semantic search and clustering within your workspace.
  • We do not train our AI models, or any third-party general-purpose AI model, on your content or your End Users' data. Our LLM subprocessors operate under zero-retention or short-retention agreements and are contractually prohibited from using your data to train their foundation models. Aggregated, de-identified operational metrics (e.g. "average agent latency") may be used to improve our own pipelines.

3.3 Security, Abuse, and Compliance

  • Detecting, investigating, and preventing fraud, abuse, unauthorized access, scraping, and other violations of our Terms of Service.
  • Enforcing API rate limits, audit logging, and breach-detection controls.
  • Complying with legal, regulatory, tax, and audit obligations.

3.4 Communications

  • Sending service, transactional, security, and account notices.
  • Responding to inquiries, feedback, and support requests.
  • Sending product updates, tips, event invitations, and marketing communications where permitted by law — you can unsubscribe at any time via the link in the email or your account settings.
  • Delivering digest notifications to channels you connect (e.g. Slack, Google Chat).

3.5 Analytics & Improvement

  • Understanding how Customers use the Services so we can improve them.
  • Debugging, benchmarking, and tuning prompts, agent pipelines, and model selections.
  • Conducting research and product discovery in aggregated, de-identified form.

5. How We Share Information

We do not sell personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We disclose information in the following limited circumstances:

5.1 Subprocessors & Service Providers

We use vetted subprocessors to host infrastructure, process payments, send emails, and power our AI features. Each is contractually required to process your data only to deliver services to us, to maintain appropriate technical and organizational security measures, and — for AI subprocessors — to not use your data to train their foundation models. See Section 6 (Subprocessors) for the current list.

5.2 Within Your Workspace

Content you create or generate in ELU — insights, recommendations, watches, chat transcripts, agent run metadata, audit records, approvals, and the data feeding them — is visible to other authorized members of your organization in ELU. Workspace administrators can manage members, roles, and access.

5.3 Third-Party Tools You Connect

When you authorize an integration (for example, connecting GitHub so our agents can open pull requests, or connecting Slack so we can post digests), we share the minimum data necessary to perform the action you configured with that third party. Their processing of that data is governed by their own terms and privacy policy.

5.4 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction. We will notify you of any change in control that materially affects how your personal information is processed.

5.5 Legal and Safety Disclosures

We may disclose information when we believe in good faith that disclosure is necessary to: (a) comply with a law, regulation, legal process, or enforceable governmental request; (b) enforce our Terms of Service, Acceptable Use Policy, or other agreements; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of ELU, our Customers, End Users, or the public. Where permitted by law, we will notify the affected Customer before disclosing their data in response to a government request.

5.6 With Your Consent

We may share information with additional third parties where you direct us to or provide explicit consent (for example, case studies, testimonials, or public product features that surface your content).

5.7 Aggregated and De-identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify any individual for research, benchmarks, marketing, and product analytics. We do not attempt to re-identify such data.

6. Subprocessors

We engage the following categories of subprocessors. We maintain a current, detailed list with entity names and locations, which will be provided on request at support@elu.dev. We will provide reasonable prior notice of new subprocessors that handle Customer personal data so Customers with a DPA may object.

  • Cloud infrastructure & hosting: Google Cloud Platform (including Firebase Authentication, Cloud Firestore, Cloud Functions, Cloud Run, Cloud Tasks, Cloud Storage, BigQuery, and Secret Manager).
  • Managed analytics & session replay upstream: PostHog, Inc. (for ELU Analytics managed projects and for Customers who connect their own PostHog workspace).
  • Large language model & AI providers: Anthropic (primary, Claude family), OpenAI (fallback), and Google (Gemini, used for session-replay video analysis). These providers operate under zero-retention or short-retention terms and do not train foundation models on Customer data.
  • Email delivery: transactional-email and lifecycle-email providers for account notices and product updates.
  • Payment processing: PCI-DSS compliant payment processors for subscription billing, invoices, tax, and dunning.
  • Customer support & scheduling: help-desk, demo-scheduling, and in-product messaging tools used to communicate with you.
  • Product analytics & monitoring: tools we use on our own websites and app for usage analytics, error tracking, and uptime monitoring.
  • Notification delivery: Slack and Google Chat for digest notifications to channels you connect.

7. Cookies and Tracking Technologies

We use cookies, local storage, pixels, and similar technologies on our marketing website and in the web application.

7.1 Categories

  • Strictly necessary: authentication sessions, CSRF protection, load balancing, and security features. These cannot be disabled.
  • Functional / preference: remember your theme, last-visited workspace, onboarding progress, and other preferences.
  • Analytics: help us understand how people use our marketing website and app so we can improve them.
  • Marketing: on our marketing pages only, measure the performance of ads and content.

7.2 Your Choices

Most browsers let you control cookies through settings, and you can usually block or delete them — though some features may not function without them. Where required by law we provide a cookie banner or preference center on our marketing website. We honor the Global Privacy Control (GPC) signal as a valid opt-out of sale/share for applicable jurisdictions.

7.3 Customer-Deployed Tracking

When you install the ELU analytics loader on your own product, cookies and local storage set in the End User's browser by that loader are set under your domain and for your purposes as the data controller. You are responsible for the consent banners and preference mechanisms shown to your End Users.

8. Data Retention

We retain information for as long as is necessary for the purposes described in this Policy, unless a longer retention is required or permitted by law. Typical retention periods:

  • Account data: retained while your account is active and for up to 90 days after closure, after which it is deleted or anonymized, subject to legal holds.
  • Billing and tax records: retained for up to seven (7) years to meet tax, accounting, and anti-fraud obligations.
  • Behavioral events and session replays: retained for the retention window configured on your plan or in the underlying analytics provider (ELU Analytics defaults to 90 days for session replays and 12 months for event data; BYO providers follow your own settings). You may request shorter retention in writing.
  • AI agent inputs and outputs: prompts, tool calls, generated narratives, audit documents, and embeddings are retained for the life of the parent record (insight, replay, recommendation) they belong to.
  • Logs and security records: retained for up to 13 months for security, abuse, and incident investigation.
  • Aggregated / de-identified data: may be retained indefinitely.

On termination or verified deletion request, we will delete or anonymize your data on the schedule above. Backups are overwritten on a rolling basis and isolated from production until overwritten.

9. Data Security

We maintain administrative, technical, and physical safeguards designed to protect information against unauthorized access, disclosure, alteration, and destruction. These include:

  • Encryption in transit (TLS 1.2+) and at rest using industry-standard algorithms.
  • Secrets storage in Google Secret Manager with per-organization scoping; API keys are stored only as SHA-256 hashes and compared in constant time.
  • Principle-of-least-privilege access controls, SSO and multi-factor authentication for employee access, and role-based authorization within the product.
  • Tenant isolation: every Firestore read, storage read, and agent tool call is org-scoped; cross-org reads are blocked at the service layer.
  • Audit logging of privileged actions and security events.
  • Regular vulnerability scanning and periodic third-party penetration tests.
  • Incident-response playbooks with defined escalation, forensics, and notification steps.
  • Vendor security reviews before a new subprocessor is onboarded.

No system is perfectly secure. If you believe your account has been compromised or you discover a vulnerability, contact us immediately at support@elu.dev. We will notify affected Customers of a confirmed breach of their personal data without undue delay, consistent with applicable law.

10. International Data Transfers

ELU is headquartered in the United States and primarily processes data in U.S. Google Cloud regions. Depending on the subprocessor and your Customer settings, data may also be processed in other countries where our subprocessors operate.

For transfers of personal data from the EEA, UK, or Switzerland to the United States and other non-adequate countries, we rely on appropriate safeguards, including:

  • The European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, incorporated into our DPA.
  • Adequacy decisions where available (including the EU-U.S. Data Privacy Framework and its UK extension where applicable and where the relevant subprocessor is certified).
  • Additional supplementary measures (e.g. encryption, access controls).

You may request a copy of the safeguards we use, or the current subprocessor list, by emailing support@elu.dev.

11. Your Privacy Rights

Depending on where you live, you may have some or all of the rights below. We honor these rights for the personal data we hold about Customer account users directly. For End Users of a Customer's product, the Customer is the data controller — please direct requests to the Customer, and we will assist them in responding.

11.1 Rights Available to All Users

  • Access: request a copy of the personal information we hold about you.
  • Correction: request correction of inaccurate or incomplete information.
  • Deletion: request deletion of your personal information, subject to legal exceptions.
  • Opt-out of marketing: unsubscribe from marketing communications at any time.

11.2 EEA / UK / Swiss Residents (GDPR)

  • Restriction of processing and objection to processing based on our legitimate interests.
  • Data portability: receive your data in a structured, machine-readable format.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with your local supervisory authority. We would, however, appreciate the chance to address your concerns first.
  • Automated decision-making: we do not use solely automated decision-making that produces legal or similarly significant effects on you. AI-generated insights and recommendations are intended to assist human decision-making and are reviewed by you before any action is taken.

11.3 California Residents (CCPA / CPRA)

California residents have the right to know, delete, correct, and limit the use of sensitive personal information; the right to opt out of sale or sharing (we do neither); and the right to non-discrimination for exercising these rights. We honor Global Privacy Control (GPC) signals as a valid opt-out where applicable.

Categories of personal information collected in the last 12 months: identifiers, commercial information, internet or other electronic network activity, geolocation data (approximate), professional or employment information, and inferences. Business/commercial purposes: providing and improving the Services, security, billing, support, and communications. Sources: you, your End Users (via integrations you configure), our integration partners, and automatic collection. Disclosures: to service providers, subprocessors, and as described in Section 5.

11.4 Other U.S. State Residents

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and other states with comprehensive privacy laws have similar rights to access, correct, delete, port, and opt out of certain processing. We honor these rights as required by the applicable statute.

11.5 How to Exercise Your Rights

Email support@elu.dev or use the in-product privacy controls in your account settings. We respond within the timeframe required by applicable law (typically within 30 or 45 days) and may need to verify your identity before responding. You may designate an authorized agent to submit a request on your behalf. We do not discriminate against users who exercise their rights.

12. Children's Privacy

The Services are intended for business use by adults and are not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us with personal information, please contact us at support@elu.dev and we will take steps to delete it.

14. Our Role as Data Processor

When you use the Services to analyze your own product — by connecting analytics, databases, code repositories, or by installing our analytics loader or browser extension — you are the data controller (or business) for the End-User data you route to us, and ELU is the data processor (or service provider). Under that arrangement:

  • You determine the purposes and means of processing End-User data.
  • You are responsible for providing all legally required notices to, and obtaining all legally required consents from, your End Users and for honoring their privacy rights.
  • You configure redaction, sampling, and retention settings appropriate for your jurisdiction and use case.
  • We process End-User data only on your documented instructions under our DPA, except where law requires otherwise. Our standard DPA incorporates the SCCs and the UK IDTA and is available from support@elu.dev.

15. Browser Extension

The ELU Journey Recorder is an optional Chrome extension that Customer users install to record product journeys for their own workspace. It follows Chrome's Limited Use policy:

  • Capture is opt-in and explicit: the extension only records after the user clicks "Start Recording" and only on the tab the user is actively recording.
  • Only interaction metadata (URL, element selectors, click / input / submit / navigate events, timestamps, and recorder state) is captured. Password fields and fields marked sensitive are redacted locally in the browser before anything leaves the device.
  • Recorded journeys are transmitted to the Customer's ELU workspace over TLS and stored in the Customer's organization scope. They are not used for advertising, sold, or shared outside of the subprocessor chain described in this Policy.
  • The extension requests host permissions at runtime (only when a user starts recording) rather than upfront.
  • Users can stop recording, undo steps, delete the journey before saving, or uninstall the extension at any time.

16. AI-Specific Disclosures

Because ELU is an AI-first product, we want to be clear about how AI is involved:

  • Providers. Our agents and chat features call Anthropic Claude, OpenAI, and Google Gemini APIs. Requests and responses are processed by those providers to return a completion.
  • No model training on your data. Our contracts with these providers prohibit training their foundation models on data we send through the API. We do not train our own production models on Customer or End-User content either.
  • Retention at the provider. Where supported, we use zero-retention or short-retention modes for these APIs. The provider may retain data for short windows (typically 30 days or less) for abuse monitoring, after which the data is deleted.
  • Human review. Insights, recommendations, and pull requests generated by the Services are suggestions. You remain responsible for reviewing them before acting, merging code, or communicating with your End Users.
  • Prompt history. Your chat transcripts, agent prompts, tool calls, and generated outputs are stored in your workspace so you and authorized teammates can review and audit them. You can delete individual conversations and insights from the UI.

17. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes we will notify you by posting the updated Policy on our website, emailing the address associated with your account, and/or displaying an in-product notice. The "Last Updated" date above reflects the most recent changes. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

18. Contact Us

If you have questions, concerns, or requests about this Privacy Policy or our privacy practices, please contact us:

EEA / UK residents may also contact their local supervisory authority.