Privacy Policy

Lovable Labs Incorporated ("Lovable," "we," "us," or "our") is an AI-powered platform dedicated to empowering developers and non-technical users to build, share, and deploy web applications using natural language prompts. Our mission is to simplify software development through innovative tools, seamless integrations, and collaborative features, while prioritizing the privacy and security of your data. We are committed to fostering a vibrant developer community and ensuring compliance with applicable privacy laws in the United States (including all applicable state privacy statutes), European Economic Area, United Kingdom, Switzerland, and Canada.

This Privacy Policy ("Policy"), available online at https://www.lovable.dev/privacy, outlines how Lovable collects, uses, shares, and otherwise processes personal information from users, including developers, entrepreneurs, and visitors ("User," "you," or "your") of our website, platform, and services (collectively, our "Services"). By using our Services, you acknowledge this Policy; our legal basis for processing may include contract performance, legitimate interests, or legal obligations, as set out in Section 3. This Policy incorporates our Terms of Service and any applicable Data Processing Agreement (DPA) by reference. You may view our Data Processing Agreement at www.lovable.dev/data-processing-agreement. If you do not agree with the terms of this Policy, please discontinue your use of our Services. Existing users with contractual obligations should contact us to discuss applicable terms. In the event of any conflict between this Policy and a signed DPA, the DPA will control with respect to Customer Personal Data

Personal Data

For purposes of this Policy, "personal data" (also called "personal information" under the California Consumer Privacy Act/Privacy Rights Act and similar U.S. state laws) means any information that relates to an identified or identifiable natural person or is reasonably capable of being linked to a particular consumer or household, as set out in the EU GDPR, UK GDPR, Canada's PIPEDA, the revised Swiss Federal Act on Data Protection, and all applicable U.S. federal or state privacy statutes. Personal data may include, for example, your name, business email address, postal address, telephone number, username, unique device or browser identifiers, Internet-protocol (IP) address, authentication tokens, usage and telemetry logs, or other information generated through your use of our Services. Personal data also includes biometric, genetic, and special category data as defined under GDPR and international equivalents. Operational metrics and telemetry that Lovable processes independently for security, billing, analytics, or product-improvement purposes ("Service Data") are handled separately as described in Section 8 and are not treated as Customer Personal Data.

Lovable does not intentionally collect special-category or sensitive personal data, such as biometric identifiers, health information, or precise geolocation, and instructs customers not to upload such information. This definition will be interpreted to include any equivalent term under other privacy laws that come into force during the life of this Policy.

Collection and Use of Information

Information You Provide Directly: When you create an account, purchase a subscription, open a support ticket, or otherwise use our Services, you may supply personal data such as your name, business-email address, phone number, payment information (processed via Stripe; see Stripe's privacy policy at stripe.com/privacy for details on how they handle your card details and transaction data). For usage-based services like Lovable Cloud and AI Gateway, we collect and process Usage Data (e.g., API calls, storage usage, prompt volumes) to meter consumption against your Credits (prepaid balances). These Credits are tracked in separate balances per service, with metering reliant on Stripe and third-party providers. We do not store full payment card details; Stripe serves as the source of truth for billing records, which may include anonymized usage metrics shared with us for invoicing, and project artefacts (for example, natural-language prompts, code snippets, or deployment configurations). These artifacts are used only to serve your workspace and, once anonymized or aggregated, to improve our models; they are never used to train general-purpose AI models that benefit other customers without your permission.

Information Collected Automatically: When you interact with the Services, we automatically collect technical data such as IP address, browser type, operating system, device identifiers, pages visited, timestamps, and error logs. Certain operational metrics and telemetry ("Service Data") are processed by Lovable as an independent controller for security, billing, analytics, and product-improvement purposes (see Section 10). Billing and Metering Data: Telemetry on service usage (e.g., compute hours in Lovable Cloud, API requests via AI Gateway) is collected to generate monthly invoices showing consumption by service. This data is anonymized where possible and shared with Stripe for payment processing and revenue recognition.

Usage and Analytics Data: We record how you engage with key features (e.g., prompts submitted, code generated, build and deployment events, clicks on the GitHub or Supabase integrations). If you authorize a third-party integration, Lovable accesses only the minimum data required to provide that integration and processes it under the same terms as other Customer Personal Data.

Data Handling in Lovable Cloud and AI Gateway: Lovable Cloud provides cloud hosting and back-end services (e.g., database, authentication, storage), where your Customer Data (as defined in our Terms of Service), including hosted applications, files, and generated outputs, is stored and processed on Supabase infrastructure. By using Lovable Cloud, you consent to the transfer, storage, and processing of your Customer Data by Supabase under their privacy policy (available at supabase.com/privacy). The AI Gateway acts as a proxy to connect your applications to third-party AI providers, including OpenAI, Google Gemini, and models via OpenRouter. When using the AI Gateway, your inputs (e.g., prompts, queries) and related Customer Data are transmitted to these providers for processing and response generation. These transmissions occur on a pass-through basis; we do not store the raw prompts or responses unless you explicitly save them in your workspace. By using the AI Gateway, you consent to such transfers under the privacy policies of OpenRouter (openrouter.ai/privacy), OpenAI (openai.com/policies/privacy-policy), and Google (policies.google.com/privacy). We do not control these providers' data practices, and you are responsible for reviewing their policies.

Children's Data: Lovable's Services are not intended for individuals under the age of eighteen (18), and we do not knowingly collect or solicit personal data from anyone under this age. By using our Services, you represent that you are at least 18 years old or the age of majority in your jurisdiction. If we discover that we have collected personal data from a minor without verifiable parental consent, we will promptly delete that information. If you believe we may have collected such data, please contact us at privacy@lovable.dev.

We process this information on the legal basis of contract performance, legitimate interests, compliance with legal obligations, and your consent, for the following purposes:

• to provide, operate, and maintain the Services, including storing code, generating suggestions, and deploying applications;
• To personalize your experience and tune AI-driven features for your workspace;
• to analyze usage patterns and improve performance, functionality, and reliability;
• to detect, prevent, and investigate fraud, abuse, or security incidents;
• to deliver product updates and measure the effectiveness of our own marketing;
• to communicate with you and provide customer support, as permitted by your account settings;
• to process payments and other transactions you authorize;
• to comply with legal, regulatory, export-control, and sanctions obligations in the jurisdictions where we operate; and
• to meet record-keeping, accounting, and audit requirements.

Lovable does not engage in automated decision-making that produces legal or similarly significant effects on individuals (GDPR Art 22). We collect only the personal data necessary for these purposes and retain it in line with the schedule in Section 11. You can exercise your opt-out or objection rights to certain processing activities as described in Section 9 ("Your Privacy Choices").

Legal Bases for Processing Your Data

Lovable processes personal data only where a valid legal ground applies under each privacy regime that governs our Services.

Applicable privacy frameworks

• United States: CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), UCPA (Utah), CTDPA (Connecticut), and any other U.S. state privacy laws in force during your use of the Services.
• International: GDPR (EEA), UK GDPR, and the revised Swiss Federal Act on Data Protection (rev-FADP) for residents of the EEA, United Kingdom, or Switzerland.
• Canada – Personal Information Protection and Electronic Documents Act (PIPEDA).

Legal bases we rely on

• Performance of a Contract: We process your data to provide, maintain, and support the Services you have requested under our Terms of Service or other agreement with you.
• Legitimate Interests: We use personal data to secure the platform, detect fraud, generate aggregate analytics, and improve AI features where these interests are not outweighed by your privacy rights.
• Consent: We rely on your opt-in consent for non-essential cookies, marketing e-mails, and any other processing that requires consent under applicable law. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legal Obligations: We retain and disclose information as necessary to comply with bookkeeping rules, export-control and sanctions regulations, court orders, or other legal duties.
• Protection of Vital Interests: In rare cases, we may process data to protect an individual's vital interests, such as preventing serious harm or responding to an emergency.

Purposes of Use and Processing

We use personal information for the following business and commercial purposes:

• Service Delivery and Support: Providing and maintaining our AI-driven platform, including code generation, debugging, and deployment.
• Service Integrity: Ensuring the security and integrity of our Services, including preventing fraud or unauthorized access.
• Service Improvement and Research: Analyzing prompts, usage data, and generated code to refine algorithms, enhance AI performance, and develop new features; where feasible, such analysis is performed on de-identified or aggregated data.
• Personalization: Tailoring our Services to your preferences, such as optimizing code generation based on your prompts.
• Product Updates and Limited Marketing: Sending product announcements, event invitations, and other communications you have opted to receive, and measuring their effectiveness. For promotional credits (e.g., free AI Gateway access), we may use your email and usage data to communicate offers. These are non-transferable and revocable; opt out of marketing via account settings.
• Business Continuity and Security: Safeguarding our business operations and proprietary data.
• Legal and Regulatory Compliance: Complying with export-control and sanctions regulations, court orders, and privacy laws in the United States, European Economic Area, United Kingdom, Switzerland, Canada, and other applicable jurisdictions.
• Auditing, Accounting, and Corporate Governance: Conducting audits, reporting, and corporate governance to ensure compliance and efficiency.
• Dispute Resolution and Legal Defense: Meeting legal and regulatory obligations in the United States, Canada, and other jurisdictions.

Data Processing and Sub-Processors

As a data processor, Lovable processes personal information on behalf of our customers in accordance with their instructions and applicable DPAs. We engage third-party sub-processors to support our Services, such as:

• Hosting and maintaining our platform, website, and databases.
• Processing payments through secure third-party payment processors.
• Providing technical support, customer service, and analytics.
• Storing and securing data, including integrations with Supabase and GitHub.

All sub-processors are bound by contractual obligations equivalent to those in our DPAs, ensuring compliance with applicable data protection laws. We provide notice of sub-processor changes, allowing customers to object within ten (10) business days. The current list of authorized sub-processors is always available at https://trust.lovable.dev and includes the sub-processor's name, location, and processing purpose (e.g., Stripe for billing, Supabase for cloud hosting, OpenAI/Google/OpenRouter for AI Gateway integrations).

International Data Transfers

For customers in the EEA, UK, or Switzerland, we may transfer personal information to the United States or other jurisdictions whose privacy laws have not been deemed "adequate" by European or Swiss authorities. Lovable safeguards these transfers through the following legally recognized mechanisms:

• EU–US Data Privacy Framework (DPF): When eligible, Lovable relies first on its DPF certification (and the UK and Swiss Extensions) for transfers from the EEA, UK, and Switzerland to the United States.
• EU Standard Contractual Clauses (SCCs): Module 2 (Controller-to-Processor) per Commission Decision 2021/914, incorporated into our DPAs.
• UK International Data Transfer Addendum: Version B1.0, issued by the UK ICO under s119A DPA 2018.
• Swiss Addendum: Adapts the SCCs to the revised Swiss FADP, naming the Swiss Federal Data Protection and Information Commissioner (FDPIC) as the competent authority.

Investigations

Lovable may investigate and disclose information, as permitted by law, if we believe in good faith that such action is:

• Necessary to comply with a valid legal process or governmental request (e.g., subpoena, court order, or law-enforcement demand) and, unless legally prohibited, Lovable will notify the affected customer before producing data, consistent with our SCC and DPA obligations.
• Helpful to prevent, investigate, or identify fraud, security incidents, or other wrongdoing in connection with our Services.
• Necessary to protect our rights, reputation, property, or those of our users, affiliates, or the public.

Disclosures will comply with applicable privacy laws and be limited to what is necessary.

Log Data

When you use our Services, Lovable automatically collects operational telemetry ("Log Data") that helps us secure and improve the platform. Log Data may include:

• Your device's IP address and approximate location
• Browser type and version.
• Pages, APIs, or features you access within the Services.
• Timestamps and time spent on specific screens or functions.
• Unique session or device identifiers and error/debugging codes.
• Other usage statistics.

Log data is retained for up to ninety (90) days, unless required by law, to monitor performance, troubleshoot issues, and improve user experience.

Cookies and Other Tracking

Lovable and selected third-party partners use cookies, pixels, and similar technologies ("Cookies") to operate, secure, and analyze our Services. We deploy four types of Cookies:

• Strictly Necessary Cookies support core functions such as sign-in, session routing, fraud prevention, and consent storage. These are set on the basis of legitimate interests / contract performance and do not require consent.
• Analytics & Performance Cookies measure feature adoption, diagnose errors, track user interactions, and improve service performance. We use first-party analytics (PostHog) and third-party services (Google Analytics, TikTok) for these purposes. We obtain prior consent for these Cookies in the EEA/UK/CH and honor CPRA "opt-out" signals (e.g., Global Privacy Control) in the United States.
• Functional Cookies remember your preferences (language, theme, layout) and are configurable in the in-product "Cookie Settings" panel.
• Marketing Cookies enable conversion tracking and campaign measurement through third-party services including Tiktok, Facebook/Meta, and Google Ads. While we use these cookies to measure the effectiveness of our marketing efforts, we do not "sell" or "share" Customer Personal Data for cross-context behavioral advertising as defined under applicable privacy laws. These cookies require consent in the EEA/UK/CH and respect opt-out preferences in other jurisdictions.

You can manage or withdraw your Cookie preferences at any time by (i) clicking the Cookie Preferences button in our Cookie Policy, (ii) changing your browser controls, or (iii) enabling an authorized browser signal such as the Global Privacy Control. Disabling non-essential Cookies will not affect core functionality but may limit analytics-based improvements. Cookie-derived identifiers are retained only for the period necessary to fulfil the purposes above and never longer than thirteen (13) months for analytics cookies after which they are deleted or irreversibly anonymized.

Information Security and Accuracy

Lovable is committed to protecting your personal information and maintaining its accuracy. We implement reasonable industry standard safeguards, including:

• Data in Transit: All traffic between your browser or API client and our servers is protected with industry standard end-to-end encryption.
• Data Storage: Database encryption with secure key management and pseudonymize or anonymize data, where feasible.
• Access Controls: Role-based access, multi-factor authentication, and regular reviews to ensure only authorized staff can view your data.
• System Resilience: Continuous backups with industry-standard recovery objectives designed to minimize downtime and data loss.
• Security Monitoring: Real-time monitoring, centralized logging with one-year retention, and annual SOC 2 Type II audits.
• Physical Security: Data is hosted in SOC 2- and ISO 27001-certified data centers with 24/7 guards, biometric access, CCTV, and environmental safeguards.
• Staff & Vendor Oversight : All employees pass background checks, sign confidentiality agreements, and receive yearly security training; sub-processors are vetted and contractually bound to equivalent protections.
• Incident Response: We maintain a 24/7 incident-response team and will notify affected customers within 72 hours of confirming any notifiable breach.

Your Role: Please keep your account credentials confidential, enable multi-factor authentication, and let us know if any of your information is incorrect so we can update it.

Lovable keeps a record of processing activities in line with GDPR Article 30(2) and performs regular risk assessments to adapt these measures as threats evolve. If you believe your account information is inaccurate, contact us as set out in Section 16 and we will correct it promptly. We implement reasonable security measures (e.g., encryption in transit/rest, access controls) to protect your personal data, but our Services rely on third-party providers like Supabase (for Lovable Cloud), OpenAI, Google, and OpenRouter (for AI Gateway). We cannot guarantee uninterrupted availability, security, or performance of these providers, and data interruptions, delays, or losses may occur due to their actions or events beyond our control (including force majeure). For Lovable Cloud, certain provisioned resources may not be immediately terminable via API; you remain responsible for any data hosted there until fully decommissioned. In cases of misuse or abuse (e.g., excessive data uploads causing cost spikes), you agree to indemnify us for related privacy or security claims arising from third-party provider interactions, as detailed in our Terms of Service. We use commercially reasonable efforts to notify you of material security incidents involving your data but disclaim liability for third-party failures.

Retention of Your Information

We retain personal information only as long as necessary to fulfill the purposes outlined in this Policy or as required by applicable law, including:

• Providing and improving our Services.
• Complying with legal and regulatory obligations.
• Resolving disputes or enforcing agreements. Customer data is retained for up to ninety (90) days, unless required by law, after which it is deleted or isolated. To cancel your account or request data deletion, contact us as outlined in Section 16. Upon account termination or expiration (including forfeiture of unused Credits as per the Terms), we will delete your Personal Data within 30 days, except for data required for fraud prevention, legal compliance, or legal defense purposes. Backups may retain data for up to 90 days. To request deletion, contact us at privacy@lovable.dev; we comply with applicable laws (e.g., GDPR erasure rights). We retain Customer Data only as needed to provide the Services, with deletion available upon request (subject to backups and legal holds).

Links to Other Sites

Our Services may include links or integrations (for example, GitHub, Supabase, CI/CD tools, or payment providers) that are not controlled by Lovable. Your interactions with those third-party services are governed by their own privacy policies and terms. We encourage you to review those policies before providing personal data, as Lovable is not responsible for the privacy or security practices of external sites.

Notice and Communications

By using the Services, you consent to receive transactional or administrative electronic communications from Lovable—such as account alerts, security notifications, and billing messages. You may opt out of non-essential marketing e-mails at any time via the "unsubscribe" link or your account settings; this will not affect core service communications. To send formal privacy notices to Lovable, e-mail privacy@lovable.dev or post to the address in Section 16. Lovable may provide legal or privacy notices to you via e-mail, in-product banners, or any other method allowed by law.

Governing Law & Venue

This Policy is governed by and construed in accordance with the laws of the State of Delaware, USA, without regard to its conflict-of-law principles. However, if you are located in a jurisdiction that grants you mandatory consumer protection or data protection rights under local law, those provisions will take precedence to the extent they conflict with this Policy. For residents of the European Economic Area (EEA), United Kingdom (UK), or Switzerland, international data transfers are subject to the EU Standard Contractual Clauses governed by Irish law with the courts of Dublin as the chosen forum, the UK International Data Transfer Addendum governed by the laws of England and Wales with the courts of London as forum, and the Swiss Addendum governed by Swiss law with the FDPIC as the competent authority. Any other disputes arising under this Policy shall be exclusively resolved in the state or federal courts located in Wilmington, Delaware, unless otherwise required by applicable mandatory law. We disclaim warranties on data accuracy/security in AI outputs or third-party services. See Terms for IP ownership (you own Customer Data/AI Output; we own Usage Data).

No Coding Advice

Our Services provide AI-assisted tools that can generate or suggest code, but they are not a substitute for professional software engineering judgment. You remain responsible for reviewing, testing, and validating any code or configuration produced by the platform. Reliance on generated output is at your own risk. Intellectual-property ownership, license terms, and usage restrictions are detailed in the "Intellectual Property Rights" section of our Terms of Service ( https://www.lovable.dev/terms).

Contact Details

If you have questions, concerns, or wish to exercise your privacy rights, please contact us:

• Email: privacy@lovable.dev
• Mail: Lovable Labs Incorporated, Attn: Privacy, 1111b South Governors Avenue, Dover, DE 19904, USA
• EU Mail: Lovable Labs Sweden AB, Tunnelgatan 5, 11137 Stockholm, Sweden
• Data Protection Officer: dpo@lovable.dev

We aim to respond to verified data-subject requests within thirty (30) days, or longer where permitted under applicable law, in which case we will notify you of the delay and reason. If you believe your inquiry has not been satisfactorily resolved, you may lodge a complaint with your local supervisory authority, the Irish Data Protection Commission, the UK Information Commissioner's Office, or the Swiss FDPIC, as appropriate.

Residents of the United States, Canada, EEA, United Kingdom, and Switzerland

This section supplements the rest of the Policy and applies to individuals located in the United States—including California, Colorado, Connecticut, Virginia, Utah, Florida, Nebraska, and any other state with an active consumer-privacy statute, as well as Canada, the EEA, the United Kingdom, and Switzerland. Lovable collects the personal data categories below when you use the Services:

• Identifiers such as name, business-e-mail, phone number, user ID, and IP address (city-level location only).
• Commercial information such as subscription tier and purchase history; full payment-card numbers are processed solely by our PCI-compliant provider and are never stored by Lovable.
• Internet / network activity such as log-in events, feature usage, prompts submitted, code generated, and telemetry.
• Inferences drawn to personalize the platform.
• Project information you upload (e.g., repositories and configuration files).

Sensitive Personal Information is not intentionally collected, and customers are instructed not to upload sensitive data (for example, Social-Security numbers or precise geolocation). No sensitive data (e.g., HIPAA-protected health info, financial accounts) should be uploaded; our Services are not designed for it, and we disclaim responsibility if submitted.

Depending on where you live, you may have some or all of the rights listed below (subject to legal limits). You can exercise them by e-mailing privacy@lovable.dev; Lovable will verify your identity and respond within 30 days or the period required by your local law.

• Right of Access/Portability: Request disclosure of personal information collected, used, or disclosed.
• Right of Deletion: Request deletion of personal information, subject to exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Withdraw Consent: Withdraw consent for certain processing activities.
• Opt-out of sales, sharing, or targeted advertising: Opt out of the sale or sharing of personal information. Lovable does not sell or share personal information as defined under U.S. privacy laws.

Lovable will not discriminate against you for exercising your privacy rights. If you believe a request has been wrongly denied, U.S. residents may file an appeal by replying to our decision within sixty days; EEA, UK, or Swiss residents may contact their supervisory authority (the Irish DPC, the UK ICO, or the FDPIC).

Rights in Customer Data

As detailed in our Terms of Service, you grant us a perpetual, royalty-free license to use your Customer Data (excluding Personal Data) for business purposes, including operating/improving Services, training AI models, and analytics. We do not use raw or identifiable Personal Data for training but may anonymize/aggregate it for any lawful purpose. To opt out of using your Customer Data for model training, contact us at privacy@lovable.dev or upgrade to a Business plan with enhanced controls.

Sharing with Third Parties

We share Customer Data with Infrastructure Providers (e.g., Supabase for hosting) and Third-Party AI Providers (e.g., OpenAI, Google Gemini, OpenRouter for prompt processing) as necessary to provide Services. These shares are governed by their privacy policies (linked above). We do not sell your personal data. For billing, anonymized usage data is shared with Stripe.

Changes to This Policy

Lovable reserves the right to update or revise this Privacy Policy to reflect changes in our practices, legal requirements, or the Services themselves. We will post any revised Policy at https://www.lovable.dev/privacyand indicate the "Effective" date at the top of the document. For material changes that reduce your rights or expand our processing purposes, we will provide at least thirty (30) days' advance notice by e-mail or in-product banner. Your continued use of the Services after the new Policy takes effect constitutes acceptance of the revised terms.

Severability

If any provision of this Policy is found to be unlawful, void, or unenforceable under applicable law, that provision will be interpreted to achieve its intent as closely as possible, or, if impossible, deemed severed, and the remaining provisions will remain in full force and effect.

Entire Agreement

This Policy, together with the Terms of Service, the applicable Data-Processing Agreement (DPA), and any supplemental product terms, constitutes the entire agreement between you and Lovable regarding privacy and data protection in connection with the Services. In the event of a conflict, the DPA will control with respect to Customer Personal Data, followed by this Privacy Policy, then the Terms of Service.

View our Cookie Policy and opt-out of non-essential cookies here: www.lovable.dev/cookie-policy

View our Data Processing Agreement here: www.lovable.dev/data-processing-agreement