Privacy Policy
Last updated: April 2026 · DRAFT - subject to legal review
1. Who we are
Laup is operated from Norway. For questions about your data, contact us at hello@laup.ai.
2. What data we collect
- Account data: email address, hashed password (Argon2 - we never store your password in plain text), display name and phone number (optional).
- Scan results: AI readiness scores, schema analysis, sitemap analysis, robots.txt analysis, content visibility results, and AI-generated assessments - all tied to the domain you scanned, not to you personally.
- Product analytics: anonymous page views and event data (e.g. scans started, exports, sign-up clicks) captured cookielessly via PostHog. Inside the Laup app, events are linked to your account ID so we can debug issues and improve the service. No cookies or device identifiers are stored on your device, and there is no fingerprinting or advertising tracking. Approximate country and region are derived from your IP address at ingest by PostHog; the raw IP is not stored on events.
- Error reports: when an unexpected error occurs in your browser while using Laup, we capture the error message, stack trace, and the page URL via PostHog to debug and fix the bug. No form contents, no request bodies, no personal identifiers beyond your account ID.
- Usage data: IP addresses in server logs, login timestamps, scan timestamps.
- Acceptance record: timestamp of when you accepted these terms.
3. Why we collect it
- To provide the service: we need your email to authenticate you and your domain to run scans.
- To secure the service: IP logging helps detect abuse and unauthorized access.
- To improve the service: aggregate, anonymized scan patterns help us improve our analysis accuracy.
4. Legal basis (GDPR)
Different processing activities rely on different legal bases. Accepting our Terms of Service at signup is acceptance of the contract — it is not blanket GDPR consent.
- Contract (Art. 6(1)(b)): processing your account data, authenticating you, running scans you initiate, and storing scan results — all necessary to deliver the service you signed up for.
- Legitimate interest (Art. 6(1)(f)): security logging, abuse prevention, error reports, and aggregate product analytics to operate, secure, and improve the service. You can object at any time — see §8.
- Legal obligation (Art. 6(1)(c)): retaining records where required by law (e.g. tax, audit).
- Consent (Art. 6(1)(a)): reserved for processing that is optional and not necessary to deliver the service (e.g. future opt-in features like session replay). We will ask separately and clearly when this applies.
5. Where your data is stored
All data is stored in Azure Norway East (Oslo region), within the EU/EEA. Your data does not leave the EEA for storage purposes.
6. Third-party processors
- Microsoft Azure (hosting, database) - EU data center (Norway East).
- Microsoft Azure OpenAI (LLM analysis) - scan data (publicly accessible website content) is sent to Azure OpenAI for analysis. Hosted in Sweden Central, within the EU/EEA. No personal user data (email, password) is sent to Azure OpenAI. Subject to Microsoft's data processing terms.
- PostHog (product analytics) - PostHog Inc. (US-incorporated). All event data is processed and stored in PostHog Cloud EU (Frankfurt, Germany); transfer of the controller relationship to a US-incorporated entity is covered by the EU Standard Contractual Clauses (SCCs) in PostHog's DPA. Used in cookieless mode for anonymous traffic and identified-only mode for signed-in users; no third-party advertising trackers, no cross-site tracking. Full DPA, sub-processor list, and SCCs at posthog.com/dpa.
7. Data retention
- Account data: kept until you delete your account.
- Scan results: kept as long as your account exists.
- Server logs: retained for up to 90 days for security purposes.
8. Your rights
Under GDPR, you have the right to:
- Access: request a copy of your personal data.
- Correction: update inaccurate data via your profile page.
- Deletion: delete your account and all personal data via your profile page. This immediately anonymizes your data.
- Data portability: request your data in a machine-readable format.
- Withdraw consent: you can withdraw consent at any time by deleting your account.
- Object to analytics: you can opt out of PostHog product analytics at any time by emailing us at hello@laup.ai. Analytics runs on legitimate interest and is not required to deliver the service.
To exercise any of these rights, use the self-service options in your profile or contact us at hello@laup.ai.
9. Cookies
Strictly necessary cookies. When you sign in, we set a single HttpOnly authentication cookie (JWT) that is strictly necessary for the service to function. JavaScript cannot access it.
No tracking cookies. Our analytics provider (PostHog, see §6) runs in cookieless mode - no identifiers are stored on your device, no advertising or cross-site tracking cookies are used. Because no information is stored on or read from your device, the Norwegian Electronic Communications Act does not require a cookie consent banner.
10. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via the email address associated with your account. The "last updated" date at the top will always reflect the most recent version.
11. Contact
For data protection inquiries, contact us at hello@laup.ai.