Privacy Policy
Effective date: April 1, 2026
1. Data Controller
The data controller responsible for processing your personal data is:
- Company: LeMans Labs OÜ
- Registry code: 16872044
- Address: Valukoja 8/1, 11415 Tallinn, Estonia
- Product: ewpire (ewpire.com) – AI employee marketplace
- Contact: [email protected]
LeMans Labs OÜ is incorporated in the Republic of Estonia and is subject to the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus). We are not required to appoint a Data Protection Officer under Article 37 GDPR; however, for all privacy-related inquiries, please contact us at [email protected].
2. What Data We Collect
2.1 Payment Data (via Stripe)
When you subscribe to ewpire, payment is processed by Stripe, Inc. Through the Stripe checkout process, we receive and store your:
- Name – as provided during checkout.
- Email address – used for invoicing, account recovery, and essential communications.
- Billing address – required for tax calculation and invoicing.
- VAT identification number – if provided by EU business customers for reverse charge purposes.
We do not store credit card numbers, CVVs, or full payment card details on our own servers. All payment card data is handled exclusively by Stripe in accordance with PCI DSS standards.
2.2 Messenger Data
When you interact with your AI Employees via a supported messenger (Telegram, WhatsApp, Slack, or Discord), we process:
- Messenger user ID – your unique identifier on the messaging platform, used to link your messenger account to your ewpire subscription.
- Messages – messages you send to and receive from your AI Employees, including commands, instructions, and conversation content.
- Voice messages – if you send a voice message, it is automatically transcribed to text using a third-party transcription service (Groq). The audio is processed in real time for transcription only and is not stored after processing. Only the resulting text is retained as part of your conversation.
2.3 Usage Data
- IP address – used for geographic detection (via the Cloudflare CF-IPCountry header) to determine currency display (EUR/USD/GBP). IP addresses are not stored persistently for website visitors.
- Browser and device information – standard HTTP metadata (user agent, screen resolution, operating system) collected automatically when you visit ewpire.com.
2.4 Form Data
- Custom Agent request form – information you submit via the form at ewpire.com/custom, including your name, email, company, and description of your desired AI agent.
- Quiz responses – answers you provide when using the AI Employee Quiz tool at ewpire.com/tools/quiz. Responses are used to generate personalised recommendations and are not linked to your identity unless you voluntarily provide contact details.
2.5 Cookie Data
- Currency preference – a “currency” cookie (functional, 30-day duration) that stores your EUR/USD/GBP preference based on geo-detection.
- Cookie consent preference – stored in localStorage to remember whether you have accepted or rejected non-essential cookies.
For full details, see our Cookie Policy.
2.6 Blog Interaction Data
When you visit the ewpire blog, we may collect information about which pages you view. This data is collected in aggregate form to understand content performance and improve our editorial content. No personally identifiable information is collected from blog visitors beyond standard usage data described in Section 2.3.
2.7 Referral Programme Data
If you participate in the ewpire Referral Programme, we collect and process:
- Referrer identity – your name, email address, and unique referral code, used to track referrals and attribute commissions.
- Referral records – information about which referred users subscribed using your code, their subscription plan, and payment date (excluding their personal details beyond what is necessary for attribution).
- Payout information – your Stripe Connect Express account details, required to process commission payouts. Stripe stores your bank account or debit card information; ewpire does not store financial account details on its own servers.
2.8 Content Output Data
When you use content-producing AI Employees (Growth Agent, Sales Agent), we collect and process:
- Content briefs and prompts – your instructions, brand voice settings, target audience descriptions, and campaign goals used to generate content output.
- Generated content drafts – SEO articles, landing page copy, email sequences, ad creatives, and brand monitoring reports delivered to your messenger or dashboard for your review and approval.
- Activity logs – records of content generation requests and outputs, used for reporting and usage limit compliance.
ewpire AI Employees do not access, log in to, or take automated actions on your social media accounts. All output is delivered as drafts for your review. You publish content using your own accounts and tools.
2.9 Team Member Data
If you are invited as a Team Member by an Admin, we collect:
- Your email address – provided by the Admin when sending the invite.
- Your messenger identity – linked when you accept the invite and connect your messenger account.
- Your preferred language – selected during onboarding, stored to personalise your experience.
Team Member data is associated with the Admin's Subscription and is deleted when the Subscription is cancelled (after the 90-day retention period) or when the Admin revokes your access.
3. Legal Basis for Processing
Under Article 6 of the GDPR, we process personal data on the following legal bases:
3.1 Performance of a Contract (Art. 6(1)(b))
- Processing payment data (name, email, billing address) to create and manage your subscription.
- Processing messenger user IDs and messages to deliver AI Employee services.
- Processing account recovery requests to restore access to your subscription.
- Processing referral programme data (referrer identity, referral records, payout information) to operate the Referral Programme and pay commissions.
- Processing content briefs, brand settings, and generation logs to operate AI Employees and deliver content output drafts.
- Processing Team Member data (email, messenger identity) to facilitate team-based agent management.
3.2 Legitimate Interest (Art. 6(1)(f))
- Using IP addresses for geographic detection to display the correct currency (EUR/USD/GBP).
- Collecting aggregate blog interaction data to improve content and service quality.
- Processing usage data (browser, device) for website functionality, security monitoring, and fraud prevention.
- Maintaining server logs for debugging and security purposes.
Where we rely on legitimate interest, we have conducted a balancing test to ensure that your rights and freedoms are not overridden by our interests. You may object to processing based on legitimate interest at any time (see Section 8).
3.3 Consent (Art. 6(1)(a))
- Analytics cookies (if implemented in the future) – only activated after you provide explicit consent via our cookie banner.
- Any future marketing communications – only with your explicit opt-in consent.
You may withdraw consent at any time via the cookie banner or by contacting us, without affecting the lawfulness of processing carried out before withdrawal.
3.4 Legal Obligation (Art. 6(1)(c))
- Retaining payment, invoicing, and VAT records for 7 years as required by Estonian tax law (Raamatupidamise seadus).
- Responding to lawful requests from law enforcement or supervisory authorities.
4. How We Use Data
We use the personal data we collect for the following purposes:
- Service delivery – to provide, operate, and maintain AI Employee services, including messenger-based interactions and agent automation.
- Billing and payments – to process subscription payments, issue invoices, calculate VAT, and manage your billing account via Stripe.
- Support and communication – to respond to your inquiries, provide technical support, and send essential service notifications via messenger or email.
- Service improvement – to analyse aggregate usage patterns and improve the quality, reliability, and features of the Service.
- Legal compliance – to comply with applicable laws, regulations, and legal processes, including tax record-keeping and responding to lawful data requests.
- Security – to detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.
5. Data Sharing
We share personal data only with the following categories of recipients, under appropriate data processing agreements:
5.1 Stripe (Payment Processing)
Stripe, Inc. processes all payment transactions, stores payment card data, and manages subscription billing. Stripe is certified under PCI DSS Level 1. Stripe's privacy policy is available at stripe.com/privacy.
5.2 AI Model Providers
To power AI Employees, we send relevant data (messenger messages, task instructions, business context) to AI model providers for inference. Our primary AI model provider is Alibaba Cloud Model Studio (Qwen family of models), hosted on Alibaba Cloud's international infrastructure. AI model providers do not persistently store your data after processing and do not use your data to train or improve their models. Data is transmitted via encrypted connections (TLS 1.3) and processed solely for the purpose of generating responses for your AI Employees. Alibaba Cloud's privacy policy is available at alibabacloud.com/privacy-policy.
5.3 Groq (Voice Transcription)
When you send a voice message, the audio is transmitted to Groq for transcription using the Whisper speech recognition model. Groq processes the audio in real time to convert speech to text and does not retain the audio data after processing. Only the resulting text transcript is stored as part of your conversation. Groq's privacy policy is available at groq.com/privacy-policy.
5.4 Cloudflare (CDN and Security)
Cloudflare provides content delivery, DDoS protection, and security services for ewpire.com. Cloudflare processes traffic data (including IP addresses) and provides the geo-detection header (CF-IPCountry) used for currency display. Cloudflare's privacy policy is available at cloudflare.com/privacypolicy.
5.5 Alibaba Cloud (Image Generation)
When the Growth Agent generates images as part of ad creative packages, text prompts describing the desired image are sent to Alibaba Cloud's AI image generation service (Qwen Image). Only the text prompt is transmitted – no personal data, client identifiers, or conversation history is included. Generated images are delivered to your AI Employee and are not retained by the provider after generation. Alibaba Cloud's privacy policy is available at alibabacloud.com/privacy-policy.
5.6 Stripe Connect (Referral Payouts)
If you participate in the Referral Programme, commission payouts are processed via Stripe Connect Express. Stripe collects and processes your identity verification and financial account details to facilitate payouts. ewpire receives confirmation of payout status but does not access or store your bank account details. Stripe Connect is subject to the Stripe Connected Account Agreement.
5.8 Third-Party Monitoring APIs
The Growth Agent's Brand Monitor module uses public-access APIs (Brand24, Google Alerts RSS, Reddit, Hacker News) to retrieve mentions of your brand from publicly available web content. Only your brand name and competitor names are transmitted to these services. We do not access, log in to, or scrape private social media accounts or profiles.
5.9 No Selling of Data
We do not sell, rent, or trade your personal data to any third party, ever. Data is shared only to the extent strictly necessary to provide and secure the Service.
6. International Data Transfers
Our primary infrastructure is hosted on European servers. However, some of our processors operate in the United States or other jurisdictions outside the European Economic Area (EEA).
We ensure adequate safeguards for all international data transfers through:
- Standard Contractual Clauses (SCCs) – adopted pursuant to the European Commission's adequacy decisions, for transfers to processors in jurisdictions without an adequacy finding. This applies to Stripe and AI model providers operating in the United States.
- Adequacy decisions – where the European Commission has determined that a third country provides an adequate level of data protection.
Copies of the relevant transfer mechanisms are available on request by contacting [email protected].
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Active subscription data (email, name, messenger ID, messages, agent configurations) – retained for the duration of your subscription plus 90 days after cancellation or termination.
- Cancelled subscription data – deleted within 90 days of cancellation, except where retention is required by law.
- Payment and invoicing records – retained for 7 years from the date of the transaction, as required by Estonian accounting law (Raamatupidamise seadus, § 12).
- VAT records – retained for 7 years in accordance with Estonian tax obligations.
- Form submissions (Custom Agent requests, Quiz responses) – retained for up to 12 months, then deleted unless you have become a subscriber.
- Server logs – retained for 90 days for security and debugging purposes, then automatically deleted.
- Referral programme data – referral records and commission history are retained for as long as your Stripe Connect account is active, plus 7 years for tax compliance. You may close your Stripe Connect account at any time by contacting us.
- Social media credentials and session data – retained for the duration of your subscription. Credentials are deleted within 7 days of agent deactivation or subscription cancellation. Session data (cookies) is deleted immediately upon agent deactivation.
8. Your Rights Under the GDPR
Under Articles 15–22 of the GDPR, you have the following rights regarding your personal data:
- Right of Access (Art. 15) – you may request a copy of all personal data we hold about you, together with information about how it is processed.
- Right to Rectification (Art. 16) – you may request correction of inaccurate or incomplete personal data.
- Right to Erasure (Art. 17) – you may request deletion of your personal data, subject to legal retention obligations (e.g., tax records).
- Right to Restriction of Processing (Art. 18) – you may request that we limit how we process your data in certain circumstances.
- Right to Data Portability (Art. 20) – you may request your data in a structured, commonly used, machine-readable format and have it transmitted to another controller.
- Right to Object (Art. 21) – you may object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
- Rights Related to Automated Decision-Making (Art. 22) – you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you. Our AI Employees are tools that assist human decision-making; they do not make decisions with legal effects without human oversight.
- Right to Withdraw Consent (Art. 7(3)) – where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
How to exercise your rights: Send a request to [email protected]. We will respond within 30 days of receipt. If the request is complex, we may extend this period by a further 60 days, in which case we will inform you of the extension within the initial 30-day period. We may need to verify your identity before processing your request.
9. Account Recovery
If you lose access to your messenger account, you may recover access to your ewpire subscription by visiting ewpire.com/recover. The recovery process works by sending a magic link to the email address associated with your Stripe subscription. Clicking the magic link verifies your identity and allows you to reconnect a new messenger account to your existing subscription. Magic links expire after a limited time and can only be used once.
10. Children's Privacy
ewpire is a business-to-business service and is not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18 years of age. If we become aware that we have collected personal data from a minor, we will take immediate steps to delete such data. If you believe we may have collected data from a person under 18, please contact us at [email protected].
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you via your connected messenger and/or the email address associated with your Stripe subscription at least 30 days before the changes take effect. The updated policy will also be posted on this page with a revised effective date. We encourage you to review this page periodically.
12. Contact
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Company: LeMans Labs OÜ
- Address: Valukoja 8/1, 11415 Tallinn, Estonia
- Email: [email protected]
13. Supervisory Authority
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:
- Authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
- Website: www.aki.ee
- Email: [email protected]
You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.