Legal

Privacy Policy

Last updated 28 June 2026

1. Data Controller

LeMans Labs OÜ · Estonian Commercial Registry 16872044 · Valukoja 8/1, 11415 Tallinn, Estonia · operating the ewpire platform (ewpire.com) · Contact: [email protected]. We operate under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus). A statutory Data Protection Officer is not required; data-protection queries reach us at the contact address above.

What ewpire is. ewpire is a full-cycle platform for founders – "from idea to empire" – built on one shared engine: best model per task plus consensus verification. It comprises three products that form a single funnel:

  • Ideation – a consensus of frontier large language models analyses a startup idea (niche, competitors, demand, market sizing TAM/SAM/SOM) and returns a single structured report with a confidence score and a dissent map.
  • Validation – turns a saved idea into a working MVP via a white-label open-source builder (OpenHands) combined with our model routing and consensus-as-QA; it builds in a sandboxed runtime, offers a live preview, and can deploy the result to Cloudflare.
  • Traffic – generates AI-readable presence (AEO/GEO) and runs a consensus brand-truth audit of how AI systems describe the brand.

Nature of the output (important for your rights). ewpire delivers structured deliberation and estimates, not advice, and gives no guarantees. Ideation and Traffic outputs are estimates accompanied by a confidence score and a dissent map – which themselves serve as the disclaimer of certainty. Traffic is designed to increase the probability of an accurate, consistent description of a brand by AI systems; it never promises guaranteed visibility. This characterisation also governs how automated processing is described in Section 8 (Article 22).

AI interaction and AI-generated content (EU AI Act transparency). ewpire uses artificial intelligence throughout the Service. Under Article 50 of the EU AI Act (Regulation (EU) 2024/1689), whose transparency obligations apply from 2 August 2026 (and as informed by the AI Act Code of Practice published 10 June 2026): we disclose that, when you use the Ideation chat and interview, you are interacting with an AI system (Art. 50(1)); AI-generated outputs – including Validation source code and Traffic presence content – are marked as artificially generated in a machine-readable form where technically feasible (Art. 50(2)); and any AI-generated or AI-manipulated image, audio, video, or text that could be taken for authentic is disclosed as such (Art. 50(4)). In this arrangement, ewpire generally acts as the provider of the AI system and you, as the user deploying our outputs in your own business, generally act as the deployer; both roles carry their own transparency duties under Article 50, and you are responsible for the deployer-side disclosures when you publish or distribute outputs you generate with the Service.

2. What Data We Collect

  • 2.1 Account Data: email address and name (and, where supplied, a display name or organisation name). Authentication is by one-time code (OTP); we do not store passwords.
  • 2.2 Payment and Billing Data (via Stripe): name, email, billing address, country, and VAT ID where provided. Card numbers and CVV are never stored by ewpire – they are handled by Stripe (PCI DSS Level 1).
  • 2.3 Idea, Interview and Project Input Data: the idea text you submit to Ideation, your answers to the AI interview, and any business context you provide. For Validation: the project brief and instructions you give the builder. For Traffic: the brand name, website URL, site content, and competitor or positioning inputs you supply. This is the core content you entrust to the Service and may be commercially sensitive; see Section 5 on how it is processed by model providers.
  • 2.4 Generated Output Data: consensus reports (including confidence scores and dissent maps), generated MVP source code and build artefacts, the live preview, AEO/GEO presence assets, and brand-audit results. These are stored in your project workspace.
  • 2.5 Credits Ledger Data: your credit balance, the source of credits (subscription, pack, or referral), per-action credit debits (for example, an Ideation run, a Traffic generation, or a brand audit), and expiry timestamps (subscription credits expire monthly; packs within 90 days). We also store your current subscription plan tier and its expiry, used to apply your plan's benefits (such as build-queue priority and early access to features).
  • 2.6 Usage Data: IP address (used for geo and currency detection via the Cloudflare CF-IPCountry header; not persistently stored for unauthenticated visitors), browser and device information, and basic interaction logs needed for functionality, security, and fraud prevention.
  • 2.7 Cookie Data: a consent-preference record (browser storage) and, where you opt in, first-party referral-attribution and first-touch cookies (see 2.8 and Section 5). Display currency is derived from network/geo signals and not stored on your device. Product and funnel analytics (PostHog, EU Cloud) load only after you accept the Analytics category; PostHog then stores an anonymous identifier in your browser's local storage (no advertising cookie). We set no advertising or cross-site tracking cookies. See the Cookie Policy.
  • 2.8 Referral Programme Data: the referrer's identity (name, email, referral code), referral attribution records (which referred user made a qualifying first deposit, on which plan or pack, and when), and payout information. Payouts run over Stripe Connect Express, which stores the referrer's bank or debit details – ewpire does not. Attribution uses a 30-day click window via a consent-gated, first-party referral cookie. See Section 5.6 and Section 14.
  • 2.9 Communications Data: transactional emails we send (via Resend) and any support correspondence you initiate (general support: [email protected]). We do not operate any messenger, voice, or Telegram channel for the Service.

3. Legal Basis for Processing

  • 3.1 Performance of a Contract (Art. 6(1)(b)): account data; payment and billing data; idea/interview/project inputs and generated outputs (delivering the Service you purchased); the credits ledger; referral records for participants; transactional communications; account recovery.
  • 3.2 Legitimate Interest (Art. 6(1)(f)): IP for currency and geo detection; usage and server logs for functionality, security, abuse and fraud prevention; application error and performance monitoring (Sentry); and privacy-preserving, cookieless website measurement (Cloudflare Web Analytics, which sets no cookie and stores nothing on your device). A balancing test has been conducted; you may object (Section 8). Product and funnel analytics (PostHog) do not run on this legitimate-interest basis - they run only on your consent (Section 3.3); see Section 2.7.
  • 3.3 Consent (Art. 6(1)(a)): the referral-attribution and first-touch cookies; opt-in marketing communications; and product/funnel analytics (PostHog, EU Cloud), which loads only after you accept the Analytics category and stores an anonymous identifier in local storage (see Sections 2.7 and 5.9). Withdrawable at any time without affecting prior lawful processing.
  • 3.4 Legal Obligation (Art. 6(1)(c)): payment, invoicing and VAT records (7-year retention under Estonian accounting law, Raamatupidamise seadus); tax-onboarding and any tax-reporting obligations arising for referral payouts (note: we do not treat the referral programme as DAC7-reportable – see Section 14); responses to lawful authority requests.

4. How We Use Data

Service delivery (running Ideation, Validation and Traffic; storing your projects, reports, code and credits ledger); billing and payments (subscriptions, credit packs, invoices, VAT); referral attribution and payout; support and communication; legal and tax compliance; and security (fraud, abuse and incident response). Product and funnel analytics (PostHog, EU Cloud) load only after you accept the Analytics category; see Sections 2.7 and 5.9. We do not use your idea, interview, brand or generated-code content to train our own or any third party's models, and we contract our model providers on no-training commercial terms (Section 5).

5. Data Sharing

We share personal data only with the sub-processors listed below, each engaged under a GDPR Article 28 data-processing agreement and bound to act on our documented instructions. We do not operate on a "bring your own key" basis at launch: the model providers below are our direct sub-processors and we sell our own model usage to you.

  • 5.1 Consensus Large Language Model Providers (idea, interview, brand and code text sent for inference). To produce a consensus, your idea text, interview answers, brand/site content, and – for Validation – generated source code are transmitted over TLS to multiple frontier model providers simultaneously, which run inference and return results. We use these providers on their commercial / API tiers rather than consumer tiers. On those tiers, providers generally do not use API content to train their models; whether that no-training position holds for a given provider depends on the specific tier and contract in force with that provider at the time. Retention is likewise tier-dependent: several providers retain inputs and outputs for up to approximately 30 days for abuse-monitoring and safety purposes and then delete them, unless a zero-retention arrangement is contractually agreed, in which case content is not retained beyond what is needed to return the response. We do not retain your inference content as a store of record (Section 7).The providers are:

    • Anthropic (United States) – anthropic.com/legal/privacy
    • OpenAI (United States) – openai.com/policies/privacy-policy
    • Google (United States) – cloud.google.com/terms/cloud-privacy-notice
    • DeepSeek (China) – see transfer note in Section 6
    • Alibaba Cloud / Qwen (Singapore) – alibabacloud.com
    • Mistral AI (France, EU)
    • Zhipu AI / GLM (China) – see transfer note in Section 6
    • OpenRouter (United States) – universal fallback and routing layer; openrouter.ai/privacy

    Because a single deliberation may fan out to several of these providers, your idea, brand and code text may be sent to more than one provider for the same task. We select and route among them per task to obtain the best model for the job. We contract for no-training, limited-retention terms across these providers as described above; the precise commitment in force varies by provider and tier (see the [VERIFY] note in this section).

  • 5.2 Daytona (sandboxed build runtime for Validation). Receives your project brief, builder instructions and generated code in order to execute the build in an isolated environment. Build artefacts are returned to your workspace.

  • 5.3 Cloudflare (user-site hosting via Pages and Workers; CDN; edge security and DDoS protection for ewpire.com and for sites you deploy). Processes traffic data including IP addresses and provides the geo-detection header. When you deploy a Validation MVP, the deployed app and its content are hosted on Cloudflare.

  • 5.4 Stripe Payments Europe Limited and/or other Stripe entities as applicable (billing and payments; Connect Express for referral payouts). Stores card data (PCI DSS Level 1) and, for referral participants, the financial-account and identity-verification details needed for payouts; ewpire receives payout status only. stripe.com/privacy

  • 5.5 Resend (transactional email delivery – one-time codes, receipts, account and service notices). Receives the recipient email address and message content. resend.com/legal/privacy-policy

  • 5.6 Referral Payouts (Stripe Connect Express). As in 5.4: for referrers who reach the payout threshold, Stripe collects identity and financial-account details directly; we receive only the payout status. See Section 14.

  • 5.7 Infrastructure note. Our own consensus engine and Python worker run on a Hetzner VPS located in the EU (Germany). User-deployed apps are not co-located on Hetzner – they run on Cloudflare. Persistent personal data is stored on EEA infrastructure (Cloudflare EU and Hetzner Germany); the model providers in 5.1 process transient inference data only and do not serve as our store of record.

  • 5.8 Sentry (Functional Software, Inc.). Application error and performance monitoring for reliability and security. Receives error and exception events, which may include IP address and technical request context. Events are stored in Sentry's EU region (Frankfurt). No analytics cookie is set; this processing rests on our legitimate interest in a secure, reliable Service (Section 3). sentry.io/privacy/

  • 5.9 PostHog (PostHog, Inc., EU Cloud). Product and funnel analytics (page views and product events), processed only after you accept the Analytics cookie category (Art. 6(1)(a) consent). Data is stored on PostHog's EU Cloud (Frankfurt); an anonymous identifier is stored in your browser's local storage (no advertising cookie). We disable session recording and autocapture. posthog.com/privacy

  • 5.9 No Selling of Data. We do not sell, rent, or trade your personal data to any third party, ever.

6. International Data Transfers

Persistent personal data is stored on EEA infrastructure (Cloudflare EU and Hetzner Germany). Certain sub-processors process data outside the EEA: the United States (Anthropic, OpenAI, Google, OpenRouter, Stripe, Resend, Cloudflare's global edge), Singapore (Alibaba Cloud / Qwen), and China (DeepSeek, Zhipu / GLM).

For transfers to US recipients that are certified under the EU-US Data Privacy Framework (DPF), we rely primarily on the European Commission's adequacy decision for the DPF (Commission Implementing Decision of 10 July 2023) as the transfer mechanism for data falling within that recipient's active certification. For US recipients that are not DPF-certified, and for all transfers to Singapore (Alibaba Cloud / Qwen) and China (DeepSeek, Zhipu / GLM), we rely on the European Commission's Standard Contractual Clauses (Module 2, controller-to-processor) together with a transfer-impact assessment and supplementary technical and organisational measures (encryption in transit via TLS, data minimisation, no-training and limited-retention contractual terms). The SCCs also serve as our fallback for DPF-certified recipients to the extent any transfer falls outside the scope of their certification.

China-based providers (DeepSeek, Zhipu / GLM) – specific note. China is not the subject of a European Commission adequacy decision, and its legal regime may permit state access to data in ways that are difficult to challenge. We therefore subject these providers to a heightened transfer-impact assessment, restrict the categories of personal data that may reach them, rely on the SCCs (Module 2) plus supplementary measures, and route to alternative providers where the assessment so requires. Where we cannot satisfy ourselves that an adequate level of protection is maintained for a given workload, we will not route that workload to a China-based provider. A copy of the relevant transfer mechanism and assessment is available on request.

Copies of the safeguards relied upon for any transfer are available at [email protected].

7. Data Retention

  • Account and project data (idea/interview inputs, generated reports, MVP code, brand-audit results): for the life of your account. On account termination, this data is deleted from live systems within 30 days, except where longer retention is legally required (see the billing/tax and referral carve-outs below). We will certify completion of live-system deletion within that 30-day period on request.
  • Backups: residual copies of your data may persist in encrypted backups after live deletion. These backups are overwritten on a rolling cycle of at most 90 days, are not restored except for disaster-recovery purposes, and are kept encrypted in the interim.
  • Credits ledger: for the life of your account. On erasure, operational usage rows (the credits you spent on Ideation, Validation and Traffic actions) are deleted; rows that evidence a payment (subscription and pack purchases) are retained for the 7-year accounting period with your identity removed (anonymised).
  • Payment, invoicing and VAT records: 7 years (Estonian accounting law, Raamatupidamise seadus).
  • Referral programme and related financial records: for as long as the Stripe Connect account is active, plus 7 years (Estonian accounting law, Raamatupidamise seadus) to the extent the records form part of bookkeeping or invoicing. This bookkeeping retention is a carve-out from the 30-day live-deletion rule above.
  • Cookie and consent records: per the durations in Section 2.7 and the Cookie Policy. On account erasure, proof of your consent choices is retained in minimised form, decoupled from your identity, for approximately 3 years (to evidence consent and to defend potential legal claims, Art. 7(1) and Art. 17(3)(e)), then deleted.
  • Server and security logs: 90 days.
  • Transient inference data sent to model providers (Section 5.1): not retained by ewpire as a store of record; provider-side retention is governed by the no-training, limited-retention terms in Section 5.1.

8. Your Rights Under GDPR (Art. 15–22)

You have the rights of: Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17, subject to the retention obligations in Section 7), Restriction (Art. 18), Data Portability (Art. 20), Objection (Art. 21), and rights concerning automated individual decision-making (Art. 22). You may also withdraw consent at any time (Art. 7(3)).

Automated decision-making (Art. 22). ewpire's outputs are structured deliberation and estimates, not advice, and they do not produce a decision that has legal or similarly significant effects on you. A consensus report, a generated MVP, or a brand audit is delivered to you as an input to your own judgement, accompanied by a confidence score and a dissent map; you remain the decision-maker. We do not carry out solely-automated decisions producing legal or similarly significant effects within the meaning of Article 22.

Deleting your account in-app. You can erase your account yourself at any time from Settings -> Account -> Delete account. Because you are already signed in and we require a fresh one-time code at the moment of deletion, this satisfies our identity check (Art. 12(6)) and we act on it near-immediately: we revoke your sessions on every device, delete your profile, projects, idea reports, builds and operational history, take down the MVP sites we host for you (unless you choose to keep them running), and email you a durable confirmation of what was deleted and what we must retain (billing/VAT records and consent proof, as in Section 7). You can download your data first from the same screen (Art. 20).

How to exercise your rights (DSAR flow).

  1. Submit a request. Email [email protected] from the address associated with your account, stating which right(s) you wish to exercise (for example, access, erasure, portability). Requests on behalf of another person must include evidence of authority.
  2. Identity verification. To protect your data we must be reasonably satisfied of your identity before we act. We may ask you to confirm details we already hold or to verify control of your account email (for example, via a one-time code). We collect only what is necessary to verify you and do not use it for other purposes. If we cannot verify your identity, we may decline to act and will tell you why.
  3. Timing. We respond without undue delay and within one month (30 days) of receiving a verifiable request. This clock starts only once identity verification is complete. Where a request is complex or you have made a number of requests, we may extend by up to two further months; if we do, we will inform you of the extension and the reasons within the first month.
  4. No fee, with limited exceptions. We do not charge for handling a request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act, and will explain our reasoning.

You also have the right to lodge a complaint with a supervisory authority (Section 17).

9. California (CCPA / CPRA)

Categories of personal information collected in the preceding 12 months: identifiers (name, email, IP); commercial information (subscriptions, credit purchases and ledger); internet and network activity; professional, employment or business information you include in idea/brand inputs; and inferences drawn within reports. We do not knowingly collect information from individuals under 16. Sources: directly from you, your interactions with the Service, Stripe, Cloudflare, and the model providers' returned outputs.

We do not sell personal information (§1798.140(ad)). We do not share personal information for cross-context behavioural advertising (§1798.140(ah)).

California rights: to know, delete, correct, opt out of sale/sharing (the default for us), limit the use of sensitive personal information, and non-retaliation. To exercise: [email protected], subject line "California Privacy Request – [access | delete | correct]"; response within 45 days (extendable by a further 45 days). An authorised agent may submit a request on your behalf. Shine the Light (§1798.83): we do not share personal information with third parties for their direct-marketing purposes.

10. Client-Side Registration Obligations

Some jurisdictions may require a controller to register with a supervisory authority or pay a data-protection fee (for example, the UK ICO data-protection fee, Poland's UODO, Bulgaria's CPDP). For data you process through the Service in your own business, you act as the controller and ewpire acts as your processor; any such registration on your side is your responsibility. ewpire does not file, pay, or advise on these registrations.

11. Account Recovery

Access to your account is via one-time code (OTP) sent to your account email (delivered through Resend). If you lose access to that email, contact [email protected] so we can verify your identity and assist. Recovery links and codes are time-limited and single-use.

12. Children's Privacy

The Service is intended for founders and businesses and is not directed at anyone under 18. We do not knowingly collect personal data from minors and will delete any such data promptly on becoming aware of it.

13. Changes

We will notify material changes by email (via Resend) and/or an in-product notice at least 30 days before they take effect, and will post the updated effective date.

14. Referral Programme – Tax and Disclosure Framework

The referral programme pays a referrer 20% of the referred user's first deposit (their first paid credit purchase or first subscription payment), as a one-time reward, while the referrer's own subscription is active. The reward is held for about 30 days (until the refund window has closed) and then paid via Stripe Connect Express, subject to clawback if the referred user obtains a refund or cancels before payout. Attribution uses a 30-day click window via a consent-gated, first-party referral cookie. There is no minimum payout.

  • Tax responsibility. Referral rewards may be taxable income to the referrer. The referrer is solely responsible for declaring and paying any tax due in their jurisdiction. ewpire does not provide tax advice.
  • Nature of the reward / DAC7. The referral reward is a marketing commission paid for introducing a customer; it is not consideration for a "relevant activity" within the scope of EU Council Directive (EU) 2021/514 (DAC7), which covers the rental of immovable property, personal services, the sale of goods, and the rental of transport. Accordingly, we do not consider ewpire to act as a reporting platform operator under DAC7 in respect of the referral programme and we do not undertake a DAC7 reporting role for referral rewards. We collect tax-onboarding information through Stripe (for example, W-8 / W-9 forms – see below) for payout and ordinary tax-compliance purposes, not for DAC7 reporting.
  • Tax forms. Stripe may require the referrer to complete the appropriate tax documentation (for example, IRS Form W-9 for US persons, or Form W-8BEN / W-8BEN-E for non-US persons) before payout.
  • No withholding. ewpire does not withhold tax from referral payouts; gross amounts are remitted via Stripe Connect, subject to any deduction Stripe is itself legally required to make.
  • VAT / place of supply. Where a referrer acts in a business capacity, the reward may be treated as consideration for a service, with VAT and place-of-supply rules applying according to the referrer's status and location; the referrer is responsible for any VAT obligations arising on their side.
  • Disclosure obligation (FTC / EU / UK / DSA). Referrers must clearly and conspicuously disclose their material connection to ewpire whenever they promote the Service, in line with the US FTC Endorsement Guides, EU and UK consumer-protection law, and the EU Digital Services Act transparency requirements. Undisclosed or deceptive promotion is prohibited and may result in removal from the programme and clawback of rewards.

15. EU Consumer Right of Withdrawal – Waiver for Immediately Performed Digital Services

The Service supplies digital content and digital services that are performed immediately – a consensus report is generated, a build is executed, or credits are made available at once. To lose the 14-day right of withdrawal under Article 16(m) of Directive 2011/83/EU (Consumer Rights Directive) for such content, three conditions must all be met, and we implement each:

  1. Prior express consent. Before performance begins, you tick a dedicated checkbox giving your prior express consent to begin performance immediately.
  2. Acknowledgment. In the same step, you acknowledge that, by giving that consent, you will lose your right of withdrawal once performance has begun.
  3. Durable-medium confirmation (Art. 8(7)). We provide you with confirmation of the contract on a durable medium within a reasonable time and at the latest at the time performance begins, including confirmation of the consent and acknowledgment above. In practice, we send a post-purchase confirmation email recording these.

This waiver does not affect any non-waivable statutory rights you may have, including under EU and Estonian consumer-protection law for non-conforming digital content.

Online withdrawal function. Where you retain a right of withdrawal, you may exercise it using the online withdrawal function ("withdrawal button") we make available, in addition to any other clear statement. We provide this function as required by Directive (EU) 2023/2673, which mandates it from 19 June 2026.

16. Contact

LeMans Labs OÜ · Valukoja 8/1, 11415 Tallinn, Estonia.

17. Supervisory Authority

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), www.aki.ee. You may also lodge a complaint with the supervisory authority in your EU Member State of residence, place of work, or place of the alleged infringement.