Account information
We collect the email address and authentication information needed to create and secure your account.
Legal
Privacy Policy
Last updated: May 17, 2026
Privacy and Content Safety Commitment
Leku is designed to preserve your team's knowledge, not to harvest it.
We do not sell, rent, or share your personal data or workspace content with third parties for advertising, brokerage, resale, or cross-context behavioral targeting. This includes raw, aggregated, de-identified, and anonymized data.
We do not use your workspace content, personal data, transcripts, notes, files, embeddings, or queries to train AI models, improve third-party AI models, or improve unrelated services.
We may use limited operational diagnostics to provide, secure, debug, and support the Leku service.
Security and Compliance Posture
Customer content stays customer content. We use it only to provide, secure, support, and improve the Leku service for that customer.
Analytics are consent-based and are not used for advertising profiles, data brokerage, or AI model training.
Access controls, row-level database policies, audit logging, security headers, rate limits, and provider-managed encryption protect production systems.
We do not claim SOC 2 Type II, ISO 27001, HIPAA, FedRAMP, or other certification status until an applicable independent review or written agreement is complete.
The current security posture and enterprise readiness roadmap are summarized on the Security page.
Data We Collect
Workspace content
This includes notes, transcripts, tasks, questions, decisions, wiki pages, embeddings, and other content you choose to store or process in Leku.
Operational diagnostics
We collect limited request, error, audit, and security event data so we can keep the service secure, reliable, and supportable.
Consent-based analytics
If you consent, we collect limited product analytics. These analytics are not used to train AI models, build advertising profiles, or commercialize your activity.
How We Use Data
- To provide the Leku service you request.
- To authenticate users and protect accounts.
- To generate embeddings, search results, and knowledge organization features.
- To troubleshoot, secure, monitor, rate-limit, audit, and support the service.
- To comply with legal obligations and respond to valid rights requests.
AI Processing Disclosure
Leku uses artificial intelligence to power semantic search and knowledge organization. Workspace content may be sent to third-party AI processors to generate embeddings or produce requested AI outputs.
AI processors handle this data under applicable API data usage policies and data processing terms. Customer content is used for requested processing only and is not used to train AI models or improve unrelated services.
Generated embeddings are stored with managed database providers and associated with your account or workspace so Leku can return source-grounded results.
Third-Party Processors
We use service providers that process data on our behalf. They are not permitted to sell your data, use customer content for advertising, or use customer content to train their own models outside the contracted service.
| Processor category | Purpose | Data processed |
|---|---|---|
| AI processing providers | Embedding generation and requested AI processing | Workspace content submitted for requested AI features |
| Database and authentication providers | Account authentication, database storage, and access control | Account data and workspace content |
| Hosting and infrastructure providers | Frontend hosting, backend hosting, routing, and deployment | Request metadata and operational logs |
| Analytics providers | Consent-based product analytics | Consented usage events and request metadata |
| Error monitoring providers | Error reporting and diagnostic troubleshooting | Error reports and diagnostic metadata |
Retention and Deletion
- Workspace content is retained for the lifetime of your account and deleted from active systems within 30 days of account deletion unless a legal obligation requires otherwise.
- Provider backups and logs follow each provider's standard deletion cycle.
- Security audit logs follow a 12-month target retention policy; until automated cleanup is implemented, retention may be longer.
- Consented usage analytics are retained for 90 days.
- Authentication sessions expire after 90 days of inactivity.
Your Rights
Depending on your jurisdiction, you may have rights to access, correct, export, delete, restrict, or object to processing of your personal data. You may also withdraw analytics consent at any time.
California residents have the right to know, delete, correct, opt out of sale or sharing, and exercise privacy rights without discrimination. Leku does not sell or share personal data as those terms are commonly used for advertising and brokerage.
Business Customer Requests
If your organization needs a Data Processing Agreement, security questionnaire, or subprocessor review before using Leku, contact us before uploading regulated data. Business associate agreements, government workloads, and regional data residency are not currently available by default and remain roadmap items unless explicitly confirmed in a separate written agreement after readiness review.
International Data Transfers
Your data may be processed in the United States through our service providers. For users in the EEA, United Kingdom, or other jurisdictions with transfer restrictions, we rely on appropriate safeguards such as Standard Contractual Clauses and provider compliance frameworks.
Children's Privacy
Leku is not intended for individuals under 16. If we learn that a child under 16 has provided personal data, we will take steps to delete that information promptly.
Contact
Questions or rights requests can be sent to privacy@leku.app.