Privacy Policy

Overview

Levlr ("we", "our", "us") operates the AI procurement analysis platform available at levlr.io and its subdomains. This Privacy Policy explains how we collect, use, and protect information when you use our services.

By using Levlr, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the service.

What We Collect

Account information

When you create an account, we collect your email address and a password (stored as a one-way hash). You may optionally provide your name and company. We do not collect payment card details directly — all billing is handled by Stripe, which is PCI-DSS Level 1 certified.

Usage data

We collect anonymised usage telemetry: which analysis engines you use, how many analyses you run, general session duration, and error rates. This data does not include the contents of your documents. It is used to improve product reliability and prioritise features.

Communications

If you contact us by email or submit a free analysis request, we store the email address and message content to respond to your enquiry and deliver your results. Free analysis result emails are sent via our transactional email provider (Resend) and are retained for 30 days for deliverability purposes.

Technical data

We collect standard server logs including IP address, browser type, referring URL, and timestamps. These are retained for up to 90 days for security and abuse prevention purposes.

Your Documents

Document content is transmitted to Google's Gemini API for AI analysis. This transmission is covered by Google's API data processing terms, which prohibit Google from using API-submitted data to train its models. You can review Google's API data usage policies at ai.google.dev/gemini-api/terms.

We never use your procurement documents, bid data, or contract contents to train our own models or any third-party model.

How We Use Your Data

We use the data we collect for the following purposes:

• Service delivery — to run analyses, deliver results by email, and maintain your account history
• Product improvement — anonymised usage patterns to fix bugs, improve accuracy, and prioritise features
• Security — to detect and prevent abuse, fraud, and unauthorised access
• Communications — to send you your analysis results, account notices, and (with your consent) product updates
• Legal compliance — to comply with applicable law, regulations, and lawful requests from authorities

We do not use your data for advertising. We do not sell your data to any third party. We do not use your documents or analysis results for any purpose other than delivering the service to you.

Data Sharing

We share data only with the following categories of service providers, under contractual obligations that restrict their use of the data:

• Supabase — database and authentication (account data, session history). Hosted on AWS US-East.
• Google Gemini API — AI analysis processing (document content, in transit only, not stored)
• Vercel — hosting and edge compute infrastructure
• Stripe — payment processing (billing data only; we never see raw card numbers)
• Resend — transactional email delivery (email address and analysis result content, 30-day retention)

We do not share your data with advertisers, data brokers, or analytics resellers. We do not sell personal data under any circumstances.

In the event of a merger, acquisition, or sale of assets, user data may be transferred to the acquiring entity, subject to the same privacy protections described here. We will notify affected users by email prior to any such transfer.

Data Retention

• Documents: Never stored — discarded immediately after analysis
• Analysis results (saved sessions): Retained until you delete them or close your account
• Account data: Retained for the life of your account, plus 30 days after deletion
• Email addresses (free analysis): Retained for 90 days, then deleted unless you create an account
• Server logs: 90 days
• Billing records: 7 years (legal requirement)

Security

We take the security of construction procurement data seriously. Our security measures include:

• TLS 1.3 encryption for all data in transit
• In-memory-only document processing — no documents written to persistent storage
• Supabase row-level security — users can only access their own data
• Server-side API key management — your AI analysis requests are proxied server-side; API keys are never exposed to the browser
• SOC 2 Type II certification in progress — enterprise security controls currently being audited by an independent third party

No system is perfectly secure. If you discover a security vulnerability, please report it to [email protected]. We aim to respond to security reports within 24 hours.

GDPR Rights (EEA & UK Users)

If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:

• Access — you can request a copy of the personal data we hold about you
• Rectification — you can correct inaccurate data via your account settings or by contacting us
• Erasure — you can request deletion of your account and associated data
• Portability — you can request your data in a machine-readable format
• Restriction — you can ask us to restrict processing of your data in certain circumstances
• Objection — you can object to processing based on legitimate interests
• Withdraw consent — where processing is based on consent, you may withdraw it at any time

Our lawful basis for processing is: contract performance (to deliver the service you signed up for), legitimate interests (security, fraud prevention, product improvement), and consent (marketing communications).

To exercise any of these rights, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.

CCPA Rights (California Residents)

Under the California Consumer Privacy Act (CCPA), California residents have the right to:

• Know what personal information we collect and how it is used
• Request deletion of personal information
• Opt out of the sale of personal information (we do not sell personal information)
• Non-discrimination for exercising CCPA rights

To submit a CCPA request, email [email protected] with the subject line "CCPA Request." We will verify your identity and respond within 45 days.

Cookies & Tracking

We use a minimal set of cookies necessary to operate the service:

• Session cookies — to keep you logged in (Supabase authentication token, first-party, session-scoped)
• Preference cookies — to remember your UI preferences such as currency selection (first-party, 1-year expiry)

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not use Google Analytics, Facebook Pixel, or similar advertising-network trackers. If we add analytics in the future, we will update this policy and provide an opt-out mechanism.

Children's Privacy

Levlr is a business-to-business software service. It is not directed at children under the age of 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision. Continued use of the service after a policy update constitutes acceptance of the revised terms.

Contact Us

For privacy-related questions, data requests, or to exercise your rights:

• Email: [email protected]
• Security issues: [email protected]
• General: [email protected]

Levlr · levlr.io · Privacy Policy · Effective March 1, 2026