Privacy Policy

Last updated: April 2026

1. Who we are

Lunar Dinos ("we", "us", "our") is operated by Lunar Dinos UG (haftungsbeschränkt), registered at Görlitzer Strasse 39, 22045 Hamburg, Germany. We are the data controller responsible for processing your personal data.

For questions about this policy or your data, contact us at: privacy@lunardinos.com

1a. Data Protection Officer

The appointment of a Data Protection Officer is not required for our company under Art. 37 GDPR. For all data protection inquiries, please contact us at privacy@lunardinos.com.

2. What data we collect

2.1 Website visitors

When you visit our website, we may collect:

  • Technical data: browser type, operating system, screen resolution, referring URL
  • Usage data: pages visited, time on site, interactions

By default, we use cookieless analytics based on a daily-rotating, non-reversible hash of your IP address and user agent. No personal data is stored. If you consent to analytics cookies, we may set session cookies for enhanced analytics. See our Cookie Policy for details.

2.2 Account registration

When you create a Lunar Dinos account, we collect:

  • Name
  • Email address
  • Password (stored as a secure hash, never in plain text)
  • Organization name

2.3 Product usage (you as a customer)

When you use Lunar Dinos as a customer, we collect:

  • Your interactions with the Lunar Dinos application (pages visited, features used)
  • Project and configuration settings
  • Integration credentials (encrypted at rest) for services you connect, such as Google Search Console, HubSpot, or Slack

2.4 Session recordings and end-user data (data processing)

Lunar Dinos records user sessions on your website or application to help you understand how your users interact with your product. When your end users visit your site with our recorder installed, we collect the following data on your behalf as a data processor:

  • DOM snapshots and mutations (visual replay of the page)
  • Click events, page navigations, and form interactions
  • Error logs and console messages
  • Page URL, title, referrer, and UTM parameters
  • Browser type, operating system, and screen resolution
  • Account and user identifiers you provide via our SDK

Automatic PII redaction: We automatically detect and redact common personal data patterns in recorded text, including email addresses, phone numbers, credit card numbers, and similar identifiers. Redacted values are replaced before storage and cannot be recovered.

Cookieless by default: Our recorder operates without cookies by default. Session identity is determined server-side using a daily-rotating, non-reversible hash. No personal data is stored on the end user's device unless your configuration explicitly enables cookies.

As our customer, you are the data controller for your end users' data. You are responsible for informing your end users about the use of session recording and obtaining any required consent. We process this data solely on your instructions under a Data Processing Agreement (Art. 28 GDPR).

2.5 Third-party integrations

When you connect third-party services to Lunar Dinos, we collect and store:

  • Google Search Console: OAuth2 tokens (encrypted) and search analytics data (queries, pages, clicks, impressions, CTR, position). Access is read-only.
  • HubSpot: OAuth2 tokens (encrypted) and CRM data you choose to sync (contacts, companies, deals). Used to enrich product analytics with customer context.
  • Slack: OAuth2 tokens (encrypted) and workspace metadata. Used to deliver notifications and alerts to your chosen channels. We do not read or store Slack message history.

You can disconnect any integration at any time, which revokes our access and deletes stored credentials.

3. Why we process your data (legal basis)

Under the GDPR, we process your personal data based on:

  • Contract performance (Art. 6(1)(b) GDPR) — for providing the Lunar Dinos service, managing your account, and processing your end users' data on your behalf
  • Consent (Art. 6(1)(a) GDPR) — for marketing emails and optional analytics cookies
  • Legitimate interest (Art. 6(1)(f) GDPR) — for cookieless website analytics (anonymized), security, and fraud prevention

4. How we use your data

We use the data we collect to:

  • Provide, maintain, and improve the Lunar Dinos service
  • Process session recordings and generate product insights on your behalf
  • Power AI-driven features such as automated analysis, pattern detection, and natural language queries
  • Send transactional emails (account verification, password reset, team invitations)
  • Communicate product updates (with your consent)
  • Comply with legal obligations

We do not sell your personal data. We do not share your data with third parties for their own marketing purposes.

5. Where your data is stored

All data is stored on servers located in the European Union (Germany). We use EU-based infrastructure providers. We do not transfer personal data outside of the EU/EEA unless explicitly stated and covered by appropriate safeguards (e.g., EU Standard Contractual Clauses).

6. How long we keep your data

  • Account data: for the duration of your account, plus any legally required retention period
  • Session recordings: according to your organization's configured retention period (default 90 days), after which recordings are automatically deleted
  • Integration data: until you disconnect the integration or delete your account
  • Website analytics: aggregated and anonymized, retained indefinitely

7. Your rights

Under the GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion of your personal data ("right to be forgotten")
  • Restriction — restrict how we process your data
  • Data portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — at any time, without affecting the lawfulness of prior processing

To exercise any of these rights, email us at privacy@lunardinos.com. We will respond within 30 days.

8. Third-party services

We use the following third-party services that may process personal data:

  • Hetzner (hosting) — EU-based, data stays in Germany
  • Scaleway (email delivery) — EU-based, data stays in the EU
  • Mistral AI (AI features) — EU-based LLM provider
  • Google Cloud Vertex AI (AI features) — data is processed in the EU (europe-west region). Subject to Google Cloud's Data Processing Addendum and EU Standard Contractual Clauses

We will update this list as we integrate additional services.

8a. Use of artificial intelligence

Lunar Dinos uses AI/LLM services (Mistral AI and Google Cloud Vertex AI) to power product intelligence features such as automated insights, pattern detection, and natural language queries. When processing data on behalf of our customers, the following applies:

  • AI processing is performed based on the customer's instructions under a Data Processing Agreement (Art. 28 GDPR)
  • Data sent to AI providers is limited to what is necessary for the specific feature
  • Mistral AI processes data within the EU. Google Vertex AI processes data in the EU (europe-west region)
  • No personal data from AI processing is used for model training by the providers
  • The legal basis for AI processing is contract performance (Art. 6(1)(b) GDPR) for product users and legitimate interest (Art. 6(1)(f) GDPR) for product improvement

9. Security

We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS), encryption of stored credentials, automatic PII redaction in session recordings, tenant-level data isolation, and access controls. Despite our efforts, no method of transmission or storage is 100% secure.

10. Children

Lunar Dinos is not directed at individuals under the age of 16. We do not knowingly collect personal data from children.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Continued use of our website or service after changes constitutes acceptance.

12. Supervisory authority

If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

The supervisory authority responsible for us is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str. 22, 20459 Hamburg
datenschutz-hamburg.de