Privacy Policy

ProductLobster is operated by ProductLobster, Inc. ("ProductLobster", "we", "us"). References in this policy to "the Service" cover our marketing website at productlobster.ai, the authenticated application at app.productlobster.ai, and any APIs we publish for builders.

This policy applies to people who visit our marketing site, request beta access, sign up for an account, or upload content into a ProductLobster workspace.

Account information. When you create an account through Clerk, we receive your email address, your display name, and a Clerk-provided user ID. We do not receive or store your password.

Workspace content. The product ideas, descriptions, chat messages, and documents you submit to your workspace are stored so we can run analyses and persist your product context across sessions. This content is used only to power the Service for your account; we do not use it to train third-party foundation models.

Usage telemetry. We collect privacy-respecting product analytics through PostHog (event counts, pipeline stage durations, feature usage). These events include internal IDs but never your raw product text, chat messages, or document contents.

Operational logs and error monitoring. We log HTTP request metadata, server errors, and security events (rate limits, authentication failures, prompt-injection signals) for reliability and abuse prevention. These logs exclude product content and chat bodies.

Billing information. When paid plans are available, billing is handled by Stripe. ProductLobster receives a Stripe customer ID, subscription status, and last-four card metadata — never full card numbers.

We use the information we collect to:

• Run the AI analyses, prototypes, and chat features that the Service promises.
• Maintain a per-workspace knowledge graph so your context compounds over time.
• Protect the Service from abuse, fraud, and prompt-injection attacks.
• Diagnose errors, monitor uptime, and improve performance and quality.
• Communicate with you about your account, billing, and material product changes.

We do not sell personal information, and we do not share workspace content with third parties except as described in the next section.

We rely on a small set of vetted subprocessors to operate the Service. Today these include Clerk (authentication), Stripe (billing), Railway (hosting and Postgres), Inngest (durable workflow execution), OpenRouter and our underlying model providers (Anthropic and OpenAI for LLM calls), Bunny.net (document and asset CDN), Resend (transactional email), Arcjet (bot and abuse protection), Sentry (error monitoring), PostHog (product analytics), and Arize Phoenix (LLM observability). We update this list as the Service evolves; contact us if you need the current list in writing.

Account and workspace data are retained for the life of your account. You may delete a workspace from inside the app at any time; deletion removes the workspace's documents, knowledge graph entries, chat history, and prototypes. We retain operational logs and security events for up to 90 days, and billing records as required by tax and accounting law.

You can request deletion of your account by emailing us at the address in section 9; we'll process the request within a reasonable time consistent with applicable law.

Depending on where you live, you may have rights to access, correct, export, or delete the personal information we hold about you, and to object to or restrict certain processing. You can exercise these rights by contacting us at the address in section 9. We will respond within the timelines required by applicable law.

You can opt out of non-essential cookies and analytics by changing your browser settings; the Service may still set cookies necessary for authentication and session management.

We process and store data in the United States. If you access the Service from another region, you understand that the information you provide will be transferred to and processed in the United States, and you consent to that transfer.

We use industry-standard safeguards — encryption in transit, scoped database access, hardened authentication via Clerk, layered prompt- injection defenses on LLM inputs, and continuous error monitoring — to protect personal information. No system is perfectly secure; if we ever experience a breach that affects your data, we will notify you in accordance with applicable law.

Questions about this policy, your data, or a deletion request? Reach out to zhello example ai.

We may update this policy from time to time. The "Last updated" date at the top of the page always reflects the most recent revision. Material changes will be communicated by email or in-app notice before they take effect.