Privacy policy
v1.0.0
3 June 2025
This Privacy Policy explains how Lunar Metrics Ltd ("we," "us," or "our") collects, uses, shares, and protects personal data in connection with our SaaS analytics tool (the "Service"). We are committed to protecting your privacy and handling your personal data in a transparent and secure manner, in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Lunar Metrics Ltd is a company registered in England and Wales with company number [Your Company Number], and our registered office is at [Your Registered Address].
1. Introduction
Our Service allows businesses to track their brand mentions on Large Language Models (LLMs) such as ChatGPT, Gemini, and others. Customers can compare their brand's mention frequency for key prompts against competitors and identify potential growth areas. This is a paid-for service, and customers create accounts through our website.
2. What Personal Data Do We Collect?
We collect personal data from you in various ways when you interact with our Service:
A. Information you provide to us directly:
Account Information: When you create an account, we collect your name, email address, company name, job title, and password.
Billing and Payment Information: If you subscribe to our paid service, we collect billing details such as your billing address, payment card information (processed securely by our third-party payment processor, who is PCI DSS compliant), and transaction history. We do not store full payment card details on our servers.
Communications: When you contact us for support, send us emails, or communicate with us through other channels, we collect the content of those communications and your contact details.
Marketing Preferences: We collect your preferences regarding receiving marketing communications from us.
B. Information we collect automatically:
Usage Data: We collect information about how you use our Service, such as the features you access, the searches you perform, the reports you generate, the time and duration of your activity, and other performance metrics.
Technical Data: We collect technical information about your device and browser, including your IP address, browser type and version, operating system, device identifiers, and referrer URLs.
Cookie Data: We use cookies and similar tracking technologies to track activity on our Service and hold certain information. Please see our separate Cookie Policy for more details.
C. Information derived from LLM analysis (non-personal data in the context of the Service):
It is important to clarify that the brand mention data we process from LLMs is not personal data in the context of our Service. Our Service focuses on tracking brand mentions, competitor mentions, and associated topics, trends, and sentiment. This data is aggregated and anonymised or pseudonymised where possible, and it does not directly identify any individual. We do not aim to collect or process personal data of individuals from the LLM outputs.
3. How Do We Use Your Personal Data?
We use the personal data we collect for the following purposes, based on the legal bases outlined below:
To provide and maintain our Service (Contractual Necessity): We use your account information to create and manage your user account, provide you with access to the Service, process your subscriptions, and deliver the core functionality of our tool.
To process payments (Contractual Necessity): We use your billing information to process payments for the Service.
To communicate with you (Contractual Necessity & Legitimate Interests): We use your contact details to send you service-related communications (e.g., account updates, security alerts, technical notices), respond to your enquiries, and provide customer support. We may also send you marketing communications if you have consented to receive them, or where we have a legitimate interest to do so (e.g., informing you about new features relevant to your use of the Service).
To improve and optimise our Service (Legitimate Interests): We analyse usage and technical data to understand how our Service is used, identify areas for improvement, troubleshoot issues, develop new features, and enhance user experience. This analysis is typically performed on an aggregated and anonymised basis.
To ensure the security of our Service (Legal Obligation & Legitimate Interests): We use technical data to monitor for and prevent fraudulent activity, unauthorized access, and other security incidents.
To comply with legal obligations (Legal Obligation): We may process your personal data to comply with applicable laws, regulations, legal processes, or governmental requests (e.g., tax, accounting, or regulatory requirements).
For business transfers (Legitimate Interests): In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will ensure appropriate safeguards are in place to protect your privacy.
4. Our Lawful Bases for Processing Personal Data
Under UK GDPR, we must have a lawful basis to process your personal data. The lawful bases we rely on are:
Contractual Necessity: Processing is necessary for the performance of a contract with you (e.g., to provide the Service you have subscribed to, manage your account, and process payments).
Legitimate Interests: Processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include:
Improving and optimising our Service.
Ensuring the security and integrity of our systems.
Communicating with you about relevant service updates or related offerings.
Conducting business transfers.
Legal Obligation: Processing is necessary for compliance with a legal obligation to which we are subject (e.g., tax laws, fraud prevention).
Consent: Where required, we will obtain your explicit consent for specific processing activities (e.g., for certain marketing communications). You have the right to withdraw your consent at any time.
5. How We Share Your Personal Data
We may share your personal data with the following categories of recipients:
Service Providers: We engage trusted third-party service providers who perform functions on our behalf, such as hosting, payment processing, customer support, email delivery, and analytics. These providers are obligated to protect your personal data and use it only for the purposes for which we disclose it to them.
LLM Providers (Anonymised Data Only): When our Service interacts with LLMs to track brand mentions, we do not share any personal data from our users with the LLM providers. The queries we send to LLMs are designed to extract brand-related information, not personal data. Any data we receive from LLMs is anonymised or pseudonymised before being processed and presented to our customers.
Business Transfers: In connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.
Legal and Regulatory Authorities: We may disclose your personal data if required to do so by law or in response to valid requests by public authorities (e.g., a court order or government agency).
Professional Advisors: We may share your personal data with our professional advisors (e.g., lawyers, accountants) for the purposes of obtaining professional advice.
We will always ensure that any sharing of your personal data is conducted in accordance with UK GDPR and other applicable data protection laws.
6. International Data Transfers
As a UK business, we strive to keep personal data within the UK or European Economic Area (EEA) where possible. However, some of our third-party service providers may operate or store data outside the UK/EEA.
When we transfer your personal data outside the UK/EEA, we will ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
Adequacy Decision: We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK Government or the European Commission.
Standard Contractual Clauses (SCCs): We will use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.
Binding Corporate Rules (BCRs): For transfers within a group of companies, we may rely on BCRs approved by the Information Commissioner's Office (ICO).
By using our Service, you acknowledge that your information may be transferred to and processed in countries outside the UK/EEA.
7. Data Security
We have implemented appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These measures include:
Encryption: Data is encrypted both in transit and at rest where appropriate.
Access Controls: Strict access controls are in place to limit access to personal data only to those employees, agents, contractors, and other third parties who have a business need to know.
Regular Security Audits: We conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
Employee Training: Our employees receive regular training on data protection and security best practices.
Data Minimisation: We only collect and store personal data that is strictly necessary for the purposes outlined in this policy.
Despite these measures, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.
8. Data Retention
We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Upon expiry of the retention period, your personal data will be securely deleted or anonymised.
9. Your Data Protection Rights
Under UK GDPR, you have the following rights regarding your personal data:
The Right to be Informed: To be informed about how your personal data is collected and used (which is the purpose of this Privacy Policy).
The Right of Access: To request access to the personal data we hold about you.
The Right to Rectification: To request that inaccurate or incomplete personal data about you is corrected.
The Right to Erasure ("Right to be Forgotten"): To request the deletion of your personal data in certain circumstances.
The Right to Restrict Processing: To request the restriction of processing of your personal data in certain circumstances.
The Right to Data Portability: To receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
The Right to Object: To object to the processing of your personal data in certain circumstances (e.g., for direct marketing purposes).
Rights in relation to Automated Decision-Making and Profiling: To object to decisions being made about you that are based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you. Our Service does not currently use automated decision-making or profiling that would have such legal or significant effects on individuals.
To exercise any of these rights, please contact us using the details provided in Section 11. We will respond to your request within one month, unless the request is complex or numerous, in which case we may extend this period by a further two months. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
10. Complaints
If you have any concerns about our use of your personal data, you can make a complaint to us directly using the contact details below.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. You can find more information on their website: https://ico.org.uk/.
11. Contact Us
If you have any questions about this Privacy Policy or our data protection practices, please contact us:
By email: hello@lunarmetrics.co
Changes to this Privacy Policy