Privacy Policy
Last updated: 2026-05-22
Who we are
Lacuna provides PDF redaction software. The service is operated by Lacuna ("we", "us"). You can reach us at privacy@lacunapdf.com.
What this notice covers
This explains what personal data we collect when you use the Lacuna website (lacunapdf.com) and dashboard, why we collect it, who we share it with, how long we keep it, and what rights you have over it.
Data we collect
- Account data — when you sign up: your email and name. Handled by Clerk on our behalf.
- Payment data — when you subscribe: billing email, payment method, billing address. Handled by Stripe; we never see your card number.
- File data — when you redact a PDF: the PDF bytes, a SHA-256 hash, file size, page count, and the engine you chose. While a job is awaiting your review, we also store the detected sensitive text and up to ~30 characters of surrounding context so you can decide what to redact. These snippets are deleted from our database before the job moves to a terminal state.
- Usage data — request logs (HTTP method, route, status, latency, request ID, your tier). We strip personal data (emails, phone numbers, names, account numbers, filenames) from log lines before they are written. Error reports go to Sentry with the same scrubbing.
- Cookies / session storage — Clerk sets a session cookie when you sign in. The hero demo writes a small
lacuna:hipaa-attested-v1flag in your session storage to remember you've seen the attestation. We don't use marketing or analytics cookies.
Why we use it (legal basis)
- To provide the service (contract, GDPR Art. 6(1)(b)): everything required to redact your PDF and deliver the result back to you.
- To bill you (contract): subscription management via Stripe.
- To keep the service running and abuse-free (legitimate interest, Art. 6(1)(f)): error monitoring, rate limiting, fraud signals, audit-log integrity.
- To meet legal obligations (Art. 6(1)(c)): tax records, responding to lawful requests.
We don't run ads. We don't sell your data. We don't train AI models on your data.
Who we share it with
We use a small set of sub-processors to run the service. The full list — including what each one sees and where it's processed — is at /legal/subprocessors. In short: Cloudflare R2 stores your PDFs; Supabase runs the database; Fly.io runs the API and workers; Stripe handles payments; Clerk handles authentication; Resend sends transactional email; Sentry captures errors (with PII scrubbed). Detection — including the AI pass — runs on our own Fly.io workers; page text is not sent to any third-party AI service.
We don't share your data with anyone else except when a court compels us, or when you tell us to.
Where your data is processed
Our infrastructure runs in the United States (Cloudflare R2, Supabase, Fly.io us-east). If you're outside the US, your data is transferred to and processed in the US. We rely on the EU Standard Contractual Clauses with each sub-processor as the transfer safeguard.
How long we keep it
- Source PDF: deleted from primary storage when the job reaches a terminal state (completed, cancelled, or failed).
- Redacted PDF: kept for the retention window of your tier — Free 1 hour, Solo 7 days, Team 30 days. API and Enterprise retention is set by individual contract.
- Detected text snippets in our database: nulled before the job's status flips to a terminal state.
- Account data: kept while your account is active.
- Billing records: kept for 7 years after your last invoice (US tax retention).
- Audit log: kept for the life of the account, then 90 days after deletion. The audit log records what happened (job submitted, redacted, downloaded) but never the PDF content itself.
- Saved redaction glossaries (Solo and above): term lists you curate to pre-redact across jobs. Stored in our database alongside other account data; kept while your account is active. Term contents are JSONB on the
org_glossariestable — they live in the same backup window as account data (below) and are scrubbed in audit-log projections (counts only). - Database backups: roll off within the sub-processor's recovery window (typically ~7 days at Supabase). This includes account data and saved glossary terms (which may contain client names or internal codes your firm chose to curate). Original PDF content is never in backup — it's deleted from primary storage on completion and was never persisted long enough to land in a backup snapshot.
Your rights
You can:
- Access the data we hold about you. Use "Download my data" in Settings → Privacy or email privacy@lacunapdf.com.
- Correct anything that's wrong. Update your profile in the dashboard or email us.
- Delete your account and data. Use "Request account deletion" in Settings → Privacy. The workflow and SLA are at /security/deletion.
- Export your data in a portable format (JSON) — same surface as the access right.
- Object to processing based on legitimate interest, or restrict processing while a dispute is open — email privacy@lacunapdf.com with the specific processing and your reason.
- Withdraw any consent you gave — for example, turning off the AI detection pass in your organisation settings.
- Complain to your local data-protection authority. EU residents can find the right one at edpb.europa.eu.
We respond to data-subject requests within 30 days. There's no charge for the first request in any 12-month period.
Automated decisions
Our detection engines (a deterministic pattern engine plus an AI model, both running on our own infrastructure) flag spans of text that may be sensitive. You always review and approve what gets redacted before the operation is committed. We don't make any decision about you based solely on automated processing — every redaction is human-confirmed.
Children
Lacuna is a business product. It isn't directed at children and we don't knowingly collect data from anyone under 16.
Security
We encrypt data in transit (TLS) and at rest (provider-managed). The redaction pipeline removes text from the PDF object stream and strips embedded files, scripts, attachments, and metadata in a sanitization pass before the file is written back. The broader security and deletion model is at /security/deletion; vulnerability reporting is at /legal/security.
Changes to this notice
We'll post material changes here and email registered users when a change affects them. The "Last updated" date at the top of this page moves on every change.
Contact
- Privacy questions: privacy@lacunapdf.com
- General support: support@lacunapdf.com
- Security reports: security@lacunapdf.com