Privacy Policy
This Privacy Policy describes how the operator of Living Śāstra ("we", "us") collects and uses your personal data when you use Living Śāstra (the "Service"). The legal entity acting as data controller will be named here once formally incorporated.
We act as data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR). For any privacy question or to exercise your rights, email hello@livingshastra.org.
1. What data we collect and why
1.1 Account data
When you sign up: email address, optional first name, hashed password (or OAuth identifier if you sign in with Google). Lawful basis: contract (necessary to give you an account).
1.2 Usage data
The questions ("Inputs") you submit to the agents, the responses ("Outputs") the agents produce, timestamps, the agent used, and basic counters (questions per day) for quota enforcement. Lawful basis: contract (necessary to operate the Service) and legitimate interests (debugging, abuse prevention, quality improvement).
1.3 Billing data
If you subscribe to a paid tier, Lemon Squeezy processes your payment information (card details, billing address, country) and shares with us only the subset needed to maintain the subscription: customer email, plan, status, country band. We never see your card number. Lawful basis: contract.
1.4 Technical data
IP address (used for geo-band detection on the pricing page and rate limiting), browser user agent, and request logs (retained briefly for debugging and security). Lawful basis: legitimate interests (security, fraud and abuse prevention, service operation).
1.5 Communications
If you email us, we keep the email content and your address for as long as needed to handle the request and a reasonable follow-up period. Lawful basis: legitimate interests.
2. Sub-processors
We share data with the following third-party providers strictly for the purposes listed. Each is bound by a written data processing agreement that meets UK / EU GDPR requirements.
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Hetzner Online GmbH | Server hosting (compute, database, storage) | All data at rest and in transit through our servers | Finland (EU) |
| Anthropic, PBC | Large language model inference | The text of your Inputs and the Service's responses | USA (Standard Contractual Clauses) |
| Brevo (Sendinblue SAS) | Transactional email (verify, reset password, receipts) | Email address, message content | France (EU) |
| Sold through Link, LLC (Lemon Squeezy) | Payment processing, billing, tax remittance | Card details, billing address, country, transaction history | USA (Merchant of Record; Standard Contractual Clauses) |
| api.country.is | IP-based country detection on the marketing pricing page only | IP address (request-level, not stored by us) | Operated by Christopher Stoll; CDN-fronted |
We do not sell your personal data to third parties. We do not use your Inputs to train large language models for any third party, and we do not allow Anthropic to do so either — we use their API under their commercial terms which exclude training on customer data by default.
3. International transfers
Where data is transferred outside the UK or EEA (notably to Anthropic and Lemon Squeezy in the USA), we rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK addenda to provide adequate safeguards.
4. How long we keep your data
- Account and usage data: while your account is active, and up to 30 days after deletion (to allow recovery from accidental deletion).
- Billing records: 7 years from the date of the transaction (UK tax and accounting requirements).
- Email logs (Brevo): 30 days for transactional email metadata.
- Server access logs: 14 days (security / debugging).
5. Your rights
Under UK and EU GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your data ("right to be forgotten"). Subject to legal retention obligations (e.g. billing records).
- Portability — receive your data in a structured, machine-readable format. We provide a JSON export from your account settings.
- Restriction — ask us to limit how we process your data while a dispute is resolved.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where we rely on consent, you can withdraw it at any time.
To exercise any of these rights, email hello@livingshastra.org. We will respond within 30 days. You also have the right to complain to the UK Information Commissioner's Office (ico.org.uk) or your local EU data protection authority.
6. Cookies and tracking
The marketing site (livingshastra.org) and app (app.livingshastra.org) use cookies and local storage only for essential and functional purposes — session management, your theme preference, your accepted Terms version. We do not use advertising cookies, third-party tracking pixels, or cross-site analytics. If we add privacy-respecting analytics in future (e.g. Plausible Analytics, which is cookie-less and aggregates only), this page will be updated.
7. Security
We use HTTPS everywhere, hash passwords with industry-standard algorithms, store secrets in encrypted form, and apply least-privilege access to production systems. No system is perfectly secure; if we become aware of a breach affecting your data we will notify you and the relevant regulator within 72 hours as required by GDPR.
8. Children
The Service is not directed to children under 16. We do not knowingly collect data from children. If you believe a child has registered, contact us and we will delete the account.
9. Changes to this policy
The version and date at the top of this page reflect the current version. We will notify registered users by email of material changes at least 14 days before they take effect.
10. Contact
Email: hello@livingshastra.org
Postal address: available on request via the email above.