Privacy Policy
Last updated:
This policy explains what personal data LitmusLayer collects, why we collect it, how we use and protect it, and the rights you have over it. It is written to meet the requirements of the UK General Data Protection Regulation and the Data Protection Act 2018 (United Kingdom), Regulation (EU) 2016/679 (the EU GDPR), the Privacy and Electronic Communications Regulations 2003 (PECR), and India's Digital Personal Data Protection Act, 2023 (DPDP Act).
1. Who we are and what this policy covers
LitmusLayer ("LitmusLayer", "we", "us") operates litmuslayer.com and the LitmusLayer application: a business-to-business service that monitors what AI models say about our customers' brands, verifies those statements against customer-provided facts, and produces correction and compliance records.
This policy covers our public website, the LitmusLayer application, and emails we send in connection with the service. For questions about this policy or our data practices, contact privacy@litmuslayer.com.
2. Our role: controller and processor
We act in two distinct capacities:
- As a controller for the personal data of people who create accounts, visit our website, or correspond with us — for example your name, email address and login activity. This policy describes that processing.
- As a processor for content our business customers upload or generate inside their workspace (brand facts, evidence documents, monitoring results, verification records). Our customers decide what goes into their workspace; we process it only to provide the service. If your personal data appears in a customer's workspace (for example, you are named in a document a customer uploaded), the customer is the controller and you should direct requests to them; we will assist them in responding.
3. Personal data we collect
| Category | Data | Source |
|---|---|---|
| Account data | Full name, email address, company/organisation name, role within your organisation | Provided by you at registration or by a teammate who invites you |
| Authentication data | Email address used for sign-in links; if you sign in with Google, your Google account email and basic profile (name, avatar) as shared by Google | You / Google OAuth |
| Customer content | Brand facts, uploaded evidence documents, monitoring prompts, AI model responses, verification and correction records. This is business content but may incidentally contain personal data (e.g. names of company executives) | Provided by your organisation or generated by the service |
| Usage and technical data | Server logs including IP address, browser user-agent, requested pages and timestamps, kept by our hosting provider for security and reliability | Automatically collected |
| Approval and audit records | The identity of the team member who approved, reviewed or deployed an action, with a timestamp, recorded in a tamper-evident audit ledger | Generated when you use the service |
| Payment data | When paid plans are enabled, billing is handled by Stripe. We store your plan and Stripe customer reference only — we never receive or store card numbers | You, via Stripe |
| Correspondence | Emails you send us and our replies | You |
We do not use advertising trackers, third-party analytics scripts, or social media pixels anywhere on our website or application, and we do not buy or sell personal data.
4. How we use personal data and our legal bases
Under the UK and EU GDPR we must have a legal basis for each use of personal data. These are the purposes and the corresponding bases:
| Purpose | Data used | Legal basis |
|---|---|---|
| Creating and operating your account; providing the service | Account, authentication and customer content data | Performance of a contract (Art. 6(1)(b)) |
| Sending service emails: sign-in links, team invitations, weekly reports, critical risk alerts | Name, email address | Performance of a contract (Art. 6(1)(b)) |
| Maintaining the tamper-evident audit ledger required for our customers’ regulatory evidence | Approval and audit records | Legitimate interests (Art. 6(1)(f)) — ours and our customers’ interest in verifiable compliance records |
| Securing the service: abuse prevention, access control, incident investigation | Usage and technical data | Legitimate interests (Art. 6(1)(f)) — keeping the service and its data safe |
| Billing and account administration (when paid plans are enabled) | Account and payment data | Performance of a contract; legal obligation (Art. 6(1)(c)) for tax and accounting records |
| Responding to your enquiries | Correspondence | Legitimate interests (Art. 6(1)(f)) |
| Complying with law, regulators and courts | Any of the above, as required | Legal obligation (Art. 6(1)(c)) |
We do not send marketing email. If we ever introduce it, it will be opt-in with a working unsubscribe link in every message, as required by PECR and the ePrivacy Directive.
We do not make any decision producing legal or similarly significant effects about individuals by solely automated means. AI-generated classifications inside the service relate to statements about brands, are subject to confidence thresholds, and material actions require explicit human approval by your team before anything is deployed.
5. How AI models are used in the service
LitmusLayer's purpose is to check what AI models say about brands. To do this, the service sends limited content to AI model providers via their business APIs:
- Monitoring queries — synthetic, buyer-style questions about a customer's brand are sent to Google (Gemini) and Groq (Llama) to capture what those models say. These queries contain brand names and product questions, not your account credentials or profile data.
- Verification — AI responses and the customer's brand facts are sent to Anthropic (Claude) to extract and verify factual claims, and to Jina AI to compute text embeddings for matching.
We use these providers under their API terms for business customers. Anthropic and Groq do not use API content to train their models. Content sent to model APIs is the minimum needed to perform the check, and results are stored in your workspace, not the provider's consumer products.
Where content shown to you was generated by an AI model (for example, draft correction text or report summaries), the interface identifies it as AI-generated and it requires human review before use, consistent with the transparency principles of Article 50 of the EU AI Act.
6. Where data is stored and international transfers
Your account data and customer content are stored in our database hosted by Supabase in the European Union (AWS eu-central-2, Zurich region infrastructure). Transactional email is sent from Resend's EU region (eu-west-1, Ireland).
Some of our providers process data in the United States (see section 7) — for example when content is sent to an AI model API or when our hosting provider serves requests. Where personal data is transferred outside the UK, EEA or India, we rely on:
- the EU–US Data Privacy Framework, where the provider is certified;
- European Commission Standard Contractual Clauses (SCCs) and, for UK transfers, the UK International Data Transfer Addendum; and
- the providers' data processing agreements incorporating those safeguards.
8. How long we keep data
| Data | Retention period |
|---|---|
| Account data | While your account is active, then deleted within 30 days of a verified deletion request or account closure |
| Customer content (brand facts, monitoring results, verification records) | While your organisation’s workspace is active; deleted on workspace deletion, subject to the audit ledger exception below |
| Audit ledger entries | Up to 6 years, reflecting statutory limitation periods for the legal and regulatory claims the ledger exists to evidence. Entries reference user IDs and actions, are cryptographically chained, and cannot be edited — see section 10 on how erasure requests interact with this |
| Server logs | Retained by our hosting provider for a short rolling window (typically 30 days or less) for security and diagnostics |
| Billing records | As required by tax and accounting law (typically 6–7 years) |
| Correspondence | Up to 2 years after resolution of the enquiry |
9. How we protect data
- All traffic is encrypted in transit (TLS/HTTPS with HSTS); data is encrypted at rest by our database provider.
- Every organisation's data is isolated by database row-level security — one customer can never query another customer's records.
- Passwordless authentication (email sign-in links / Google OAuth) — we never store passwords.
- Compliance records are written to an append-only, SHA-256 hash-chained audit ledger, making tampering detectable.
- Uploaded documents are validated, size-limited and screened before ingestion; server-side keys are never exposed to the browser.
- Access to production systems is restricted to authorised personnel.
10. Your rights (UK and EU)
If you are in the UK or EEA, you have the right to:
- Access — obtain a copy of the personal data we hold about you;
- Rectification — have inaccurate data corrected;
- Erasure — have your data deleted where no legal ground requires its retention;
- Restriction — limit how we process your data while a dispute is resolved;
- Portability — receive your data in a structured, machine-readable format;
- Objection — object to processing based on legitimate interests; and
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any right, email privacy@litmuslayer.com from the address associated with your account. We respond within one month, extendable by two further months for complex requests (we will tell you if so). We may ask for information to verify your identity before acting.
A note on the audit ledger: ledger entries are legally required to be tamper-evident and are retained under our legitimate interest in defending legal claims and evidencing regulatory compliance (Art. 17(3)(e) GDPR). Where you request erasure, we delete or anonymise your account data everywhere else; ledger entries retain only the minimal reference needed to preserve the integrity of the compliance chain.
11. Additional information for India (DPDP Act 2023)
Where we process the digital personal data of individuals in India, we act as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 and you are a Data Principal. In addition to the practices described above:
- We process your personal data only for the lawful purposes described in section 4, with your consent given at sign-up or for legitimate uses recognised by the Act (such as voluntary provision of data for a service you request).
- You have the right to access a summary of your personal data and the processing activities applied to it, the right to correction, completion and updating, the right to erasure once the purpose of processing is served and no legal retention applies, and the right to nominate another individual to exercise your rights in the event of death or incapacity.
- You may withdraw consent at any time by emailing us; withdrawal is as easy as giving consent and does not affect processing already carried out.
- Grievance redressal: contact our Grievance Officer at privacy@litmuslayer.com with the subject line "DPDP Grievance". We acknowledge grievances promptly and aim to resolve them within the timelines prescribed under the Act and its Rules. If you are not satisfied with our response, you may complain to the Data Protection Board of India.
- We do not process the personal data of children or undertake tracking or behavioural monitoring of, or targeted advertising directed at, children.
13. Children
LitmusLayer is a business tool and is not directed at children. We do not knowingly collect personal data from anyone under 18 (India) or under 16 (UK/EEA). If you believe a child has provided us personal data, contact us and we will delete it.
14. Data breaches
If a personal data breach occurs that is likely to result in a risk to your rights, we will notify the relevant supervisory authority without undue delay (and within 72 hours where the UK/EU GDPR applies), notify the Data Protection Board of India and affected Data Principals where the DPDP Act applies, and inform affected users directly where the risk is high.
15. Changes to this policy
We may update this policy as the service or the law changes. The "Last updated" date at the top always reflects the current version. For material changes, we will notify account holders by email or an in-app notice before the changes take effect.
16. Contact and complaints
Privacy questions, rights requests and grievances: privacy@litmuslayer.com
You also have the right to lodge a complaint with a supervisory authority:
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
- European Union: the data protection authority in your member state (list at edpb.europa.eu)
- India: the Data Protection Board of India
© 2026 LitmusLayer
Back to home