Privacy Policy

Effective date: May 27, 2026  ·  Last updated: May 29, 2026  ·  Clearwater Digital LLC (operating as Lasair)

This Privacy Policy describes how Clearwater Digital LLC, a Nevis limited liability company operating as Lasair ("Lasair," "we," "us," or "our"), collects, uses, discloses, and protects information when you use our software, website, and related services (collectively, the "Services"). By using the Services, you agree to the collection and use of information as described in this policy.

1. Information We Collect

We deliberately collect as little as possible. The complete inventory of personal information we collect is:

Account information. When you create an account we collect your email address, a protected password credential, the timestamp of account creation, and an internal account identifier. We do not collect your legal name, postal address, date of birth, phone number, social-media identifiers, or payment card details.

Email-verification token. When you sign up, we generate a single-use verification token and email it to you. The token expires within seven (7) days. If used, the token is invalidated immediately.

Device registration data. To enforce our one-device-per-account policy, the Lasair desktop software creates a device profile used only for pairing, account security, and credential-sharing prevention. We do not store a readable inventory of your device hardware. We also store a human-readable device label, which is set to your computer's name.

Session and authentication state. We issue limited-duration login and device tokens to authenticate your client. These tokens are stored securely on your device and are used only to keep you signed in and protect your account.

Transaction records. When you purchase Credits or a Subscription Plan, our payment processor sends us: the transaction amount, the date, the product purchased, an anonymized transaction reference, and (for subscriptions) the recurring billing identifier. We do not see or store your payment card number, expiration date, CVV, or billing address — those remain with our payment processor.

Aggregate usage counts. We track the running count of Credits consumed by your account for billing purposes. We do not log the contents of individual queries.

Webhook records. We retain raw webhook payloads received from our payment processor in order to reconcile billing events and resolve disputes. These payloads contain our payment processor's internal customer and subscription identifiers, transaction metadata, and event timestamps.

Support communications. If you contact us, we retain the content of those communications to resolve your inquiry.

Service-operational data. We log technical events necessary to operate the Services securely — error rates, IP address (transiently, for rate limiting and security), timestamps. We do not log query contents or screen captures in these logs.

2. Screen Content and Query Data

Screen captures and query content are the most sensitive data processed by the Services. Our commitments are concrete:

• Screen content is not persistently stored. When you invoke an AI feature, a screen capture is taken on your device, transmitted over an encrypted connection to our processing infrastructure, forwarded to the third-party AI inference provider that generates a response, and then discarded. No screen capture is written to durable storage at any stage of this pipeline. The screen capture exists only in transient memory.
• Query responses are not logged. The text of AI responses is streamed to your device. We do not store the text of responses in any form associated with your account, your device, or any user identifier. We retain only the running credit count used for billing.
• We do not use your Customer Data to train AI models. Lasair does not use your screen captures, query inputs, or query responses to train, fine-tune, or improve any AI or machine-learning model — our own or any third party's. Our agreements with our AI inference providers contractually require that they likewise do not retain or use your Customer Data for training, model improvement, or any purpose other than producing the response we requested for you. We do not maintain an "opt-in" model-training path; there is nothing to opt out of.

3. Overlay and Screen Capture Visibility

Lasair is designed to keep your session private during ordinary screen-sharing, screen-recording, and video-conferencing workflows. This means:

• Your Lasair session is not broadcast to common video calls, screen-sharing sessions, or screen-recording software you have not consented to share it with.
• A visible system-tray indicator is always displayed while Lasair is running, so you can confirm the software is active.
• We do not design Lasair to defeat lawful oversight by parents, employers, or administrators with legitimate authority over a device.

4. Age Eligibility

The Services are intended for users thirteen (13) years of age or older. We do not knowingly collect personal information from any individual under the age of 13. We do not offer a verifiable-parental-consent flow and the Services may not be used by anyone under 13 under any circumstances.

If we become aware that we have collected personal information from a child under 13, we will delete the account and associated data promptly. If you believe a child under 13 has created an account, please contact privacy@lasair.ai.

The Services are a general AI overlay for personal and professional workflows. They are not designed to process protected health information, government-classified information, payment-card data, or other highly regulated data unless we have expressly agreed in writing that the Services are configured for that data category.

5. How We Use Your Information

We use the information we collect only to:

• Provide, operate, and maintain the Services;
• Authenticate your account and issue session credentials;
• Enforce our one-device-per-account policy and rate limits;
• Process Credit purchases and subscription billing;
• Send transactional emails (email-address verification, password reset, billing receipts);
• Respond to support requests;
• Detect, investigate, and prevent fraud, credential sharing, and security incidents;
• Reconcile billing and resolve payment disputes;
• Comply with applicable legal obligations.

We do not use your information for advertising, behavioral profiling, data brokering, or model training.

6. Subprocessors and Information Sharing

We do not sell, rent, or trade your personal information. We share information only with the following third-party subprocessors who help us deliver the Services, each bound by a data-processing agreement requiring confidentiality, security, and prohibition on independent use of your data. The current list is published at lasair.ai/subprocessors and includes:

• Microsoft Azure (Microsoft Corporation) — cloud hosting, compute, database, data storage, and content delivery for both the marketing website and account dashboard (Azure Static Web Apps) and the Services backend (accounts, credits, device registration, session state, and transient query processing).
• Dodo Payments — payment processing, subscription billing, and webhook event delivery.
• OpenRouter — third-party API gateway used to access AI inference services.
• AI inference providers — at present these may include Anthropic, Google, OpenAI, or other model operators. Each provider is contractually prohibited from retaining your query content or using it to train any model.
• Resend — transactional email delivery (verification emails, password reset emails, billing receipts).

The subprocessors page lists each vendor, their function, the categories of data they process, and their primary processing location. We will provide thirty (30) days' notice before adding a new subprocessor with material access to your data.

We may also disclose information without your consent only when:

• Legal compliance: required by law, subpoena, court order, or to protect the rights, property, or safety of Lasair, our users, or the public;
• Business transfers: in connection with a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to equivalent privacy protections; or
• With your prior explicit consent.

7. Data Retention

• Account data is retained for as long as your account is active, plus ninety (90) days after account deletion to allow for dispute resolution.
• Device registration data is retained until you revoke the device or delete your account.
• Session tokens expire automatically twenty-four (24) hours after issuance and are then purged from our cache.
• Email-verification tokens expire seven (7) days after issuance and are then purged.
• Payment and transaction records are retained for seven (7) years for financial-compliance and tax-recordkeeping purposes.
• Webhook records are retained for two (2) years for billing-reconciliation purposes, then deleted.
• Screen captures and query content are never persistently stored (see Section 2). They exist only in transient memory during processing and are discarded as soon as the response is delivered.
• Anonymized aggregate usage counts (e.g., total queries per day, total users active) are retained indefinitely in fully de-identified form. These cannot be re-associated with any user, device, or account.
• Support communications are retained for two (2) years following resolution of the inquiry.
• Operational logs containing transient IP addresses are retained for thirty (30) days then automatically purged.

8. Security

We implement commercially reasonable technical and organizational safeguards to protect your information, including encryption in transit and at rest, protected password storage, secure device registration, strict access controls on production systems, and network-level security controls. No security measure is perfect or impenetrable. If you believe your account has been compromised, contact us immediately at support@lasair.ai.

9. Your Privacy Rights

Depending on your jurisdiction, you have the following rights with respect to personal information we hold about you. We honor these rights for every user, regardless of jurisdiction.

• Right to know / access: request a copy of the personal information we hold about you.
• Right to correct: request correction of inaccurate personal information.
• Right to delete: request deletion of your account and associated personal information, subject to retention requirements imposed by law (e.g., the seven-year tax-records retention noted in Section 7).
• Right to export / portability: request a machine-readable export of your personal information.
• Right to object / restrict processing: object to or request restriction of certain processing activities.
• Right to non-discrimination: we will not deny, charge a different price for, or provide a different level of service in response to your exercise of any privacy right.
• Right to withdraw consent: where processing is based on consent, you may withdraw consent at any time.

To exercise any of these rights, email privacy@lasair.ai with "Privacy Request" in the subject line and the email address associated with your account. We will respond within thirty (30) days. We do not require account credentials to validate a privacy request — verification is performed by email round-trip.

For California residents (CCPA / CPRA)

California residents have the rights listed above. Specifically:

• Categories of personal information collected in the preceding 12 months: identifiers (email, account identifier, internal session and device tokens, transient IP address); commercial information (Credit purchase history, subscription status); internet/electronic activity information (device registration data, technical session metadata); financial information (transaction metadata from payment processor); transient inferences derived from screen content for the purpose of generating a single response.
• Categories of sources: directly from you (account info), from your device via the Lasair desktop software (device registration data, technical session metadata, screen captures), from our payment processor (transaction metadata).
• Business purposes for which information is collected: providing the Services, authentication, fraud prevention, billing, customer support, legal compliance. See Section 5.
• Categories of personal information disclosed to subprocessors are described in Section 6.
• "Do Not Sell or Share My Personal Information." We do not sell or share personal information for cross-context behavioral advertising. There is no opt-out required because there is nothing being sold or shared in this sense.
• Authorized agent. You may designate an authorized agent to exercise privacy rights on your behalf. We will require proof of the agent's authority and verification of your identity before honoring the request.

For residents of the European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)

If you are located in the EEA, UK, or Switzerland, the General Data Protection Regulation (GDPR) and equivalent local laws apply to our processing of your personal data.

• Identity and contact details of the controller: Clearwater Digital LLC, a Nevis limited liability company. Registered office: [REGISTERED ADDRESS — UPDATE BEFORE LAUNCH]. Contact: privacy@lasair.ai.
• Lawful bases for processing:
  • Provision of the Services and account management: performance of a contract (Article 6(1)(b));
  • Payment processing and billing: performance of a contract (Article 6(1)(b)) and legal obligation for tax-records retention (Article 6(1)(c));
  • Fraud prevention, rate-limiting, security: legitimate interests (Article 6(1)(f)) — our interest in operating the Services securely and our users' interest in a secure platform;
  • Transactional emails (verification, billing, support): performance of a contract (Article 6(1)(b)).
• International data transfers: our infrastructure is operated primarily in the United States. Where personal data is transferred outside the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) as updated in 2021 (Commission Decision 2021/914), supplemented by additional technical and organizational measures, including encryption in transit and at rest. For UK transfers, we rely on the UK International Data Transfer Addendum.
• Right to lodge a complaint: you have the right to lodge a complaint with your local data-protection supervisory authority. A list of EU/EEA authorities is available at edpb.europa.eu/about-edpb/about-edpb/members_en; the UK authority is the Information Commissioner's Office at ico.org.uk.
• EU representative: if and when required under Article 27, we will designate an EU representative and publish their contact details on this page. At present we may not meet the Article 27 threshold; please contact privacy@lasair.ai with any EU-specific inquiry.
• Automated decision-making: we do not engage in solely automated decision-making producing legal or similarly significant effects on you.

10. Cookies and Tracking

The Lasair website does not use cookies. Session authentication is implemented using the browser's localStorage API, scoped to the app.lasair.ai origin for authenticated web sessions. We do not use third-party analytics cookies, advertising pixels, fingerprinting scripts, or cross-site tracking technologies. We do not embed any third-party social-media widgets or sharing buttons that would set cookies. The Lasair desktop software does not use cookies.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. Material changes will be posted on this page with an updated effective date. Where practicable, we will provide additional notice of material changes by email or through the Lasair desktop software. Continued use of the Services following notice of an update constitutes acceptance of the revised policy.

12. Contact