1. About Lurni
Lurni is operated by LURNI AI LIMITED, a private limited company registered in England and Wales (company number 16483590, incorporated 29 May 2025). The Lurni name and mark are registered with the UK Intellectual Property Office under trade mark UK00004211235 (effective 29 May 2025, registered 22 August 2025). Contact: hello@lurni.ai. Hosting: Vercel, edge-served in the EU.
2. When you browse the site
We use Vercel Analytics and Vercel Speed Insights to gather aggregated, anonymous metrics: total visitors, page views, country (not city or IP), referrer, time on page, and Web Vitals (LCP / INP / CLS). We do NOT see your IP address, identifiers, or browsing history outside Lurni. No cookies are set. This is permitted under the strictly-necessary / aggregated statistics exemption in UK PECR and EU ePrivacy.
We also fire anonymous custom events when you interact with the site — clicks on the “Get Started” / “Get Early Access” buttons, scroll depth, career card “View More” clicks, and waitlist form interactions. No personal identifiers are attached. These events feed the same Vercel dashboard as the metrics above.
3. When you submit the waitlist form
We collect the email address you enter, the date of submission, and whether you ticked the optional “career interest” checkbox. Legal basis: your consent (you submitted the form). Purpose: to notify you when Lurni launches and to send relevant product updates. Retention: until you ask us to delete it, or 3 years from your last interaction with us, whichever is earlier.
4. When you sign up or sign in with Google
When you choose Google as your sign-in method, Lurni receives a limited set of data from Google to create or recognise your Lurni account.
- Your verified email address — used to create or identify your Lurni account.
- Your basic profile (your name and, when available, profile picture) — displayed inside the app so you can recognise your own account.
- A stable Google account identifier (Google’s ‘sub’ value) — stored so we can recognise you on future sign-ins; treated as sensitive credential material, never displayed publicly, and never shared with third parties.
We request only the minimum Google OAuth scopes needed for sign-in (openid, email, profile).
We do NOT request access to your Google Drive, Calendar, Gmail, Contacts, or any other Google service. Google user data is used solely for authentication, account management, and account security purposes.
We do NOT use Google user data for advertising, profiling, analytics resale, or AI model training.
Data received from Google is stored encrypted at rest (AES-256-GCM) in our EU-resident database (Frankfurt, Germany); your name and email are encrypted with envelope encryption, and the Google identifier is stored in a form that cannot be reversed without our encryption keys.
Access to stored account data is restricted to authorised internal systems and personnel strictly when operationally required.
We do NOT sell or share Google user data with advertisers or unrelated third parties. Our only sub-processor for Google-related data is Resend (EU), used solely for transactional emails such as welcome messages, sign-in alerts, and security notifications.
Google user data is deleted within 30 days of you deleting your Lurni account.
Disconnecting Google from your Lurni account stops future Google-based authentication but does not delete your Lurni account unless you separately request account deletion.
Lurni’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
5. What we do not collect
- We do NOT use cookies for tracking.
- We do NOT share your data with advertising platforms (Meta, Google, etc.) at present. We will update this policy AND request your explicit consent via a cookie banner BEFORE any advertising tracking is enabled.
- We do NOT sell your data.
- We do NOT use your email for marketing other companies' products.
6. Your rights (GDPR + UK GDPR)
You may at any time:
- Access the data we hold about you.
- Correct inaccurate data.
- Delete your data (right to be forgotten).
- Object to processing or restrict processing.
- Port your data to another service in a machine-readable format.
- Withdraw consent at any time (where consent is the legal basis).
- Complain to your local data protection authority (ICO in the UK; the relevant DPA in your EU member state).
To exercise any of these rights, email hello@lurni.ai. We will respond within 30 days.
7. International transfers
Vercel processes data primarily in the EU but may route through US infrastructure for global edge delivery. This transfer is covered by Vercel's Data Processing Addendum and Standard Contractual Clauses. No data leaves the EU / UK for any other processor at present.
8. Children
Lurni is intended for users aged 16 and older. We do not knowingly collect personal data from anyone under 16. If you believe someone under 16 has submitted personal data to us, email hello@lurni.ai and we will take appropriate steps to delete it.
9. Security
All data is transmitted over HTTPS. Submitted emails are held on the Lurni backend in encrypted database storage with PII envelope encryption (AES-GCM at the field level, key separated from data store). We follow industry-standard security practices including HSTS preload, Content Security Policy with per-request nonce, strict referrer policy, modern HTTP security headers (Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, Permissions-Policy), and refuse server-side optimisation of SVG uploads to mitigate XSS vectors.
10. Changes to this policy
We may update this policy as Lurni evolves. We will post the new effective date at the top of the page. For material changes (new processors, new data categories, new sharing partners) we will notify waitlist subscribers by email at least 14 days before the changes take effect.
11. Contact
Questions, complaints, data requests: hello@lurni.ai.