Privacy Policy

Last updated: 2/18/2025

1. Introduction

This Privacy Policy explains how Lilikoi ("we", "our", or "us") collects, uses, and protects your personal information when you use our platform. We are committed to protecting your privacy and handling your data in an open and transparent manner.

2. Legal Basis for Processing

We process your personal data on the following legal grounds:

• To provide our services to you
• To comply with applicable laws
• To improve our services and ensure security
• With your consent for marketing communications and optional features

3. Information We Collect

3.1 Information You Provide

• Account information (name, email address)
• Profile information (user name, avatar)
• Workspace and site configuration data
• Content you create and post on the platform
• Marketing preferences and communication settings
• Two-factor authentication settings
• Images and media files you upload
• Workspace invitation and collaboration data
• Social login information (when using social authentication)

3.2 Automatically Collected Information

• Usage data and analytics
• Device and browser information
• Log data and performance metrics
• Cookies and similar tracking technologies
• IP address and location information
• Image metadata and processing information

4. How We Use Your Information

We use your information for the following purposes:

• Providing and maintaining our services
• Processing your transactions and managing your account
• Sending you important service updates and notifications
• Analyzing and improving our platform performance
• Marketing communications (with your consent)
• Security and fraud prevention
• Managing email preferences and subscriptions
• Processing workspace invitations and collaborations
• Image processing and optimization

5. Media Storage and Processing

We handle media files (images, avatars, etc.) in the following ways:

• Images are stored securely using Vercel Blob Storage
• We process and optimize images for performance (including generating blur hashes and thumbnails)
• We support various image formats (JPEG, PNG, GIF, WebP, SVG) with a maximum file size of 50MB
• Avatar images may be processed through third-party services like DiceBear
• Images may be served through content delivery networks (CDNs) for improved performance

6. Third-Party Services

We use the following third-party services to provide our platform:

• Vercel for hosting and analytics
• Google Analytics for user behavior analysis
• Vercel Blob Storage for media storage
• Resend for email communications
• Stripe for payment processing
• Google Places API for location services
• DiceBear for avatar generation
• Cloudinary for image optimization (when applicable)
• Google OAuth for social authentication

Each of these services has their own privacy policy and may collect and process your data according to their terms.

7. Email Communications and Marketing

We send different types of emails:

• Security and account-related emails (required)
• Platform updates and feature announcements (optional)
• Marketing communications (opt-in required)
• Workspace collaboration and invitation emails

You can manage your email preferences through your account settings. While you can opt out of marketing emails, we will still send essential security and account-related communications.

8. Analytics and Tracking

We use various analytics tools to improve our services:

• Vercel Analytics for performance monitoring
• Google Analytics for user behavior analysis
• Error tracking and monitoring tools
• Speed Insights for performance optimization

9. Cookies and Local Storage

We use cookies and local storage for:

• Authentication and session management
• Remembering your preferences
• Marketing preferences
• Analytics and performance monitoring
• Invitation tracking and workspace access

10. Authentication and Account Security

We provide multiple secure authentication methods and account security features:

• Email and password authentication with strong password requirements
• Social login options (Google authentication)
• Two-factor authentication (2FA)
• Secure password reset procedures
• Email verification for new accounts
• Session management and secure cookie handling
• Account linking capabilities for trusted providers

11. Workspace Access and Collaboration

Our platform includes workspace collaboration features with the following privacy considerations:

• Role-based access control (owner, admin, member)
• Secure invitation system with expiring links (14-day validity)
• Email verification for workspace invitations
• Workspace-specific data isolation
• Member activity logging and audit trails
• Granular permission controls for workspace resources

12. Account Settings and Controls

We provide various settings and controls for your account:

• Profile settings (name, email, avatar)
• Security settings (2FA, password management)
• Communication preferences
• Workspace access controls
• Notification settings
• Marketing email preferences
• Account deletion options

13. Data Deletion and Retention

We implement a soft deletion policy for data protection and recovery. We retain your data for as long as necessary to provide our services and comply with legal obligations:

• Sites, workspaces, and workflows use soft deletion for data recovery
• Deleted items are marked with a timestamp but not immediately removed
• Audit logs are maintained for security and compliance
• Backup and recovery systems are in place to protect your data
• Data can be permanently deleted upon explicit request

Some information may be retained for legal or administrative purposes, including:

• Account information and activity logs
• Uploaded media and content
• Workspace collaboration data
• Transaction records
• Invitation and access logs
• Security and authentication records

14. Data Sharing and Third Parties

We may share your information with:

• Service providers and analytics partners
• Third-party integrations you enable
• Legal authorities when required by law
• Email service providers for communication delivery
• Team members within your workspace (limited to workspace data)
• Content delivery networks for media delivery

15. Security

We implement appropriate security measures to protect your data, including:

• Encryption of sensitive data
• Secure session management
• Regular security audits
• Access controls and authentication
• Two-factor authentication options
• IP-based security monitoring
• Secure media storage and processing

16. Your Rights Under CCPA

If you are a California resident, you have specific rights regarding your personal information under the California Consumer Privacy Act (CCPA):

• Right to know what personal information we collect about you
• Right to know whether your personal information is sold or shared
• Right to opt-out of the sale or sharing of your personal information
• Right to request deletion of your personal information
• Right to access your personal information
• Right to non-discrimination for exercising your rights

To exercise any of these rights, please contact us using the information provided in the Contact Us section. We will respond to your request within 45 days.

17. Children's Privacy

Our services are not intended for children under 13. We do not knowingly collect or maintain information from children under 13.

18. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes through our platform or via email.

19. Contact Us

For privacy-related inquiries or to exercise your rights:

• Primary Contact: privacy@lilikoi.io
• California Privacy Rights: privacy-requests@lilikoi.io

For the fastest response, please use our online privacy request form. We aim to respond to privacy requests within 45 days.

20. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of California, United States, without regard to its conflict of law provisions. Any disputes relating to this policy shall be subject to the exclusive jurisdiction of the courts of California.

21. Limitation of Liability

While we take reasonable measures to protect your personal data, we cannot guarantee absolute security. To the fullest extent permitted by law, we shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits or revenues.

22. Cookie Policy

For detailed information about how we use cookies and similar technologies, please visit our Cookie Policy. You can adjust your cookie preferences through our cookie consent manager.