Legal

Privacy Policy

Last updated: April 21, 2026

1. Who we are

HYPERWORKS S.r.l. (“we”, “us”), based in Italy, is the data controller for personal data you provide while using the Lorenz AI workspace (the “Service”). When you connect a third-party account, we act as processor on your instructions for the data we import on your behalf.

2. What we collect

  • Account data: name, email, organisation, authentication tokens, profile preferences.
  • Content you submit: prompts, documents, conversations, uploaded files, voice recordings (only if you enable voice).
  • Integration data: emails, calendar events, contacts and similar data fetched from third-party accounts you connect (Microsoft, Google, IMAP).
  • Usage data: session logs, IP, device and browser metadata, feature usage and error telemetry.
  • Billing data: plan, invoices, payment status (card details are handled by our payment processor, not stored by us).

3. How we use data

  • Provide, operate and secure the Service.
  • Personalise the assistant’s responses using the content and preferences you authorise.
  • Execute actions you instruct (send emails, schedule tasks, search, etc.).
  • Process payments and manage subscriptions.
  • Detect and mitigate abuse, fraud, security incidents and violations of our Terms.
  • Comply with legal obligations.

We do not sell personal data and we do not use Customer Content to train foundation models shared across tenants.

4. Lawful bases (GDPR)

  • Contract performance — to deliver the Service you signed up for.
  • Legitimate interests — security, fraud prevention, product improvement, in balance with your rights.
  • Consent — for voice cloning features, optional analytics, and marketing communications; you can withdraw consent at any time.
  • Legal obligation — accounting, tax and regulatory compliance.

5. Sub-processors

We rely on a limited set of sub-processors to run the Service, including cloud infrastructure providers, AI model providers (Anthropic, OpenAI, Groq, OpenRouter), email delivery, error monitoring (Sentry) and payment processing. The current list is available on request. All sub-processors are bound by written agreements that require GDPR-compliant safeguards.

6. Data location and transfers

By default your data is processed in the European Union. AI inference may occur on EU infrastructure or, for specific models, in the United States under Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. Self-hosted or in-country deployments can restrict processing further on request.

7. Retention

We keep account data for the life of your account plus a short grace period for backups and compliance (typically 30–90 days). Conversation and integration content is retained as long as your workspace remains active; you can delete individual items at any time. Audit logs are kept for up to 12 months to support security investigations.

8. Your rights

Subject to applicable law, you have the right to access, rectify, erase, export, restrict or object to the processing of your personal data, and to withdraw consent at any time. You can exercise these rights from within the app or by contacting privacy@bibop.com.

9. Security

We apply technical and organisational safeguards including encryption in transit and at rest, tenant isolation, least-privilege access, audit logging, vulnerability management and incident response. No system is ever 100% secure; we will notify affected users of material breaches without undue delay.

10. Cookies

We use strictly necessary cookies to keep you signed in and protect the Service (CSRF, session). Optional analytics cookies are only used if you opt in. Consult the cookie banner in the app for the current list.

11. Changes

We will announce material changes to this policy at least 30 days before they take effect. The current version is always published at this URL.

12. Contact

Data protection queries: privacy@bibop.com. Legal queries: legal@bibop.com.