Privacy Policy
Last updated: January 24, 2026
This Privacy Policy explains how maxly LLC ("maxly LLC," "Company," "we," "us," or "our") collects, uses, discloses, and protects personal information when you use lmcanvas.ai and related services (the “Services”). By using the Services, you agree to this Privacy Policy. If you do not agree, please do not use the Services.
1. Who We Are & How To Contact Us
Data Controller: maxly LLC
Email: max@lmcanvas.ai
We are based in the United States. If you reside outside the U.S., you acknowledge your data will be transferred to and processed in the U.S. (see Section 13).
2. What We Collect
2.1 Information You Provide
- Account Data: email, password or login method, profile settings.
- User Content (“Contributions”): prompts, messages, nodes, conversation history, and (if enabled in the future) file uploads you choose to provide.
- Billing Data: email, payment method, subscription status, and transaction details (processed by Stripe; we do not store full card numbers).
- Support & Communications: emails, bug reports, feature requests, feedback.
2.2 Information Collected Automatically
- Usage Data: pages viewed, actions taken, timestamps, referral URLs.
- Device/Network Data: IP address, browser type/version, OS, device identifiers, language, time zone.
- Logs & Telemetry: error logs, performance metrics, API request metadata, request/response sizes.
- Usage Cost Tracking: for rate limiting and billing purposes, we track token usage (input/output tokens), model types, request costs, and cumulative monthly usage costs. This data is used to enforce free tier limits (daily request quotas and monthly cost caps) and paid tier limits (monthly cost caps only) and calculate pay-as-you-go charges for subscribers who enable usage-based billing.
2.3 Cookies & Similar Technologies
We use cookies/local storage to operate, secure, and improve the Services (e.g., authentication, preferences, analytics). You can control cookies via your browser; essential cookies are required for core features.
3. How We Use Personal Information (Purposes & Legal Bases)
We process personal data for:
- Provide and Maintain the Services (create accounts, host content, authenticate, troubleshoot)
  Legal basis: Contract (GDPR Art. 6(1)(b)); Legitimate interests (6(1)(f)).
- Product Improvement & Analytics (feature usage, performance, quality, A/B tests)
  Legal basis: Legitimate interests (6(1)(f)); Consent where required (6(1)(a)).
- Security, Abuse Detection & Fraud Prevention (rate limiting, suspicious activity, misuse detection)
  Legal basis: Legitimate interests (6(1)(f)); Legal obligation (6(1)(c)).
- Payments & Subscriptions (billing via Stripe, invoicing, receipts, usage-based billing calculations)
  Legal basis: Contract (6(1)(b)); Legal obligation (6(1)(c)).
- Usage Limits & Rate Limiting (tracking daily request quotas for free tier and monthly cost caps for all tiers, enforcing usage limits)
  Legal basis: Contract (6(1)(b)); Legitimate interests (6(1)(f)).
- Customer Support & Communications (respond to requests, send service notices)
  Legal basis: Contract (6(1)(b)); Legitimate interests (6(1)(f)).
- Compliance & Enforcement (terms enforcement, legal requests)
  Legal basis: Legal obligation (6(1)(c)); Legitimate interests (6(1)(f)).
4. AI Disclosures
- The Services may send your prompts and context to AI model providers for processing.
- Depending on the provider and plan, prompts/outputs may be processed or logged for abuse prevention, debugging, or service reliability.
- We will maintain an up-to-date list of AI/infra processors in this Policy (see Section 10). If you later add or change providers, we will update this list and the “Last updated” date.
If you require no-log processing for regulated data, do not input such data into the Services.
5. Your Choices
- Account Settings: manage profile and subscription in-app.
- Email Preferences: you may opt out of non-transactional emails via unsubscribe links.
- Cookies: control via browser settings; essential cookies are required for login and security.
- Export & Deletion: request export or deletion of your account and Contributions (see Section 11).
- Do Not Track: we do not respond to DNT signals due to industry variance (see Section 14).
6. How We Share Information
We do not sell or rent personal information. We share limited data with:
- Service Providers/Processors who help operate the Services (hosting, billing, analytics, logging, email).
- AI & Infrastructure Providers (for inference, logging, or performance).
- Legal/Compliance: to comply with valid legal process or prevent harm.
- Business Transfers: in a merger, acquisition, or asset sale, with reasonable notice where possible.
All processors are contractually bound to protect personal data and use it only to provide services to us.
7. Data Retention
We retain personal data only as long as needed for the purposes above:
- Account data: retained while your account is active; deleted within 30 days after deletion request or account closure, subject to legal holds.
- Conversation history (Contributions): retained while your account is active; deleted within 30 days of account closure or specific deletion request.
- Telemetry & logs: typically 30–90 days unless needed for security, debugging, or legal purposes.
- Backups: encrypted backups may persist for up to 90 days before rolling off.
- Aggregated/De-identified data: may be retained indefinitely.
If legal obligations require longer retention (e.g., tax/transaction records), we keep only what is necessary.
8. Your Rights
8.1 GDPR / UK GDPR (EU/EEA/UK Residents)
You may have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase data (“right to be forgotten”)
- Restrict or Object to processing
- Port data to another service
- Withdraw consent where processing is based on consent
To exercise rights, email max@lmcanvas.ai. We may request information to verify your identity. You also have the right to lodge a complaint with your local supervisory authority.
8.2 California Residents (CCPA/CPRA)
You have the right to:
- Know categories of personal information collected, sources, purposes, and disclosures
- Access and Port your data
- Delete personal information (subject to exceptions)
- Correct inaccurate personal information
- Opt-out of Sale/Share: We do not sell or “share” personal information for cross-context behavioral advertising.
- Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes requiring a limitation right under CPRA.
You may make requests at max@lmcanvas.ai. If you use an authorized agent, we may require proof of authorization and verification.
California “Notice at Collection”: We collect identifiers (e.g., email, IP), internet activity (usage data), and geolocation (approximate IP-based). Purposes include authentication, service delivery, security, analytics, and support. We retain information as described in Section 7.
9. Security
We use reasonable technical and organizational safeguards, including HTTPS/TLS, access controls, encryption at rest for sensitive stores where applicable, and vendor security reviews. No online service can guarantee 100% security. If we learn of a breach affecting your data, we will notify you and relevant authorities without undue delay and in accordance with law.
10. Third-Party Processors & Sub-Processors
We use trusted vendors to operate the Services:
- Stripe — payments & subscription billing (billing contact, payment method, transaction metadata).
- Helicone — AI request logging/monitoring (request metadata, performance metrics; may include prompt text if enabled).
- PostHog — product analytics (usage events, device data, approximate IP; self-hosted or cloud).
- Supabase — database and storage services (account data, user content, encrypted API key storage for BYOK features).
- AI Model Providers (as configured by us) — inference services; may process prompts and outputs transiently for quality, safety, and reliability.
We will update this list as vendors change. We require contractual commitments (DPAs or equivalent) from processors consistent with applicable data-protection laws.
11. Data Export & Deletion
- Export: You may request an export of your Contributions and account data; we will provide a standard machine-readable format where feasible.
- Deletion: You may request deletion of your account and Contributions. We will delete active records within 30 days, and backups within 90 days, unless retention is required by law.
- Verification: We may verify identity (e.g., email confirmation) before fulfilling requests.
- Appeal: If we deny your request, you may appeal by replying to the decision email; we will review and respond.
BYOK: For Pro subscriptions using Bring Your Own Key (BYOK), provider API keys are stored in encrypted form and are accessible only to authorized service systems necessary for routing requests. Administrative access to decrypted keys is restricted to essential operational systems and personnel, subject to standard access controls and procedures.
12. Children’s Privacy
The Services are not directed to children under 13. We do not knowingly collect personal data from children under 13. If you believe a child provided us data, contact max@lmcanvas.ai and we will delete it.
13. International Data Transfers
We process data primarily in the United States. If you access the Services from another country, you consent to the transfer of your data to the U.S., which may have different data-protection laws. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses for EEA/UK transfers).
14. Do Not Track
Because there is no industry consensus, we do not respond to browser “Do Not Track” signals. You can manage cookie preferences via your browser or in-product settings (where available).
15. User-Generated Content, Copyright & DMCA
You are responsible for your Contributions and must have the rights to upload them. If you believe content on the Services infringes your copyright, send a DMCA Notice to:
DMCA Agent
Email: max@lmcanvas.ai
Subject: “DMCA Notice”
Include all elements required by 17 U.S.C. § 512(c)(3). We may remove or disable content and terminate repeat infringers.
16. AI Output Caution (No Professional Advice)
AI-generated content may be inaccurate, offensive, or incomplete. Do not rely on outputs for legal, medical, financial, or other professional decisions. You are responsible for evaluating and verifying outputs before use.
17. De-identified & Aggregated Data
We may create and use de-identified or aggregated data (which cannot reasonably be used to identify you) for analytics, research, and improving the Services. We will not attempt to re-identify such data.
18. Changes To This Policy
We may update this Privacy Policy from time to time. The “Last updated” date will indicate changes. If we make material changes, we will provide reasonable notice (e.g., in-app or email). Your continued use after changes become effective constitutes acceptance.
19. Contact
If you have questions or want to exercise your privacy rights, contact:
max@lmcanvas.ai