Privacy Policy
Last updated: 2026-06-29 · v0.1 (draft)
⚠ Draft. Not legally reviewed. Have counsel adapt this for the laws you operate under — India's DPDP Act, 2023, and GDPR/CCPA if you serve those regions — before launch.
This policy explains what Lull collects, why, and your rights. Lull's design principle is to collect as little as possible to run an honest ad marketplace.
What we never collect. The Lull client is status-bar/spinner only. It does not read, store, or transmit your prompts, your code, your files, your diffs, your commits, or your terminal output. This is enforced in the open-source client, which you can audit. We do not have access to the contents of your work.
What we collect
- Account data: your email address and password (stored only as a salted scrypt hash — we never see your password).
- Device identity: a per-install device id and its public key. The private key stays on your machine; we never receive it.
- Impression/click events: device id, creative id, dwell time, a nonce, a timestamp, and a cryptographic signature. For clicks, the destination campaign.
- Technical/security data: IP address and user-agent at sign-in and on ad requests, used for fraud prevention and to show you your active sessions.
- Payout data (when you withdraw): handled by our payment partners (Razorpay for India, Stripe elsewhere); they collect what they need to pay you and verify identity.
How we use it
- To serve sponsor messages and measure qualified impressions and clicks.
- To prevent and investigate fraud (rate limits, IP analysis, deduplication, anomaly detection).
- To calculate and pay your earnings, and to operate the advertiser marketplace.
- To secure your account (sessions, login alerts, email verification).
What we share
- Advertisers see aggregate delivery (impressions, clicks, CTR) — never your identity or personal data.
- Payment partners (Razorpay, Stripe) to process payouts and advertiser charges.
- We do not sell your personal data.
- We may disclose data if required by law.
Cookies
We use a single httpOnly session cookie to keep you signed in. No third-party advertising or tracking cookies.
Retention & security
We keep data only as long as needed to run the service, meet legal/tax obligations, and resolve disputes. Passwords are scrypt-hashed; impression beacons are signed; device private keys are stored in your OS keychain. We maintain a double-entry ledger of earnings.
Your rights
You can access, correct, export, or delete your account data, and withdraw consent (which means uninstalling and closing your account). To exercise these, contact the address below. Under India's DPDP Act you may also nominate a representative and lodge grievances with our Grievance Officer.
Children
Lull is not for anyone under 18, and we don't knowingly collect their data.
Contact / Grievance Officer
Privacy requests and grievances: getlulldev@gmail.com (placeholder). A named Grievance Officer and address will be published before launch as required by the DPDP Act.