Privacy Policy

Last Updated: April 2026

1. Introduction

Loki Labs ("Loki", "we", "our") operates messaging products under the Loki umbrella, including Loki Messages (a transactional iMessage API), Loki Chat (AI agents that appear as contacts), and Beside (a consumer chatbot at beside.chat). This Privacy Policy explains what information we collect, how we use it, and the choices you have.

This policy applies to lokimessages.com and all subdomains, as well as the consumer service at beside.chat.

2. Data Controller

For the purposes of the EU General Data Protection Regulation (GDPR), the Polish Personal Data Protection Act, and the UK GDPR, the data controller is:

Loki Labs
ul. Chmielna, Warszawa
Poland
Email: privacy@lokimessages.com

The supervisory authority in Poland is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, UODO), uodo.gov.pl.

3. Information We Collect

Account information

  • Name, email address, and (for OAuth sign-in) your provider user ID
  • Organization name, role, and billing contact
  • API keys and webhook endpoints you configure

Messaging content and metadata

  • The phone numbers and email handles you connect, and the messages sent and received through them
  • Message timestamps, delivery receipts, read receipts, reactions, and attachments
  • Conversation transcripts associated with AI agents you operate

Billing information

  • Payment method details are processed by Stripe; we store only a token reference and the last 4 digits of the card
  • Invoice history, usage metrics, and tax identifiers

Technical data

  • IP address, user agent, device identifiers
  • Cloudflare and Sentry logs for security and reliability
  • Cookies for session authentication on .lokimessages.com

Beside-specific data (consumers)

  • Coarse and (with your permission) precise location, used to give location-aware recommendations
  • Conversational preferences derived from prior messages with the Beside agent

4. How We Use Information

  • To deliver, operate, and improve the products
  • To authenticate users and protect against abuse
  • To bill you and comply with tax and accounting obligations
  • To send transactional notifications (sign-in alerts, billing, security)
  • To respond to support requests
  • To comply with legal obligations and enforce our Terms

We do not sell personal information, and we do not use your messaging content to train third-party AI models.

5. Legal Bases for Processing (GDPR)

Under the GDPR and the UK GDPR, we process personal data on the following legal bases:

  • Contract (Art. 6(1)(b)) — to provide the Services you or your organization signed up for
  • Legitimate interests (Art. 6(1)(f)) — to secure the Services, prevent fraud and abuse, and improve reliability
  • Legal obligation (Art. 6(1)(c)) — to retain records required by tax, accounting, or communications law
  • Consent (Art. 6(1)(a)) — where required, for example for precise location in Beside

6. AI Model Providers

Loki Chat and Beside route messages to third-party AI model providers (currently Anthropic, OpenAI, Google, and Cloudflare Workers AI) chosen by the operator of each agent. These providers process the message text needed to generate a response under their own privacy and data-retention terms. Where supported, we use the providers' zero-retention or no-training endpoints.

7. Sharing

We share information only with:

  • Service providers — Cloudflare (hosting and email), Stripe (billing), Sentry (error monitoring), the AI model providers listed above, and (for SMS-eligible numbers in the past) carrier-side intermediaries
  • Operators of agents — when you message an agent built on Loki Chat, the operator of that agent receives the transcript
  • Legal disclosures — when required by law, subpoena, or to protect rights and safety
  • Business transfers — in connection with a merger, acquisition, or sale of assets, with notice to you

8. Retention

We retain account information for the life of your account and for a reasonable period afterward to satisfy legal and audit obligations. Messaging content is retained while the associated handle is active; you can delete individual messages or conversations through the dashboard or API. Backups are purged on a rolling basis (typically within 30 days).

9. Security

We use industry-standard controls including TLS for data in transit, encryption at rest for D1 and R2 storage, ES256-signed session tokens, and least-privilege access for personnel. No system is perfectly secure; please report suspected vulnerabilities to security@lokimessages.com.

10. Your Rights

To exercise any right below, contact privacy@lokimessages.com. We may need to verify your identity before responding and will reply within the timeframes required by applicable law.

EU / EEA / UK residents (GDPR, UK GDPR): you have the right to access, rectify, erase, restrict, and object to processing of your personal data; the right to data portability; and the right to withdraw consent at any time (withdrawal does not affect the lawfulness of prior processing). You also have the right to lodge a complaint with your national supervisory authority — in Poland, the President of UODO (uodo.gov.pl).

California residents (CCPA/CPRA): you have the right to know what personal information we collect, to delete it, to correct it, to opt out of any sale or sharing, and to limit our use of sensitive personal information. We do not sell personal information. Authorized agents may submit requests on your behalf with proper documentation.

Other jurisdictions: you may have similar rights under local law. We honor substantive rights on a global basis where operationally feasible.

11. Children

The Loki products are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact privacy@lokimessages.com and we will delete it.

12. International Transfers

We operate primarily on Cloudflare's global edge network, which means your data may be processed in countries outside the EEA (including the United States). Where personal data is transferred out of the EEA/UK, we rely on appropriate safeguards under Chapter V of the GDPR, such as the European Commission's Standard Contractual Clauses (SCCs), adequacy decisions, or processor commitments under the EU-U.S. Data Privacy Framework where applicable.

13. Cookies

We use a single first-party authentication cookie (__session) scoped to .lokimessages.com to keep you signed in across our subdomains. This cookie is strictly necessary for the Service and does not require consent under the ePrivacy Directive. We do not use third-party advertising or analytics cookies.

14. Changes

We may update this policy from time to time. Material changes will be communicated by email or through the dashboard at least 30 days before they take effect.

15. Contact

Loki Labs
ul. Chmielna, Warszawa
Poland
Email: privacy@lokimessages.com