Privacy Policy
Last updated: May 10, 2026
This Privacy Policy describes how Retrograde Labs ("Retrograde Labs," "we," "us," or "our") collects, uses, discloses, and safeguards information when you use Lune (the "Service"), including:
- the Lune dashboard at luneresearch.com,
- the Lune custom connectors and apps that let you use Lune from inside third-party AI applications such as ChatGPT, Claude, Cursor, VS Code, Codex, OpenCode, Perplexity, Manus, Hermes, and other AI applications that support custom connectors or Model Context Protocol (MCP) integrations, and
- the Lune command-line application distributed under the npm
package
@retrograde-labs/lune-cli.
By creating a Lune account or otherwise using the Service you acknowledge that you have read and understood this Privacy Policy. If you do not agree, do not use the Service.
1. Information we collect
1.1 Information you provide
- Account information. When you sign up we collect your email address; if you sign in via a federated identity provider (currently Google), we receive your provider-issued ID, name, email, and avatar image.
- Profile information. Your display name, your team or organization name, and any optional profile data you supply through the dashboard.
- Payment information. Card numbers and other payment instrument data are submitted directly to our payments processor (Stripe) and are never received or stored by Retrograde Labs. We retain only the customer identifier and subscription metadata Stripe returns to us (plan, status, period dates, last four digits of the card brand for display).
- Support communications. Messages, attachments, and other content you send when contacting support.
1.2 Information generated through use of the Service
- Authentication data. A session record is created when you sign in. We never see your password — passwords are hashed and stored by our authentication provider (Supabase Auth) using industry-standard password-hashing.
- Service requests. When your AI application or the command-line app makes a request to Lune (a paper search, citation lookup, conference query, etc.), we log the request timestamp, the endpoint invoked, the API key prefix (never the full key), the response status, and the size of the response. This data is used for billing, abuse prevention, and debugging.
- Content of queries. The text of your queries (e.g., the search string you ask your assistant to look up) is processed by the Service and may be retained for a short period for diagnostics. We do not associate query content with marketing profiles, and we do not sell or share query content with third parties beyond the subprocessors listed below.
- Telemetry. Aggregate counts of API calls, error rates, and performance metrics. Telemetry is associated with your account so we can show you accurate billing and quota information.
- Cookies and similar technologies. We use a small number of first-party cookies for authentication, session management, theme preference, and active-team selection. We do not use third-party advertising cookies.
1.3 Information from third parties
- Federated sign-in. When you sign in with Google, the items listed in Section 1.1 are received from the provider per its OAuth scopes.
- Payment processor. Stripe sends us subscription lifecycle events (charge succeeded, charge failed, refund issued, etc.) so we can keep your account state in sync.
1.4 What we do not collect
We do not knowingly collect biometric data, precise geolocation, sensitive personal information (as defined by CCPA), or information about persons under 13.
2. How we use information
We use the information we collect to:
- Provide and maintain the Service, including authenticating you, routing your requests to the correct team, applying your plan and credit balance, and delivering responses to your AI application or command-line app.
- Bill you for paid plans and credit purchases through Stripe.
- Detect, prevent, and respond to security events such as abuse, credential stuffing, denial-of-service, and policy violations.
- Operate, debug, and improve the Service, including diagnosing errors, profiling performance, and identifying integrations that need attention.
- Communicate with you about service-critical events (security alerts, billing failures), product updates you have opted into, and responses to your support requests.
- Comply with law and respond to lawful requests by public authorities.
We do not train machine-learning models on your queries, your account data, or any other content you generate through use of the Service.
3. Legal bases (EEA / UK / Switzerland)
Where the GDPR or equivalent law applies, our legal bases for processing are:
- Contract. Most processing is necessary to provide the Service you have signed up for.
- Legitimate interests. Security monitoring, abuse prevention, service diagnostics, and direct communication about your account.
- Consent. Optional product-update emails and any cookies that go beyond strict necessity.
- Legal obligation. Tax, accounting, anti-fraud, and lawful process.
You can withdraw consent at any time via your account settings or by contacting [email protected].
4. How we share information
We share information only as described below. We do not sell personal information.
- Service providers (subprocessors). We engage third parties to operate the Service. These providers process information on our behalf, under written agreements, and only for the purposes we specify. The current list is in Section 7.
- AI application vendors. When you connect Lune to a third-party AI application (for example, by adding Lune as a custom connector or app inside ChatGPT, Claude, Cursor, etc.), Lune sends results ("tool responses") back to that application so your assistant can use them. The vendor's privacy policy then governs what it does with those responses inside its own product. Retrograde Labs does not transmit your account credentials, billing information, team membership, or other account state to those vendors.
- Legal compliance. We may disclose information if compelled by legal process, regulation, or to protect the rights, property, or safety of Retrograde Labs, our users, or the public, where permitted by law.
- Business transfers. If Retrograde Labs is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.
- With your direction. If you choose to share, export, or publicly post content through the Service, that content is processed accordingly.
5. Retention
We retain your information for as long as your account is active and for a reasonable period afterward to satisfy our legal obligations, resolve disputes, and enforce our agreements.
| Category | Default retention |
|---|---|
| Account profile | Until you delete the account. |
| Sessions / refresh tokens | Up to 30 days from last use, then expired. |
| Service request logs | Up to 90 days, then aggregated and discarded. |
| Billing records | As required by tax and accounting law (typically 7 years). |
| Backups | Up to 35 days, after which superseded backups are purged. |
When you delete your account through the dashboard at
/dashboard/settings/account, we cancel any active subscriptions,
revoke every API key, and remove your personal data within 30 days,
except for records we are legally required to retain (most commonly
billing records).
6. Security
We use industry-standard technical and organizational measures to protect information, including TLS 1.2+ in transit, encryption at rest, role-based access controls, principle-of-least-privilege for employee access, audit logging, and routine vulnerability monitoring. No system is perfectly secure; if we discover a security incident that affects your information, we will notify you and the relevant authorities consistent with applicable law.
7. Subprocessors
We use the following subprocessors at the date of this policy:
| Subprocessor | Purpose | Data location |
|---|---|---|
| Supabase | Authentication, primary database. | United States |
| Amazon Web Services (AWS) | Compute, storage, queues, secrets. | United States |
| Cloudflare | Edge network, DNS, DDoS protection. | Global edge network |
| Stripe | Payments processing, billing. | United States |
| Resend | Transactional email. | United States / EU |
| Sentry | Application error reporting. | United States |
We may add or replace subprocessors. Material changes will be reflected here, and (where required) advance notice will be sent to the email on file.
8. International transfers
Lune is operated from the United States. By using the Service from outside the United States, you consent to the transfer of information to the United States and processing there. Where the GDPR or equivalent law applies, we rely on Standard Contractual Clauses or an equivalent transfer mechanism with each subprocessor.
9. Your rights
Depending on where you reside, you may have rights to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Delete your information (subject to legal retention).
- Export a portable copy of your information.
- Restrict or object to certain processing.
- Withdraw consent for processing that is based on consent.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, write to [email protected]. We will verify your identity and respond within 30 days, or such other timeline as required by applicable law.
For California residents: under the CCPA you may also request a list of the categories of personal information we have shared in the prior 12 months and may direct us not to sell or share your personal information. We do not sell or share personal information for cross-context behavioral advertising.
10. Children's privacy
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will delete it.
11. Third-party links
The Service may link to third-party websites and AI applications. We are not responsible for the privacy practices of those services. We encourage you to review the privacy policies of any third party you connect to Lune.
12. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects when we last revised it. If a change is material, we will provide additional notice (for example, by email or by an in-app banner) before it takes effect. Continued use of the Service after a change becomes effective constitutes acceptance.
13. Contact
For privacy questions or to exercise your rights:
- Email: [email protected]
- Mail: Retrograde Labs, Attn: Privacy, [mailing address on file with Stripe].