Luna Privacy policy

Last updated · May 23, 2026

Privacy policy.

Luna is a tool for shops. The shop talks to its customers — we just carry the messages. Here is exactly what we touch, why, and for how long.

01. Who we are

Luna Agency (“Luna,” “we,” “us”) provides a white-label AI assistant for service businesses. We are based in Montréal. Contact: hello@luna.agency.

02. The two kinds of people in this policy

  • Clients — shop owners who sign up for Luna and use the studio, dashboard, and connected channels.
  • End customers — the people who message a shop and receive a Luna-authored reply. End customers interact with their shop, not with Luna directly.
This policy covers both, separately where the data handling differs.

03. What we collect from clients

Email address, business name, vertical, language preferences, and the 15 voice-studio answers you write during onboarding. If you connect Gmail we receive an OAuth refresh token, which is stored encrypted and can be revoked anytime from your dashboard. If you connect a Messenger / Instagram / WhatsApp page through ManyChat, we receive the API token you paste into the dashboard. Payment information is handled by Stripe — we never see card numbers.

04. What we collect about end customers (and why)

When an end customer messages a Luna-connected channel, we receive: the message body, sender identifier (handle, email, or phone), timestamp, and conversation thread. We store these so Luna can reply in context and so the client can review the conversation. We do not attempt to match end customers across shops. We do not sell or share end-customer data with anyone besides the client who owns the conversation.

05. Why we process this data

  • To generate replies in the client’s voice (sent to Anthropic’s Claude API).
  • To book appointments through the client’s Cal.com.
  • To escalate sensitive threads to the client by email.
  • To send the client daily summaries and operational emails.
  • To bill the client (handled by Stripe).

06. Subprocessors

We share data with the following providers strictly to operate the service:
  • Anthropic (Claude) — message content is sent to generate replies. Anthropic does not train on our API data.
  • Supabase — Postgres database that stores conversations, client config, and bookings.
  • Vercel — hosts the studio, landing, and widget.
  • Stripe — payment processing and subscription management.
  • Resend — transactional and summary email delivery.
  • Google (Gmail API) — only if the client connects Gmail. We read and send mail on behalf of the client’s mailbox.
  • Cal.com — booking events.
  • ManyChat — message routing for Meta channels (IG, Messenger, WhatsApp).
  • Twilio — only if the client opts in to SMS.

07. Gmail-specific disclosure

When a client connects Gmail, Luna reads their inbox to identify new customer threads and writes replies on their behalf. Luna’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer Gmail data to third parties except to provide the Luna service to the client. We do not use Gmail data for advertising. We do not allow humans to read Gmail data except (a) with the client’s express consent, (b) for security investigations, or (c) when required by law.

08. Retention

Conversations are retained while the client’s account is active. On account closure, we delete client data within 30 days, except where retention is required for legal or accounting purposes (Stripe transaction records, for example, must be kept per applicable law). Clients can request earlier deletion by emailing hello@luna.agency.

09. Your rights

If you are an end customer who messaged a Luna-connected shop, your data is controlled by that shop. Direct deletion or access requests to the shop owner, who can act on them through the Luna dashboard. We will support the shop in fulfilling lawful requests within applicable time limits (e.g., 30 days under Québec Law 25 / Canada PIPEDA, 1 month under GDPR).

If you are a client, you can access, export, or delete your data from the dashboard or by emailing us.

10. Security

All data is transmitted over HTTPS. Service-role database access is gated by a JWT held only in server-side environment variables. Per-client dashboard URLs use HMAC-signed share tokens. Gmail OAuth refresh tokens are stored encrypted at rest. We do not have a security guarantee program at this stage — if you find a vulnerability, please email hello@luna.agency and we will respond.

11. Children

Luna is for businesses. We do not knowingly process data of children under 16. If you believe we have, contact us and we will delete it.

12. International transfers

Our infrastructure providers (Vercel, Supabase, Anthropic, Stripe, Resend) operate from servers primarily in the United States. By using Luna, you consent to data being processed in jurisdictions outside your own, with safeguards consistent with applicable law.

13. Changes to this policy

We may update this policy. Material changes will be notified by email to active clients at least 30 days before they take effect. The “last updated” date at the top of the page reflects the most recent revision.

14. Contact

Email hello@luna.agency. Postal address available on request.