Privacy Policy

Last updated: January 15, 2025

1. Introduction

Lantern is bug tracking software for web agencies. This policy explains what data we collect, why we collect it, and what we do with it. We keep it simple because we have nothing to hide.

By using Lantern, you agree to this privacy policy. If you don't agree, you can delete your account at any time.

2. What Data We Collect

2.1 User Account Data

When you create an account, we collect:

  • Email address - Used for login and notifications
  • Name - Displayed in the app (e.g., "Nathan Love replied to issue #123")
  • Password - Hashed with bcrypt by Supabase Auth (we never see your actual password)
  • Organization name - Your company or agency name
  • User role - Owner, admin, member, or client (determines what you can access)

2.2 Issue and Bug Data

When you create issues or comments, we store:

  • Issue titles and descriptions - What you write about the bug
  • Issue status, priority, and labels - How you categorize issues
  • Loom video URLs - We only store the URL, not the video itself (videos stay on Loom's servers)
  • Comments and attachments - Screenshots and files you upload
  • Timestamps and metadata - When issues were created, updated, etc.
  • Assignee information - Who's working on each issue

2.3 Usage Data

We automatically collect some data to keep the service running:

  • Login timestamps - When you sign in (for security)
  • Feature usage - Which pages you visit (to improve the product)
  • Browser and device type - From HTTP headers (to fix compatibility issues)
  • IP address - For security and rate limiting (not for tracking)
  • Session data - Authentication tokens to keep you logged in

2.4 Payment Data (via Stripe)

We use Stripe to process payments. Here's what we store:

  • Stripe customer ID - A reference number (not your card details)
  • Subscription status and plan - Whether you're on the Individual or Team plan
  • Billing email - May differ from your account email

We do NOT store: credit card numbers, CVV codes, or any payment details. Stripe handles all of that securely.

3. What We Don't Collect

We don't collect or store:

  • Browsing history outside the app
  • Personal communications unrelated to issues
  • Social media profiles
  • Location data (except IP address for geo-detection of currency)
  • Biometric data
  • Health information
  • Political opinions
  • Racial or ethnic data
  • Marketing tracking beyond basic analytics

4. How We Use Your Data

4.1 Provide the Service

  • Display issues and comments to authorized users
  • Send email and in-app notifications about new issues and comments
  • Manage user accounts and permissions
  • Process subscription payments

4.2 Improve the Product

  • Analyze which features are used most (to prioritize improvements)
  • Fix bugs and improve performance
  • Add features users request

4.3 Security

  • Prevent fraud and abuse
  • Detect suspicious activity
  • Secure accounts with authentication
  • Rate limiting to prevent API abuse

4.4 Legal Compliance

  • Tax requirements (billing records)
  • GDPR and data protection laws
  • Respond to legal requests (with proper authorization)

4.5 Communication

  • Product updates and security notices
  • Billing notifications
  • Support responses

5. What We Don't Do

  • We don't sell your data to third parties
  • We don't share data with advertisers
  • We don't track you across other websites
  • We don't send marketing emails (unless you opt in)
  • We don't use your data for AI training (without your consent)
  • We don't access your Loom videos - only you and Loom can view them

6. Third-Party Services

We use these services to run Lantern. Each has its own privacy policy:

1. Supabase (Database & Authentication)

Stores all user and issue data. EU & US servers available. SOC 2 Type II compliant.

Supabase Privacy Policy →

2. Stripe (Payments)

Processes subscription payments. We only store the Stripe customer ID. They handle all card data. PCI DSS compliant.

Stripe Privacy Policy →

3. Loom (Video Hosting)

When you embed a Loom video, we only store the URL. The video stays on Loom's servers. We never download or process your videos.

Loom Privacy Policy →

4. Vercel (Hosting)

Hosts the application, edge functions, and API routes. Automatic HTTPS/SSL encryption.

Vercel Privacy Policy →

5. Resend (Email)

Sends transactional emails (notifications, invitations, account emails). We don't use it for marketing.

Resend Privacy Policy →

7. Loom Video Integration

When you attach a Loom video to an issue:

  • You paste a Loom share link (e.g., https://www.loom.com/share/...)
  • We store only the URL in our database
  • The video remains on Loom's servers
  • We never download, store, or process your videos
  • Loom's privacy policy applies to video content
  • Only users with access to the issue can view the video link

8. Client vs Team Member Data

Lantern has two types of users:

  • Team members - Your agency employees
  • Clients - Your agency's customers

Both types can:

  • Create and view issues
  • Comment on issues
  • Attach Loom videos and screenshots

Team members can additionally:

  • Manage client accounts
  • View all client issues
  • Access billing and settings

Data isolation: Client data is isolated per organization. Clients from Company A cannot see data from Company B.

9. Data Retention

Active Accounts

We keep your data as long as your account is active. This is required to provide the service.

Deleted Accounts

When you delete your account:

  • Personal data (email, name) deleted within 30 days
  • Some metadata kept for legal/security purposes (anonymized)
  • Billing records kept for 7 years (UK tax law requires this)

Issues and Comments

Issues and comments are deleted when:

  • The organization deletes them
  • The account is deleted
  • Backups are purged after 30 days

10. Your Rights (GDPR)

If you're in the EU, you have these rights:

1. Right to Access

You can export your data (Settings → Export Data) or contact us to see what we have about you.

2. Right to Rectification

Update your info in Settings or contact us to correct errors.

3. Right to Erasure

Delete your account (Settings → Delete Account). We delete your data within 30 days.

4. Right to Data Portability

Export your data as JSON and take it elsewhere.

5. Right to Object

Opt out of marketing emails. Note: objecting to data processing may limit service functionality.

6. Right to Restrict Processing

Temporarily stop processing your data. Contact support to request this.

11. Cookies & Tracking

Essential Cookies (Required)

These are necessary for the service to work:

  • Authentication token - Keeps you logged in
  • Session ID - For security
  • CSRF token - Prevents cross-site attacks

No Third-Party Tracking

We don't use Google Analytics, Facebook Pixel, ad trackers, or cross-site tracking. We keep it simple.

12. Security Measures

We protect your data with:

  • HTTPS/SSL encryption - All data in transit is encrypted
  • Database encryption at rest - Supabase encrypts data on disk
  • Password hashing - Passwords are hashed with bcrypt (we never see them)
  • Row Level Security (RLS) - Database-level access control
  • Regular security updates - We keep dependencies up to date
  • Rate limiting - Prevents API abuse
  • CSRF protection - Prevents cross-site request forgery
  • XSS protection - Prevents cross-site scripting attacks
  • SQL injection prevention - Using parameterized queries

13. International Data Transfers

Data Storage Location

  • Supabase: EU or US (you choose when setting up)
  • Vercel: Global edge network (data cached closest to users)
  • Stripe: US with EU data residency option

For EU Users

Lantern complies with GDPR. We use Standard Contractual Clauses (SCC) for data transfers. A Data Processing Agreement is available upon request.

14. Children's Privacy

Lantern is not intended for users under 16. We do not knowingly collect data from children. If we discover an underage user, we delete their data immediately. Contact us at privacy@lanternhq.app if you believe a child has created an account.

15. Changes to This Policy

We may update this policy from time to time:

  • Material changes: We'll email you 30 days before they take effect
  • Minor changes: Posted here with an updated "Last updated" date
  • Continued use: Using Lantern after changes means you accept the new policy
  • Don't agree? You can delete your account before changes take effect

16. Contact Us

Questions about this policy or our data practices? Get in touch:

Privacy & GDPR Requests:
privacy@lanternhq.app

Response time: Within 30 days

General Support:
hello@lanternhq.app

Legal Disclaimer

This privacy policy was last updated on January 15, 2025.

By using Lantern, you agree to this privacy policy.

We reserve the right to update this policy. If we make material changes, we'll email you 30 days before they take effect.

If you don't agree to the new policy, you can delete your account before it takes effect.

For EU users: Lantern complies with GDPR. The data controller is Lantern.

This policy is governed by UK law.