LUNARLABS

Privacy Policy

Last updated: April 29, 2026

LunarLabs ("we," "us," or "our") operates the website lunarlabs.io. This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our service and the choices you have associated with that data. This Privacy Policy applies to all visitors and users of our website, as well as to clients and prospective clients of our professional services. LunarLabs is subject to the Protection of Personal Information Act 4 of 2013 ("POPIA") as a South African entity, and complies with the EU General Data Protection Regulation (GDPR) where applicable to international data subjects, and the California Consumer Privacy Act (CCPA) for California residents. For the purposes of POPIA, LunarLabs is the "responsible party" (data controller) for website visitor data and the "operator" (data processor) for any personal data processed on behalf of clients under a separate written agreement.

Information Collection and Use

Information You Provide. We collect personal data that you voluntarily provide when you: (a) submit a contact inquiry, including your name, email address, phone number, company name, and message content; (b) subscribe to our newsletter, including your email address; (c) engage us for services, including billing information, project details, and communication records. We do not collect special categories of personal data (e.g., health information, biometric data) unless explicitly provided in connection with a specific service engagement and documented in a separate consent form.

Automatically Collected Information. When you visit our website, we automatically collect: (a) your IP address and approximate geographic location; (b) browser type, operating system, and device identifiers; (c) pages visited, referring URLs, and time spent on pages; (d) cookies and similar tracking technologies as described in our Cookie Notice below.

AI Tools. LunarLabs may use AI-powered tools in the operation of our business, including for customer support, analytics, and marketing automation. Any personal data processed through AI tools is handled in accordance with this Privacy Policy and applicable law.

How We Use Your Information

We use the personal data we collect for the following purposes and on the following legal bases:

  • Contract Performance. To provide professional services, communicate about project status, issue invoices, and fulfill contractual obligations (South African law: lawful basis under POPIA Section 11; EU law: GDPR Article 6(1)(b)).
  • Legitimate Interests. To improve our website and services, send service-related updates, conduct analytics, and prevent fraud (South African law: lawful basis under POPIA Section 11; EU law: GDPR Article 6(1)(f)). You may opt out of marketing communications at any time.
  • Consent. For newsletter subscriptions, marketing emails, and any processing requiring explicit consent (South African law: under POPIA Sections 11 and 18; EU law: GDPR Article 6(1)(a)). Consent may be withdrawn at any time via the unsubscribe link in each email.
  • Legal Obligation. To comply with applicable laws, regulatory requirements, tax obligations, and to respond to lawful government requests (South African law: POPIA Section 37; EU law: GDPR Article 6(1)(c)).
  • Legitimate Purpose. Under POPIA Section 11(1)(b)(iii), processing may be conducted for the legitimate purpose of pursuing the reasonable interests of LunarLabs or a third party to whom the information is supplied, except where such processing is unreasonable or unjustified in the circumstances.

We do not sell, trade, or rent your personal information to third parties for their marketing purposes. We may share personal data with: (a) service providers who assist us in operating our website and business (e.g., email delivery, analytics); (b) professional advisers where necessary for legal, accounting, or compliance purposes; (c) law enforcement or regulatory authorities when required by law; and (d) successor entities in the event of a merger, acquisition, or asset sale.

Data Retention

We retain your personal data for no longer than necessary for the purposes for which it was collected. The following retention periods apply:

  • Contact Form Submissions. Up to twenty-four (24) months from the date of submission, after which data is deleted or anonymized.
  • Newsletter Subscribers. Until you unsubscribe; your email address is removed within thirty (30) days of unsubscription.
  • Client Project Data. Retained for the duration of the engagement plus three (3) years for accounting and dispute resolution purposes, unless a longer period is required by law or agreed in writing.
  • Website Analytics. Aggregated and anonymized data retained indefinitely; individual session data retained for up to twenty-six (26) months.

Upon expiry of the retention period, personal data is securely deleted or anonymized. You may request deletion of your personal data at any time, subject to the exceptions described in the "Your Rights" section below.

Cookies and Tracking

Our website uses cookies and similar tracking technologies. A cookie is a small text file stored on your device when you visit a website.

Essential Cookies. These cookies are required for the website to function and cannot be disabled without rendering the site inoperable. They include session cookies, security cookies, and functionality cookies.

Analytics Cookies. We use Google Analytics to collect information about how visitors use our website. This data helps us understand site traffic, identify popular content, and improve user experience. Google Analytics collects: pages visited, time spent on pages, referring URLs, device and browser information, and geographic location. You may opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

reCAPTCHA. We use Google reCAPTCHA v3 to protect contact and newsletter signup forms from spam and automated abuse. reCAPTCHA collects hardware and software information and may set cookies to help distinguish humans from bots. Use of reCAPTCHA is governed by Google's Privacy Policy and Terms of Service.

Managing Cookies. You may manage your cookie preferences through your browser settings. Note that disabling cookies may affect website functionality.

Third-Party Services and Data Transfers

We use the following third-party service providers, each governed by their own privacy policies:

  • Google (Analytics, reCAPTCHA, Gmail). Privacy Policy. Data may be transferred to Google servers in the United States. Standard Contractual Clauses are in place for any EU personal data transfers.
  • Email Delivery Services. Used for transactional and marketing emails. These providers are contractually bound to data processing agreements.
  • Cloud Infrastructure. Our website and client data may be hosted on cloud infrastructure providers (e.g., Vercel, AWS) in the United States or other jurisdictions depending on service configuration.
  • Customer Relationship Management. We use CRM software to manage client communications and project relationships.

International Transfers. Where personal data is transferred outside of the European Economic Area (EEA) or the United Kingdom, we ensure appropriate safeguards are in place, including Standard Contractual Clauses adopted by the European Commission. You may request details of such safeguards by contacting us at [email protected].

Data Security

We implement appropriate technical and organizational security measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encrypted storage for sensitive data at rest
  • Access controls and authentication requirements for all systems containing personal data
  • Regular security updates and patching procedures
  • Employee training on data protection and security awareness
  • Incident response procedures including notification to affected parties and supervisory authorities within seventy-two (72) hours of a reportable breach, as required by GDPR Article 33

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority (e.g., the Irish Data Protection Commission for EU data subjects) within seventy-two (72) hours of becoming aware of the breach, and will notify affected data subjects directly when the breach is likely to result in a high risk.

Your Rights

GDPR Rights (European Union Residents). If you are located in the European Economic Area, you have the following rights under the GDPR:

  • Right of Access (Article 15). Obtain a copy of your personal data and information about how it is processed.
  • Right to Rectification (Article 16). Correct inaccurate or incomplete personal data.
  • Right to Erasure (Article 17). Request deletion of your personal data ("right to be forgotten"), subject to applicable legal retention requirements.
  • Right to Restriction (Article 18). Request restriction of processing in certain circumstances.
  • Right to Data Portability (Article 20). Receive your personal data in a structured, machine-readable format and transmit it to another controller.
  • Right to Object (Article 21). Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent (Article 7). Withdraw consent at any time where processing is based on consent.
  • Right to Lodge a Complaint. File a complaint with your local supervisory authority (e.g., the Data Protection Commission in Ireland or the ICO in the UK).

CCPA Rights (California Residents). If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to Know. Request disclosure of: categories of personal information collected; categories of sources; business purposes for collection; categories of third parties with whom information is shared; and specific pieces of personal information held.
  • Right to Delete. Request deletion of personal information, subject to certain exceptions.
  • Right to Opt-Out. Opt out of the sale of personal information (we do not sell personal information).
  • Right to Non-Discrimination. Not be discriminated against for exercising your CCPA rights.

Exercising Your Rights. To exercise any of the above rights, please contact us at [email protected]. We will respond to your request within the timeframes required by applicable law: thirty (30) days for GDPR requests; forty-five (45) days for CCPA requests; and within the timeframe prescribed under POPIA for South African data subjects. We may require you to verify your identity before processing your request. You may also designate an authorized agent to exercise your rights on your behalf.

South African Protection of Personal Information Act (POPIA) Rights

If you are a South African data subject, you have the following rights under POPIA:

  • Right to Access (Section 23). Request access to your personal information held by LunarLabs, including the identity of any third parties who have access to your information and a description of the information held.
  • Right to Correction or Deletion (Sections 24 and 24). Request correction, deletion, or destruction of your personal information where it is no longer needed, is inaccurate, or has been unlawfully processed.
  • Right to Object (Section 11(3)). Object to the processing of your personal information in certain circumstances, including where such processing is likely to cause substantial damage or unjustifiable distress.
  • Right to Adduce Evidence (Section 11(4)). Adduce evidence that your personal information is not accurate or complete, or is not processed in accordance with POPIA.
  • Right to Have Incorrect Information Corrected (Section 29). Have any incorrect or misleading information corrected without delay.
  • Right to Data Portability. Receive your personal information in a structured, commonly used, and machine-readable format where processing is automated and consent-based or contract-based.
  • Right to Lodge a Complaint. Lodge a complaint with the Information Regulator of South Africa (the "Regulator") at https://www.justice.gov.za/inforeg/ if you believe your rights under POPIA have been violated.

LunarLabs will respond to any POPIA data subject request within the timeframe prescribed by POPIA (generally thirty (30) days). Where we are unable to comply with your request within this period, we will notify you and may extend the period by a further thirty (30) days where reasonably necessary.

Children's Privacy

Our service does not address anyone under the age of 18. We do not knowingly collect personally identifiable information from children under 18. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us so we can take necessary action.

Privacy by Design and Data Minimization

LunarLabs embeds data protection principles into the design of our services and business processes ("privacy by design"). We implement the following principles in accordance with POPIA Section 19 and GDPR Article 25:

  • Data Minimization. We collect only the minimum personal data necessary for each specific purpose, as required by POPIA Section 13.
  • Purpose Specification. Personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes (POPIA Section 10).
  • Storage Limitation. Personal data is kept in identifiable form only for as long as necessary for the purposes for which it was collected.
  • Integrity and Confidentiality. Personal data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage (POPIA Section 19).

We maintain a record of all processing operations as required by POPIA Section 22 and GDPR Article 30 for all personal data processing activities. In terms of POPIA Section 21, LunarLabs will only transfer personal data to a third party in another country if: (a) the recipient country provides an adequate level of protection for the processing of personal data; or (b) the data subject consents to the transfer; or (c) the transfer is necessary for the performance of a contract with the data subject; or (d) the transfer is otherwise legally permitted.

POPIA Information Officer and Registration

LunarLabs maintains registration with the Information Regulator of South Africa as a "responsible party" where required under POPIA. All personal information processing activities are conducted in accordance with our registered information officer mandate. Questions regarding our POPIA compliance may be directed to our Information Officer at [email protected].

California Sharing Disclosure (Shine the Light Law)

California Civil Code Section 1798.83 permits users who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes. If you have questions about this policy, please contact us at [email protected].

Changes to This Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top. You are advised to review this Privacy Policy periodically for any changes.

Contact Us

If you have any questions about this Privacy Policy, please contact us at [email protected] or through our contact form.