Privacy Policy
Last Updated: April 14th, 2026
Lovable Labs Incorporated ("Lovable," "we," "us," or "our") provides tools to empower developers and non-technical users to build, share, and deploy web applications using natural language prompts. Our mission is to simplify software development through innovative tools, seamless integrations, and collaborative features, while prioritizing the privacy and security of your data. We are committed to fostering a vibrant builder community and ensuring compliance with applicable privacy laws in the United States (including all applicable state privacy statutes), European Economic Area, United Kingdom, Switzerland, and Canada.
This Privacy Policy ("Policy") outlines how Lovable collects, uses, shares, and otherwise processes Personal Data from users, including developers, entrepreneurs, and visitors ("User," "you," or "your") of our website and any software or platform (collectively, our "Services"). By using our Services, you acknowledge and agree to this Policy.
This Policy incorporates our Terms of Service. If you do not agree with the terms of this Policy, please discontinue your use of our Services. Existing users with contractual obligations should contact us to discuss applicable terms.
Please note: This Privacy Policy applies to Free and Pro plans. This does not include Business and Enterprise plans which are governed by our terms and Data Processing Agreement found here.
Definitions
a. "Data Protection Laws": Collectively, (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the "GDPR"), UK GDPR and any implementing or supplementary legislation, and (ii) all U.S. federal or state privacy statutes in force during the Term together with other national laws governing the Processing of Personal Data. If the Customer is a UK entity, any reference to the "GDPR" shall be interpreted to include a reference to the UK GDPR.
b. "Personal Data": For purposes of this Policy, Personal Data (also called personal information under the California Consumer Privacy Act/Privacy Rights Act and similar U.S. state laws) means any information that relates to an identified or identifiable natural person or is reasonably capable of being linked to a particular consumer or household, as set out in the EU GDPR, UK GDPR, Canada's PIPEDA, the revised Swiss Federal Act on Data Protection, and all applicable U.S. federal or state privacy statutes. Personal Data may include, for example, your name, business email address, postal address, telephone number, username, unique device or browser identifiers, Internet-protocol ("IP") address, authentication tokens, usage and telemetry logs, or other information generated through your use of our Services.
c. "Service Data": Any data relating to the use, support and/or operation of the Services, which is collected directly by Lovable from the Customer's use of the Service. Service Data is used for Lovable's security, billing, analytics, or product-improvement purposes. Service Data is not Personal Data.
Collection and Use of Information
Information You Provide Directly: When you create an account, purchase a subscription, open a support ticket, apply for a role, or otherwise use our Services, you may supply Personal Data such as your name, business-email address, phone number, and payment information (processed via Stripe; see Stripe's privacy policy at stripe.com/privacy for details on how they handle your card details and transaction data). For usage-based services like Lovable Cloud and AI Gateway, we collect and process Usage Data (e.g., API calls, storage usage, prompt volumes) to meter consumption against your Credits (prepaid balances). These Credits are tracked in separate balances per service, with metering reliant on Stripe and third-party providers. We do not store full payment card details; Stripe serves as the source of truth for billing records, which may include anonymized usage metrics shared with us for invoicing. You may also supply project artifacts (for example, natural-language prompts, code snippets, or deployment configurations). These artifacts are used only to serve your workspace and, once anonymized or aggregated, to improve our models; they are never used to train general-purpose AI models that benefit other customers without your permission.
Information Collected Automatically: When you interact with the Services, we automatically collect technical data such as IP address, browser type, operating system, device identifiers, pages visited, timestamps, and error logs. Service Data is processed by Lovable as an independent controller for security, billing, analytics, and product-improvement purposes.
Billing and Metering Data: Telemetry on service usage (e.g., compute hours in Lovable Cloud, API requests via AI Gateway) is collected to generate monthly invoices showing consumption by service. This data is anonymized where possible and shared with Stripe for payment processing and revenue recognition.
Usage And Analytics Data: We record how you engage with key features (e.g., prompts submitted, code generated, build and deployment events, clicks on the GitHub or Supabase integrations). If you authorize a third-party integration, Lovable accesses only the minimum data required to provide that integration and processes it under the same terms as other Customer Personal Data.
Data Handling In Lovable Cloud and AI Gateway: Lovable Cloud provides cloud hosting and back-end services (e.g., database, authentication, storage), where your Customer Data (as defined in our Terms of Service), including hosted applications, files, and generated outputs, is stored and processed on Supabase infrastructure. By using Lovable Cloud, you consent to the transfer, storage, and processing of your Customer Data by Supabase under their privacy policy (available at supabase.com/privacy). The AI Gateway acts as a proxy to connect your applications to third-party AI providers, including OpenAI, Google Gemini, and models via OpenRouter. When using the AI Gateway, your inputs (e.g., prompts, queries) and related Customer Data are transmitted to these providers for processing and response generation. These transmissions occur on a pass-through basis; we do not store the raw prompts or responses unless you explicitly save them in your workspace. By using the AI Gateway, you consent to such transfers under the privacy policies of OpenRouter (openrouter.ai/privacy), OpenAI (openai.com/policies/privacy-policy), and Google (policies.google.com/privacy). We do not control these providers' data practices, and you are responsible for reviewing their policies.
Data Handling In Integrations and Shared Connectors: Our Services allow users to send and receive Personal Data from third-party services (which we refer to as 'Integrations'). Integrations are applications or platforms that integrate with Lovable via API Connectors or using a Model Context Protocol for Personal connectors ('MCP Server'). Once an API connection is enabled, the provider of an Integration may share certain information with Lovable. For example:
- If an Integration is connected via MCP Server to permit data to be accessed, Lovable may receive information that the Integration makes available through the API to facilitate the integration.
- When an Integration is enabled via API, Lovable is authorised to connect and access data made available to it in accordance with our agreement with the provider of the Third-Party Service and any permission(s) granted by the Customer. Lovable may receive whether you successfully authenticated with an Integration and your usage of the functionality.
Data Handling In Lovable Desktop: If you access Lovable through our desktop app ('Lovable Desktop') the data handling of Integrations applies. Certain actions may be taken locally on your device. Where no data is transmitted to Lovable's servers or the Lovable API, such processing does not constitute a submission of Customer Data to Lovable and is not subject to this Policy. More information can be found in our Desktop App Terms.
Data Handling For Domain Name Registrars: Lovable provides domain registrations through cooperation with domain name registrars subject to the Domain Name Registration Terms. To provide domain registrations Lovable may process your Personal Data to:
- Process and maintain your domain name registration;
- Comply with applicable ICANN requirements, including the publication of certain data elements in the Registration Data Directory Service (RDDS);
- Enable the sponsoring registrar and applicable registry operator to fulfil their obligations under the Registrar Accreditation Agreement and applicable registry agreements;
- Communicate with you regarding your domain name registration, including verification and renewal, and any other ICANN-required communications.
The Personal Data required to fulfil the domain purchase will be clearly indicated to you during the purchase flow. Any additional data fields not marked as required are voluntary. Your Personal Data may be shared with:
- The applicable registry operator;
- ICANN;
- Any ICANN-authorised escrow service provider; and
- Other third parties as required or permitted by applicable ICANN policies or law.
By completing a domain purchase, you confirm that:
- You consent to the collection, use, and processing of your Personal Data for the purposes described above;
- You consent to certain data being transferred to ICANN (as described in the ICANN Privacy Policy) and to other third parties as described; and,
- Where you have supplied Personal Data relating to a third party (someone that is not you) for a domain registration, you have obtained that individual's equivalent consent.
You may access, correct, or request deletion of your Personal Data at any time by contacting us at privacy@lovable.dev, as described in this Policy. Lovable and its registrar partners take reasonable technical and organisational precautions to protect your Personal Data against loss, misuse, unauthorised access or disclosure, alteration, or destruction, as outlined in this Policy. In the event that Lovable changes its registrar partner or ceases operations, your domain name and associated registration data (including DNS records, nameserver configuration, authorisation codes, and expiry dates) will be made available to you or transferred to a new registrar on your behalf in accordance with the ICANN Bulk Transfer process. Lovable will not impose any lock or restriction on your domain that prevents transfer, except as required by ICANN policy or applicable law.
Children's Data: Lovable's Services are not intended for individuals under the age of eighteen (18), and we do not knowingly collect or solicit Personal Data from anyone under this age unless, as part of a program with a partner, the child has obtained consent or authorisation from a parent or guardian before they can use the Services. By using our Services, you represent that you are at least 18 years old or the age of majority in your jurisdiction. If we discover that we have collected Personal Data from a minor without verifiable parental consent, we will promptly delete that information. If you believe we may have collected such data, please contact us at privacy@lovable.dev.
Sensitive Data: Lovable does not intentionally collect special-category or sensitive Personal Data, such as biometric identifiers, health information, or precise geolocation, and instructs customers not to upload such information. This definition will be interpreted to include any equivalent term under other privacy laws that come into force during the life of this Policy.
We process Personal Data for the following purposes:
- to provide, operate, and maintain the Services, including storing code, generating suggestions, and deploying applications;
- to personalize your experience and tune AI-driven features for your workspace, unless you withdraw consent by emailing us at privacy@lovable.dev;
- to analyze usage patterns and improve performance, functionality, and reliability;
- to detect, prevent, and investigate fraud, abuse, or security incidents;
- to deliver product updates and measure the effectiveness of our own marketing;
- to communicate with you and provide customer support, as permitted by your account settings;
- to process payments and other transactions you authorize;
- to comply with legal, regulatory, export-control, and sanctions obligations in the jurisdictions where we operate; and
- to meet record-keeping, accounting, and audit requirements.
Lovable does not engage in automated decision-making that produces legal or similarly significant effects on individuals (GDPR Art 22). We collect only the Personal Data necessary for these purposes and retain it in line with the schedule in the Policy. You can exercise your opt-out or objection rights to certain processing activities as described in this Policy.
How we use your Personal Data
Lovable processes Personal Data only where a valid legal ground applies under each privacy regime that governs our Services.
Legal bases we rely on:
- Performance of a Contract: We process your Personal Data to provide, maintain, and support the Services you have requested under our Terms of Service or other agreement with you.
- Legitimate Interests: We use Personal Data to secure the platform, detect fraud, generate aggregate analytics, and improve AI features where these interests are not outweighed by your privacy rights.
- Consent: We rely on your opt-in consent for non-essential cookies, marketing e-mails, and any other processing that requires consent under Data Protection Laws. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal Obligations: We retain and disclose information as necessary to comply with bookkeeping rules, export-control and sanctions regulations, court orders, or other legal duties.
- Protection of Vital Interests: In rare cases, we may process Personal Data to protect an individual's vital interests, such as preventing serious harm or responding to an emergency.
Data Processing and Sub-Processors
As a data processor, Lovable processes Personal Data on behalf of our customers in accordance with their instructions and applicable DPAs. We engage third-party sub-processors to support our Services, such as:
- Hosting and maintaining our platform, website, and databases.
- Processing payments through secure third-party payment processors.
- Providing technical support, customer service, and analytics.
- Storing and securing data, including integrations with Supabase and GitHub.
All sub-processors are bound by contractual obligations equivalent to those in our DPAs, ensuring compliance with Data Protection Laws. We provide notice of sub-processor changes, allowing customers to object within ten (10) business days. The current list of authorized sub-processors is available at https://trust.lovable.dev and includes the sub-processor's name, location, and processing purpose. We do not sell your Personal Data.
Data Usage
We do not use raw or identifiable Personal Data for training but may anonymize/aggregate it for any lawful purpose. To opt out of using your Customer Data for model training, contact us at privacy@lovable.dev or upgrade to a Business plan with enhanced controls.
International Data Transfers
For customers in the EEA, UK, or Switzerland, we may transfer Personal Data to the United States or other jurisdictions whose privacy laws have not been deemed "adequate" by European or Swiss authorities. Lovable safeguards these transfers through the following legally recognized mechanisms:
- EU Standard Contractual Clauses (SCCs): Module 2 (Controller-to-Processor) per Commission Decision 2021/914.
- UK International Data Transfer Addendum: Version B1.0, issued by the UK ICO under s119A DPA 2018.
- Swiss Addendum: Adapts the SCCs to the revised Swiss FADP, naming the Swiss Federal Data Protection and Information Commissioner (FDPIC) as the competent authority.
Investigations
Lovable may investigate and disclose information, as permitted by law, if we believe in good faith that such action is:
- Necessary to comply with a valid legal process or governmental request (e.g., subpoena, court order, or law-enforcement demand) and, unless legally prohibited, Lovable will notify the affected customer before producing data.
- Helpful to prevent, investigate, or identify fraud, security incidents, or other wrongdoing in connection with our Services.
- Necessary to protect our rights, reputation, property, or those of our users, affiliates, or the public.
Disclosures will comply with Data Protection Laws and be limited to what is necessary.
Log Data
When you use our Services, Lovable automatically collects operational telemetry ("Log Data") that helps us secure and improve the platform. Log Data may include:
- Your device's IP address and approximate location.
- Browser type and version.
- Pages, APIs, or features you access within the Services.
- Timestamps and time spent on specific screens or functions.
- Unique session or device identifiers and error/debugging codes.
- Other usage statistics.
Log Data is retained for up to ninety (90) days, unless required by law, to monitor performance, troubleshoot issues, and improve user experience.
Cookies and Other Tracking
Lovable and selected third-party partners use cookies, pixels, and similar technologies ("Cookies") to operate, secure, and analyze our Services. We deploy four types of Cookies:
- Strictly Necessary Cookies support core functions such as sign-in, session routing, fraud prevention, and consent storage. These are set on the basis of legitimate interests / contract performance and do not require consent.
- Analytics & Performance Cookies measure feature adoption, diagnose errors, track user interactions, and improve service performance. We use first-party analytics (PostHog) and third-party services (Google Analytics, TikTok) for these purposes. We obtain prior consent for these Cookies in the EEA/UK/CH and honor CPRA "opt-out" signals (e.g., Global Privacy Control) in the United States.
- Functional Cookies remember your preferences (language, theme, layout) and are configurable in the in-product Cookie Settings panel.
- Marketing Cookies enable conversion tracking and campaign measurement through third-party services including TikTok, Facebook/Meta, and Google Ads. While we use these cookies to measure the effectiveness of our marketing efforts, we do not "sell" or "share" Customer Personal Data for cross-context behavioral advertising as defined under Data Protection Laws. These cookies require consent in the EEA/UK/CH and respect opt-out preferences in other jurisdictions.
You can manage or withdraw your Cookie preferences at any time by (i) clicking the Cookie Preferences button in our Cookie Policy, (ii) changing your browser controls, or (iii) enabling an authorized browser signal such as the Global Privacy Control. Disabling non-essential Cookies will not affect core functionality but may limit analytics-based improvements. Cookie-derived identifiers are retained only for the period necessary to fulfil the purposes above and never longer than thirteen (13) months for analytics cookies after which they are deleted or irreversibly anonymized.
Information Security and Accuracy
Lovable is committed to protecting your Personal Data and maintaining its accuracy. We implement reasonable industry standard safeguards, including:
- Data in Transit: All traffic between your browser or API client and our servers is protected with industry standard end-to-end encryption.
- Data Storage: Database encryption with secure key management, and pseudonymization or anonymization of data where feasible.
- Access Controls: Role-based access, multi-factor authentication, and regular reviews to ensure only authorized staff can view your data.
- System Resilience: Continuous backups with industry-standard recovery objectives designed to minimize downtime and data loss.
- Security Monitoring: Real-time monitoring, centralized logging with one-year retention, and annual SOC 2 Type II audits.
- Physical Security: Data is hosted in SOC 2- and ISO 27001-certified data centers with 24/7 guards, biometric access, CCTV, and environmental safeguards.
- Staff & Vendor Oversight: All employees pass background checks, sign confidentiality agreements, and receive yearly security training; sub-processors are vetted and contractually bound to equivalent protections.
- Incident Response: We maintain a 24/7 incident-response team and will notify affected customers within 72 hours of confirming any notifiable breach.
- Your Role: Please keep your account credentials confidential, enable multi-factor authentication, and let us know if any of your information is incorrect so we can update it.
Lovable keeps a record of processing activities in line with GDPR Article 30(2) and performs regular risk assessments to adapt these measures as threats evolve. If you believe your account information is inaccurate, contact us as set out in this Policy and we will correct it promptly. We implement reasonable security measures (e.g., encryption in transit/rest, access controls) to protect your Personal Data, but our Services rely on third-party providers like Supabase (for Lovable Cloud), OpenAI, Google, and OpenRouter (for AI Gateway). We cannot guarantee uninterrupted availability, security, or performance of these providers, and data interruptions, delays, or losses may occur due to their actions or events beyond our control (including force majeure). For Lovable Cloud, certain provisioned resources may not be immediately terminable via API; you remain responsible for any data hosted there until fully decommissioned. In cases of misuse or abuse (e.g., excessive data uploads causing cost spikes), you agree to indemnify us for related privacy or security claims arising from third-party provider interactions, as detailed in our Terms of Service. We use commercially reasonable efforts to notify you of material security incidents involving your data but disclaim liability for third-party failures.
Retention of Your Information
We retain Personal Data only as long as necessary to fulfill the purposes outlined in this Policy or as required by applicable law, including:
- Providing and improving our Services.
- Complying with legal and regulatory obligations.
- Resolving disputes or enforcing agreements.
Customer data is retained for up to ninety (90) days, unless required by law, after which it is deleted or isolated. To cancel your account or request data deletion, contact us as outlined in the Policy. Upon account termination or expiration (including forfeiture of unused Credits as per the Terms), we will delete your Personal Data within 30 days, except for data required for fraud prevention, legal compliance, or legal defense purposes. Backups may retain data for up to 90 days. To request deletion, contact us at privacy@lovable.dev; we comply with Data Protection Laws (e.g., GDPR erasure rights). We retain Customer Data only as needed to provide the Services, with deletion available upon request (subject to backups and legal holds).
Links to Other Sites and Integrations
Our Services may include links or integrations (for example, GitHub, Supabase, CI/CD tools, or payment providers) that are not controlled by Lovable.
Your interactions with Third-Party Services are governed by their own privacy policies and terms. We encourage you to review those policies before providing Personal Data, as Lovable is not responsible for the privacy or security practices of external sites or integrations.
Notice and Communications
By using the Services, you consent to receive transactional or administrative electronic communications from Lovable - such as account alerts, security notifications, and billing messages. You may opt out of non-essential marketing e-mails at any time via the "unsubscribe" link or your account settings; this will not affect core service communications. To send formal privacy notices to Lovable, e-mail privacy@lovable.dev or post to the address in this Policy. Lovable may provide legal or privacy notices to you via e-mail, in-product banners, or any other method allowed by law.
Governing Law & Venue
This Policy is governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict-of-law principles. However, if you are located in a jurisdiction that grants you mandatory consumer protection or data protection rights under local law, those provisions will take precedence to the extent they conflict with this Policy. For residents of the European Economic Area (EEA), United Kingdom (UK), or Switzerland, international data transfers are subject to the EU Standard Contractual Clauses governed by Irish law with the courts of Dublin as the chosen forum, the UK International Data Transfer Addendum governed by the laws of England and Wales with the courts of London as forum, and the Swiss Addendum governed by Swiss law with the FDPIC as the competent authority. Any other disputes arising under this Policy shall be exclusively resolved in the state or federal courts located in Wilmington, Delaware, unless otherwise required by applicable mandatory law. We disclaim warranties on data accuracy/security in AI outputs or third-party services. See Terms for IP ownership (you own Customer Data/AI Output; we own Usage Data).
Residents of the United States, Canada, EEA, United Kingdom, and Switzerland
This section supplements the rest of the Policy and applies to individuals located in the United States—including California, Colorado, Connecticut, Virginia, Utah, Florida, Nebraska, and any other state with an active consumer-privacy statute, as well as Canada, the EEA, the United Kingdom, and Switzerland. Lovable collects the personal information categories below when you use the Services:
- Identifiers such as name, business-e-mail, phone number, user ID, and IP address (city-level location only).
- Commercial information such as subscription tier and purchase history; full payment-card numbers are processed solely by our PCI-compliant provider and are never stored by Lovable.
- Internet / network activity such as log-in events, feature usage, prompts submitted, code generated, and telemetry.
- Inferences drawn to personalize the platform.
- Project information you upload (e.g., repositories and configuration files).
- Sensitive Personal Information is not intentionally collected, and customers are instructed not to upload sensitive data (for example, Social-Security numbers or precise geolocation). No sensitive data (e.g., HIPAA-protected health info, financial accounts) should be uploaded; our Services are not designed for it, and we disclaim responsibility if submitted.
Depending on where you live, you may have some or all of the rights listed below (subject to legal limits). You can exercise them by e-mailing privacy@lovable.dev; Lovable will verify your identity and respond within 30 days or the period required by your local law.
- Right of Access/Portability: Request disclosure of personal information collected, used, or disclosed.
- Right of Deletion: Request deletion of personal information, subject to exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Withdraw Consent: Withdraw consent for certain processing activities.
- Opt-out of sales, sharing, or targeted advertising: Opt out of the sale or sharing of personal information. Lovable does not sell or share personal information as defined under U.S. privacy laws.
Lovable will not discriminate against you for exercising your privacy rights. If you believe a request has been wrongly denied, U.S. residents may file an appeal by replying to our decision within sixty days; EEA, UK, or Swiss residents may contact their supervisory authority (the Irish DPC, the UK ICO, or the FDPIC).
Changes to This Policy
Lovable reserves the right to update or revise this Privacy Policy to reflect changes in our practices, legal requirements, or the Services themselves. We will post any revised Policy at https://www.lovable.dev/privacy and indicate the "Effective" date at the top of the document. For material changes that reduce your rights or expand our processing purposes, we will provide at least thirty (30) days' advance notice by e-mail or in-product banner. Your continued use of the Services after the new Policy takes effect constitutes acceptance of the revised terms.
Severability
If any provision of this Policy is found to be unlawful, void, or unenforceable under applicable law, that provision will be interpreted to achieve its intent as closely as possible, or, if impossible, deemed severed, and the remaining provisions will remain in full force and effect.
Contact Details
If you have questions, concerns, or wish to exercise your privacy rights, please contact us. We have appointed a Data Protection Officer (DPO) that you can contact at:
a. Email: dpo@lovable.dev
b. Representative name: Assenteo Ltd
c. EU Address: Lovable Labs AB, Box 190, 101 23, Stockholm, Sweden
We aim to respond to verified data-subject requests within thirty (30) days, or longer where permitted under applicable law, in which case we will notify you of the delay and reason. If you believe your inquiry has not been satisfactorily resolved, you may lodge a complaint with your local supervisory authority, the Irish Data Protection Commission, the UK Information Commissioner's Office, or the Swiss FDPIC, as appropriate.
Entire Agreement
This Policy, together with the Terms of Service, constitutes the entire agreement between you and Lovable regarding privacy and data protection in connection with the Services.