Privacy Policy

1. Controller

The controller responsible for the processing of personal data within the meaning of the General Data Protection Regulation (GDPR) and other applicable national data protection laws is:

LILY Labs GmbH
Maudacherstraße 45
67065 Ludwigshafen am Rhein
Germany

Represented by: Milan Wiedemann (Chief Executive Officer)
Email: milan.wiedemann@lily.org

A data protection officer is not required by law and has not been appointed. Please direct data protection enquiries to the email address above.

2. Scope of This Privacy Policy

This Privacy Policy informs you about the nature, scope and purpose of the processing of personal data in connection with:

the LILY website (the "Website"); registration on the LILY Alpha Programme waitlist; use of the web-based LILY platform (dashboard); use of the LILY command-line interface (CLI); execution of user applications on the "Void" server infrastructure; and email communication with LILY Labs.

The terms "LILY", "Platform", "CLI", "Void" and "LILY Services" are used as defined in the LILY Alpha Programme Terms of Use.

3. General Information

Legal Bases. Where we process personal data, we do so on the following legal bases: Art. 6(1)(a) GDPR — where you have given us your consent; Art. 6(1)(b) GDPR — for the performance of a contract or pre-contractual measures; Art. 6(1)(c) GDPR — for compliance with a legal obligation; Art. 6(1)(f) GDPR — for the purposes of our legitimate interests, provided your interests do not override them.

Retention periods. Personal data are retained only for as long as necessary for the respective purposes or as required by statutory retention obligations. Data subject to statutory retention requirements (in particular § 257 HGB, § 147 AO) are retained for the prescribed period (generally 6 to 10 years). Data needed to assert, exercise or defend legal claims are retained until expiry of the applicable limitation period (generally 3 years). After the purpose ceases and any retention periods expire, data are deleted or anonymised.

Recipients and processors. We use carefully selected service providers who process personal data on our behalf as processors within the meaning of Art. 28 GDPR. We have concluded data processing agreements with these providers. An overview is provided in Section 5.

Third-country transfers. Personal data are generally processed within the European Union. Where processing occurs in a third country (in particular the USA), this is done on the basis of appropriate safeguards pursuant to Art. 46 GDPR (EU Standard Contractual Clauses, "SCCs") and supplementary technical and organisational measures. Details are set out in Section 5.

4. Processing Activities

4.1 Website access (server logs). When you visit our website, your browser transmits certain data to our web server, including: IP address, date and time of access, requested URL and HTTP status code, browser type and version (user agent), operating system, and referrer. Purpose: ensuring the functionality and security of the website, detecting and repelling attacks. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and stable operation). Retention: 14 days, then automatic deletion; longer retention in the event of security incidents.

4.2 Analytics (Plausible). We use Plausible Analytics, a cookie-free web analytics tool provided by Plausible Insights OÜ (Tallinn, Estonia). Plausible collects aggregated and anonymised statistics on website usage: pages visited and time spent, referrer, approximate country of origin (derived from IP address; IP is not stored), device category and browser type, and conversion events (e.g. clicks on sign-up buttons). No cookies are set, no cross-device profiles are created, and no personal identifiers are stored. Identification of individual persons is not possible. Processing takes place on servers in the EU. Purpose: reach measurement and website optimisation. Legal basis: Art. 6(1)(f) GDPR. Retention: aggregated statistics up to 12 months.

4.3 Waitlist registration. When you register for the waitlist, we process: email address (required), name (required), company (required), description of planned use case (optional), and time of registration. Purpose: managing the waitlist, selecting participants, communicating programme launch information. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures). Retention: transferred to account on invitation; deleted 24 months after registration if not invited.

4.4 Account setup and authentication (OAuth). After invitation you create a user account. We process: email address, name, account identifier (internally generated ID), timestamps of account creation and last login. Authentication is available via email/password or via GitHub or Google OAuth. Where you use an OAuth provider, we receive from that provider only the data required for authentication (email address, name, profile ID). We do not receive access to your password at the provider. Data processed by OAuth providers is the responsibility of the respective provider — GitHub (GitHub Inc., San Francisco, USA) and Google (Google Ireland Limited, Dublin). Legal basis: Art. 6(1)(b) GDPR. Retention: up to 30 days after account deletion.

4.5 Platform analytics (PostHog). Within the logged-in LILY dashboard we use PostHog for product analytics, click analysis, heatmaps and A/B testing. Provider: PostHog Inc., San Francisco, USA. Data are processed exclusively on PostHog EU Cloud servers in Frankfurt am Main, Germany. Data collected includes: page views and time spent within the dashboard, button clicks and UI interactions, features used and feature flag assignments (A/B test groups), browser type, OS and device information, internal user ID (linked to account), anonymised IP address. Purpose: product improvement, identifying usage patterns, optimising user experience, A/B testing. Legal basis: Art. 6(1)(f) GDPR. Retention: 12 months, then automatic deletion or anonymisation. We have concluded SCCs with PostHog supplementary to EU data residency.

4.6 CLI usage. The LILY CLI compiles and deploys on your local system. No usage or telemetry data are transmitted from the CLI to LILY Labs, except for technical data strictly required for a deployment to the Void (authentication token, compiled artefact, deployment metadata). Legal basis: Art. 6(1)(b) GDPR.

4.7 Void execution (crash and error logs). When you run user applications on the Void, we collect technical logs for error analysis and operational stability: deployment identifier and associated account, time and type of crash or error, stack traces and error messages from the executed binary artefact, resource usage (CPU, RAM, storage) at the time of the error. Incoming requests to user applications (request logs) are not stored; application content is not evaluated. Purpose: error analysis, operational stability, platform development. Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR. Retention: 90 days, then automatic deletion.

4.8 Email communication (Resend). For transactional emails (waitlist confirmation, invitation, notifications, support) we use Resend (Solamatic, Inc., San Francisco, USA). Data processed: recipient email address, name, email content, and technical delivery information (bounces, open and delivery events). We have concluded a data processing agreement including SCCs with Resend. Purpose: sending contractually required and operationally necessary emails. Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR. Retention: delivery metadata at Resend for 30 days; email content at LILY Labs until end of contract.

4.9 Cookies. We use technically necessary cookies to ensure the functionality of the website and platform (e.g. session cookies, authentication cookies). These are set without consent on the basis of applicable law. On the logged-in platform, PostHog additionally uses identifiers for product analytics (see 4.5). On the public website we intentionally use no cookie-based tracking (see Plausible, 4.2).

5. Processors and Third-Country Transfers

We use the following processors for the provision of LILY. All processors handle personal data exclusively in EU data centres unless otherwise stated.

IONOS SE — Montabaur, Germany — Karlsruhe / Frankfurt, Germany — Server infrastructure (Void), hosting.

Google Ireland Limited — Dublin, Ireland — EU data centres (europe-west) — Parts of server infrastructure (Void).

Plausible Insights OÜ — Tallinn, Estonia — EU servers — Website analytics (anonymised, no cookies).

PostHog Inc. — San Francisco, USA — Frankfurt, Germany (EU Cloud) — Platform analytics. Transfer to USA covered by SCCs.

Resend (Solamatic, Inc.) — San Francisco, USA — USA (with SCCs) — Transactional email delivery.

For transfers to the USA: residual risks exist due to potential access by US authorities. We use EU Standard Contractual Clauses and assess supplementary protective measures. Where providers are certified under the EU-US Data Privacy Framework, we additionally rely on the applicable adequacy decision.

6. Your Rights

You have the following rights regarding your personal data:

Right of access (Art. 15 GDPR); right to rectification (Art. 16 GDPR); right to erasure (Art. 17 GDPR); right to restriction of processing (Art. 18 GDPR); right to data portability (Art. 20 GDPR); right to object to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR); right to withdraw consent at any time with effect for the future (Art. 7(3) GDPR).

To exercise your rights, contact us at: milan.wiedemann@lily.org. We handle requests within the statutory period of one month (Art. 12(3) GDPR).

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority for LILY Labs is: Landesbeauftragter für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz, Hintere Bleiche 34, 55116 Mainz, Germany.

7. Technical and Organisational Measures

We implement appropriate technical and organisational measures to protect your personal data (Art. 32 GDPR), including: TLS-encrypted transmission between CLI and Void and between browser and platform; access controls and permission management at infrastructure level; logging of security-relevant events; exclusive processing of customer data in EU data centres; and regular review and adaptation of security measures.

Encryption of data stored at rest on the Void (encryption-at-rest) is not currently implemented and is planned for a later stage of the platform. Regular automated backups of customer data stored on the Void are not performed during the Alpha Programme; users are required under the Alpha Terms to maintain their own backups.

8. Changes to This Policy

We update this Privacy Policy when processing activities, service providers or legal requirements change. The current version is available at lilylabs.io/legal/privacy. For material changes, registered users will additionally be notified by email.