Privacy Policy
Last updated: 7 May 2026
Engine is a trading name of Lunar Fitness Ltd, a company registered in England and Wales with company number 16551732. In this policy, “Engine”, “we”, “us”, and “our” refer to Lunar Fitness Ltd. “You” means anyone using the Engine service or our website at getengine.ai.
This policy explains what personal data we collect when you use Engine, how we use it, who we share it with, and your rights under the UK GDPR and the Data Protection Act 2018.
Data controller
Lunar Fitness Ltd is the data controller for the personal data we collect from you as an Engine customer. You can reach our data protection contact at privacy@getengine.ai.
What we collect
- Account information you provide: your name, email, company name, role, optional phone, and business postal address.
- Onboarding information: details about your business, your target customers, your personas, and the email templates you create or approve.
- Connected mailbox credentials: OAuth tokens for the Gmail or Microsoft 365 account you connect for sending. We never see or store your password.
- Email content sent through Engine and any replies routed back through your inbox, plus send metadata such as timestamps, deliverability events, and bounces.
- Prospect data Engine generates on your behalf: business names, publicly available decision-maker contacts, and enriched email addresses.
- Usage data: pages visited, features used, IP address, browser, and device type, collected for product improvement and security.
- Billing information: handled by Stripe. We do not see or store full card numbers.
How we use it
- To operate Engine: send outreach as you, classify replies, generate templates.
- To bill you (via Stripe).
- To support you, including answering questions and diagnosing issues.
- To improve the product through anonymized analytics.
- To comply with our legal obligations.
- To protect against abuse, fraud, and security threats.
Legal bases for processing (UK GDPR Article 6)
- Performance of a contract: providing Engine to you under our Terms of Service.
- Legitimate interests: product improvement, fraud prevention, and network security.
- Legal obligation: tax, accounting, and lawful disclosures to authorities.
- Consent: where required, for example for marketing communications you have opted into.
Google user data: Limited Use disclosure
Engine’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.
We use Google user data (Gmail messages and metadata you grant access to) solely to provide the user-facing features of Engine, namely composing and sending outreach emails on your behalf from the Gmail account you have connected.
- We do not use Google user data for advertising.
- We do not sell Google user data, and we do not transfer it to third parties except where necessary to provide our user-facing service, comply with applicable law, or as part of a merger, acquisition, or sale of assets in which Google user data continues to be protected by this policy.
- We do not allow humans to read Google user data, unless we have your explicit consent, it is necessary for security purposes (such as investigating abuse), it is required to comply with applicable law, or the data is aggregated and anonymized for internal operations and complies with applicable rules.
Microsoft 365 / Outlook data
The same principle applies to data accessed via Microsoft Graph: we use it only to deliver Engine’s user-facing features, we never use it for advertising, and we do not sell or transfer it except as necessary to provide our service or as required by law.
Subprocessors
We share personal data with carefully selected service providers who help us operate Engine:
- Vercel Inc. (USA): hosting and content delivery
- Neon (USA / EU): managed Postgres database
- Clerk (USA): authentication
- Stripe (USA / UK): payment processing
- Anthropic (USA): AI processing for onboarding and template generation
- Mailgun (USA / EU): email infrastructure where the legacy sending path is used
- Google LLC (USA): Gmail API where you have connected a Google account
- Microsoft Corporation (USA): Microsoft Graph API where you have connected a Microsoft 365 account
Where personal data is transferred outside the UK, we rely on UK-approved Standard Contractual Clauses, the UK-US Data Bridge, or other lawful transfer mechanisms.
Retention
We retain personal data only for as long as it is needed to provide Engine and to comply with our legal obligations. When you delete your account, we delete or anonymize your personal data within 30 days, except where retention is required by law (for example, invoicing records held for six years for UK tax purposes).
Your rights
Under the UK GDPR you have the right to:
- Access the personal data we hold about you.
- Have inaccurate data corrected.
- Have your data erased (right to be forgotten), subject to legal retention requirements.
- Restrict or object to certain processing.
- Receive your data in a portable format.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.
To exercise any of these rights, email privacy@getengine.ai.
Security
We use industry-standard measures to protect your data: TLS encryption in transit, encryption at rest, role-based access controls, regular secret rotation, and vendor due diligence. No system is perfectly secure. We will notify you and the ICO without undue delay if a personal data breach is likely to result in a risk to your rights and freedoms.
Cookies
We use essential cookies for authentication and lightweight analytics. We do not use advertising cookies and we do not sell cookie data.
Changes to this policy
We may update this policy from time to time. The “last updated” date at the top reflects the current version. Material changes will be communicated by email or in-app notice.
Contact
Lunar Fitness Ltd t/a Engine
Registered in England and Wales, company number 16551732
Email: privacy@getengine.ai