Lola Tech, Inc.
Global Privacy Policy
Effective July 3, 2026 · Last updated July 3, 2026 · Version 2026-07-03
Lola Tech, Inc. and its subsidiaries and affiliates (collectively, “Lola”, “we”, “us” or “our”) respect your right to privacy and are fully committed to protecting and securing all the information we have about you with the highest standards.
We recommend that you read this Global Privacy Policy (the “Policy”) completely to ensure you are informed about how Lola collects and uses your Personal Data (as defined below).
1. Applicability of the Policy - What this Policy is and what it covers.
This Policy explains how Lola, acting as a data controller, collects, uses, stores, discloses, transfers, and protects personal information about you in connection with:
- our websites, including www.lola.tech and related subdomains (the “Sites”);
- your access to and use of our software platform, applications, dashboards, autonomous agents, APIs, and related professional and support services (collectively, the “Services”);
- our marketing, sales, recruiting, and other business activities, including in-person meetings or at events; and/or
- any other digital service that links to this Policy.
This Policy sets the global baseline standard for personal-data protection across all Lola entities. Where local law requires it, we adopt supplemental country-specific notices (each, a “Local Notice”) that adapt this Policy to a particular jurisdiction. To the extent a Local Notice conflicts with this Policy on a matter of local-law definition, scope, or individual rights, the Local Notice prevails for individuals in that jurisdiction.
Lola’s Services are provided to businesses and other organizations (each, a “Customer”) for professional use. We enter into a written agreement with each Customer that governs the delivery and use of the Services (the “Customer Agreement”).
This Policy does not apply to the inputs submitted to, the outputs generated by, or the documents and information uploaded to or otherwise included in the Services (“Customer Content”). We process Customer Content solely as a data processor on behalf of the relevant Customer, which acts as the data controller and determines the purposes and means of that processing. Our processing of Customer Content is governed by the relevant Customer Agreement, and not by this Policy. Any question or request concerning personal data contained in Customer Content should be directed to the relevant Customer; if we receive a data subject rights request relating to processing in which we act as a data processor, we will refer or forward that request to the relevant Customer (the data controller).
This Policy governs the Personal Data that Lola processes as a data controller, as described below.
Capitalized terms used in this Policy have the meanings given in Section 3.
2. Scope and audience.
This Policy applies to you if you are:
- a visitor to our Sites;
- a prospect or business contact;
- an authorized user of the Services;
- a job applicant or candidate; or
- an individual whose personal information appears within the Customer Content. For this group, please refer to Section 5.2.
This Policy does not change the terms of any Customer Agreement. Where we process Customer Content as a processor, the Customer Agreement governs and controls in the event of any conflict with this Policy as to that processing.
3. Definitions.
The following terms have the meanings below (singular and plural alike):
- Applicable Data Protection Laws:
- the data-protection, privacy, and information-security laws, regulations, and binding guidance applicable to Lola’s processing. These include, without limitation: the EU General Data Protection Regulation (“GDPR”); the UK GDPR and Data Protection Act 2018; Brazil’s Lei Geral de Proteção de Dados (“LGPD”); Mexico’s Ley Federal de Protección de Datos Personales en Posesión de los Particulares (“LFPDPPP”); Colombia’s Law 1581 of 2012 and its implementing decrees (“Habeas Data”); the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”); and other U.S. state privacy laws and additional jurisdictions where Lola operates, in each case as amended. Where interpretive conflicts arise, the applicable Local Notice, aligned to the baseline in this Policy, prevails.
- Authorized User:
- an individual permitted by a Customer to access and use the Services on the Customer’s behalf.
- Controller:
- the entity that, alone or jointly, determines the purposes and means of processing personal information.
- Customer:
- a business or organization that subscribes to or uses the Services. A Customer is a controller of the personal information within its Customer Content.
- Customer Agreement:
- the agreement between Lola and a Customer that governs the Customer’s access to and use of the Services.
- Customer Content:
- the inputs submitted to, outputs generated by, and documents and information uploaded to or otherwise included in the Services by or on behalf of a Customer, together with any Personal Data contained in them. Lola processes Customer Content as a processor under the applicable Customer Agreement (see Section 1), and this Policy does not govern it.
- Personal Information / Personal Data:
- any information relating to an identified or identifiable natural person, including names, identifiers, online identifiers, and factors specific to that person.
- Processor:
- an entity that processes personal information solely on behalf of, and on the documented instructions of, a controller.
- Processing:
- any operation performed on personal information, whether automated or manual (collection, storage, use, disclosure, combination, restriction, erasure, and so on).
- Sensitive / Special-Category Data:
- categories afforded heightened protection under Applicable Data Protection Laws (see Section 5.3).
- Sub-processor:
- a third party engaged by Lola to process personal information in connection with the Services.
4. Our two roles: controller and processor.
Understanding our role is essential to understanding how your information is handled.
4.1 When Lola acts as a controller.
Lola is a controller (it determines the why and how of processing) when it processes personal information for its own business purposes, including:
- operating, securing, and improving the Sites and the Services;
- managing relationships with prospects, customers, partners, and vendors;
- administering accounts and authenticating authorized users;
- sending marketing, sales, and product communications where permitted;
- recruiting and evaluating job applicants; and
- complying with our legal, tax, and regulatory obligations.
For this processing, this Policy and applicable Local Notices describe our practices and your rights.
4.2 When Lola acts as a processor.
Lola is a processor (it acts only on documented instructions) when it processes Customer Content on behalf of that Customer.
In this role:
- the Customer is the controller and determines the purposes, means, and legal basis for processing the personal information within Customer Content, including the personal information of any third party named in that content;
- Lola processes Customer Content only under the Customer’s documented instructions and as set out in the Customer Agreement and applicable law;
- if you are an individual whose personal information appears in Customer Content and you wish to exercise rights over it, you should contact the relevant Customer (the Controller). Lola will support that Customer in responding, as required by the Customer Agreement and applicable law; and
- the Customer is responsible for establishing a valid legal basis and providing any required notices to, or obtaining any required consents from, the individuals whose personal information it connects to Lola, including for the processing Lola performs as part of the Services.
5. Personal information we collect.
The categories below depend on your relationship with us and the role in which we process. Not all categories apply to every individual.
5.1 As a controller: information about you.
Information you provide.
- Identifying and contact information: name, employer and job title, business and personal email address, telephone number, and postal or business address.
- Account and authentication information: username, credentials, multi-factor authentication details, and access and role settings.
- Business and commercial information: company details, contractual and billing information, and records of products or services purchased or considered.
- Payment information: billing contact and transaction details. Card payments are processed by our payment provider; Lola does not store full card numbers.
- Recruitment information: résumé/CV, employment and education history, interview notes, assessment results, and references (where lawful and, where required, with consent).
- Communications: the content of messages, support requests, and survey or event responses you send us. We may monitor or record telephone calls with you for quality, training, and record-keeping, unless you ask us not to, and where permitted by law.
Information we collect automatically.
- Usage and device data: IP address, device and browser type, operating system, settings, language, pages and features accessed, referring/exit pages, and the dates and times of access.
- Product analytics: events describing which features and screens are used, app version, and approximate region. Analytics events do not include the contents of Customer Content.
- Diagnostics: crash reports and error logs (which may include redacted technical state) so that we can fix problems.
5.2 As a processor: Customer Content we process on a Customer’s instructions.
When a Customer connects content to the Services, we process the personal information contained in that content to deliver the Services in accordance to the Customer Agreement.
5.3 Sensitive information, privileged content, and children’s data.
Connected content may contain sensitive or specially protected information, including financial information, legal advice and attorney–client privileged or work-product material, employment and disciplinary matters, regulatory and compliance records, internal-investigation or whistleblower material, and third-party personal information contained in agreements. We apply heightened safeguards to such content and process it only as a processor on the Customer’s instructions and under the Customer Agreement.
As a controller, Lola does not seek to collect special-category data for its own purposes except where strictly necessary and lawful, and, where required, with explicit consent. Please do not send us sensitive personal information through unsecured channels (such as ordinary email).
The Services are intended for businesses and are not directed to children, and we do not knowingly collect children’s personal information as a controller. Where children’s personal information appears in Customer Content, the Customer is responsible for any consent required from a child or a parent/guardian. If we become aware that we hold children’s personal information without an appropriate basis, we will take steps to delete it.
6. How we collect personal information.
We collect personal information:
- Directly from you: when you contact us, register, configure an account, apply for a role, attend an event, or otherwise interact with us;
- Automatically: through your use of the Sites and Services (Section 5.1);
- From connected sources: when a Customer authorizes integrations and Lola receives content and metadata from third-party tools (see Section 8); and
- From third parties: such as our group companies, partners, referral sources, recruiters, identity-verification or background-check providers (where lawful), and publicly available sources.
If you provide us with another person’s personal information, you represent that you are authorized to do so and that the information is accurate.
7. How we use personal information and our legal bases.
We use personal information for the purposes described in the table below. Where Applicable Data Protection Laws require a legal basis for processing, the table identifies the basis we typically rely on. The precise basis may vary by jurisdiction and, where relevant, is set out in the applicable Local Notice.
| Purpose: what we do and why | Personal Data used (see Section 5) | Legal basis (where one is required) |
|---|---|---|
| Provide, operate, and support the Services: set up and administer accounts, authenticate users, deliver and configure the Services, provide customer support, and bill for the Services. | Identifying and contact; account and authentication; business and commercial; payment; communications. | Necessary to perform a contract with you or your organization. |
| Secure the Services: detect, investigate, and prevent fraud, abuse, security incidents, and misuse, and enforce our terms. | Account and authentication; usage and device. | Our legitimate interests. We and our Customers have a legitimate interest in keeping the Services secure and preventing misuse; this processing is necessary for that purpose and does not override your rights and freedoms. |
| Improve and develop the Services: diagnose problems, analyze aggregate usage, conduct research, and build and improve features. | Usage and device; diagnostics. | Our legitimate interests. We have a legitimate interest in understanding how the Services are used and improving them; the processing is necessary for that purpose and is not overridden by your rights and freedoms. |
| Manage sales and business relationships: respond to inquiries, manage prospects and Customer relationships, and develop our business. | Identifying and contact; business and commercial. | Our legitimate interests. We have a legitimate interest in managing and growing our business relationships; the processing is necessary for that purpose and does not override your rights and freedoms. |
| Marketing and events: send product updates, offers, and event invitations, and run campaigns. | Identifying and contact; business and commercial. | Your consent, where required; or, for business contacts where permitted by law, our legitimate interests. You may withdraw consent or object at any time, including via the unsubscribe link in every message. |
| Recruiting: evaluate applicants and manage hiring. | Identifying and contact; recruitment. | Steps taken at your request before entering a contract; our legitimate interests in assessing candidates; and your consent where required. |
| Comply with legal obligations: meet tax, accounting, and record-keeping duties, and respond to lawful requests from authorities. | As relevant to the obligation or request. | Compliance with a legal obligation. |
| Establish, exercise, or defend legal claims: protect our rights and respond to disputes, investigations, and proceedings. | As relevant to the claim. | Our legitimate interests; and, where applicable, the regular exercise of rights in proceedings. We have a legitimate interest in protecting our legal rights; the processing is necessary for that purpose and does not override your rights and freedoms. |
We do not sell personal information, and we do not use it for cross-context behavioral advertising.
When Lola processes Customer Content as a Processor, the Customer (as Controller) determines the purposes and legal basis, and Lola processes only on the Customer’s instructions and under the Customer Agreement.
8. Third-party integrations and connector credentials.
The Services are designed to connect to tools a Customer already uses (for example, contract-management and e-signature systems, document and knowledge repositories, communication tools, and email). When a Customer authorizes a connection:
- the credentials and tokens needed to authorize the connection are stored in encrypted form and used only to provide the Services;
- data flows between Lola and the connected tool only as needed for the integration to function and as instructed by the Customer; and
- the connected third party’s own handling of data is governed by its own terms and privacy policy, which we do not control.
A Customer’s administrators control which integrations are enabled and can revoke access. Lola does not use connector access to retrieve content beyond what is necessary to deliver the Services.
9. How we share and disclose personal information.
We disclose personal information only as described below:
- Lola companies: for administration, support, security, and to provide integrated Services, consistent with this Policy.
- Service providers and sub-processors: vendors that help us run the Sites and Services (for example, cloud hosting and infrastructure, authentication, analytics, error monitoring, payment processing, CRM, customer support, and recruiting). They are bound by contract to process personal information only on our documented instructions and to protect it.
- Partners and connected services: where required to deliver an integration or Service a Customer has requested (Section 8).
- Professional advisors: auditors, lawyers, accountants, and insurers, where necessary.
- Authorities and legal requirements: government, regulatory, judicial, or law-enforcement authorities where we believe in good faith that disclosure is required by law or legal process, or is necessary to protect rights, property, or safety, or to detect or prevent fraud or security issues. Where a request originates from a jurisdiction different from the individual’s, we assess the lawfulness of compliance.
- Business transfers: in connection with a merger, acquisition, financing, reorganization, or sale of assets, in which case personal information may be transferred subject to this Policy; we will provide notice as required.
When Lola acts as a Processor, it discloses Customer Content only as the Customer instructs and as set out in the Customer Agreement. We do not sell personal information and do not disclose it for cross-context behavioral advertising.
10. International data transfers.
Lola operates globally, and personal information may be transferred to, stored in, and processed in countries other than the one in which it was collected, including the United States and other countries where Lola or its sub-processors operate. Those countries may have different data-protection standards.
Where Applicable Data Protection Laws require it, we implement appropriate safeguards for international transfers, which may include:
- transfers to countries recognized by a competent authority as providing an adequate level of protection;
- intra-group transfer mechanisms (such as binding corporate rules), if and where adopted; and
- transfer impact assessments where appropriate, particularly for transfers to countries without an adequacy decision.
Certain jurisdictions impose data-localization or specific transfer requirements; we address these through appropriate hosting and contractual arrangements. For jurisdiction-specific mechanisms, see the applicable Local Notice or contact us using Section 15.
11. Data retention.
We retain personal information only for as long as necessary for the purposes described in this Policy, including to provide the Services, maintain business records, resolve disputes, and comply with legal, tax, regulatory, and contractual obligations — after which we delete or anonymize it. We periodically review retention periods based on the nature of the data, the purpose of processing, and legal requirements.
When Lola processes Customer Content as a Processor, retention and deletion follow the Customer Agreement: on termination or on Customer request, we delete or return Customer Content as provided in the Customer Agreement, except where retention is required by law.
12. Security.
Lola maintains a risk-based information-security program with administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, loss, and misuse. Measures include encryption in transit and, where supported, at rest; access controls and least-privilege access; network security; logging and monitoring; vulnerability management; incident response; personnel training; and vendor risk management. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
In the event of a personal-data breach, we act in accordance with Applicable Data Protection Laws and our contractual commitments. Where Lola acts as a Processor, we notify the affected Customer (controller) without undue delay and support its notifications to authorities and individuals. Where Lola acts as a Controller, we notify the competent authority and affected individuals where and as required by law.
13. Your rights and choices.
Subject to Applicable Data Protection Laws and certain exceptions, you may have the right to:
- access the personal information we hold about you and obtain information about its processing;
- correct or update inaccurate, incomplete, or outdated information;
- delete your personal information (the “right to be forgotten”);
- restrict or object to certain processing, including direct marketing;
- port your information to another controller in a structured, machine-readable format, where technically feasible;
- withdraw consent where processing relies on consent (without affecting prior lawful processing);
- opt out of marketing at any time; and
- lodge a complaint with your local data-protection authority.
To exercise these rights, contact us using Section 15. We may need to verify your identity before responding, and we will respond within the timeframes set by Applicable Data Protection Laws.
If you are an individual whose personal information appears in Customer Content, Lola generally acts as a processor, and the Customer is the Controller. Please direct your request to that Customer; Lola will support the Customer’s response as required by the Customer Agreement and law.
14. Marketing communications.
If you give us your contact details (for example, by joining a waitlist, registering, or contacting us), we may send you product updates, offers, event invitations, and other communications. Where required by Applicable Data Protection Laws, we obtain your consent first.
Every marketing email contains a one-click unsubscribe link. You can also opt out by emailing us (Section 15). Opting out of marketing does not stop transactional or service messages (such as security alerts, billing notices, and support replies) that you need to use the Services. Withdrawing consent does not affect the lawfulness of processing before withdrawal.
15. How to contact us.
For questions, requests, or to exercise your rights, contact Lola’s privacy team at contact@lola.tech.
If you are an individual whose personal information appears in Customer Content, please contact the relevant Customer (controller); we will support their response as required by the Customer Agreement.
16. Changes to this Policy.
We may update this Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, provide additional notice. Your continued use of the Sites or Services after the changes take effect means you accept the updated Policy, to the extent permitted by law. Prior versions are available on request.