Privacy Policy

1. Introduction

Welcome to Lana! This Privacy Policy explains how Lana Commerce, Inc. ("Lana," "We," "Us," or "Our") collects, uses, discloses, and protects Personal Information. This Policy applies to Personal Information we collect when you visit our website (lana.dev), use our headless commerce platform and related services (collectively, the "Services"), or otherwise interact with us.

This Privacy Policy is incorporated into our Terms of Service. By accessing or using our Services, you signify that you have read, understood, and agree to our collection, storage, use, and disclosure of your Personal Information as described in this Privacy Policy and our Terms of Service.

Important Note for Merchants: If you are a Merchant using Lana's Services to operate your online store, this Privacy Policy primarily explains how we collect and use your Personal Information (as an Account Owner or staff member) and information from visitors to our website.

When Lana processes Personal Information of your customers ("End Customer Data") through our Services on your behalf, Lana acts as a "Data Processor" or "service provider," and you (the Merchant) act as the "Data Controller" or "business." The processing of End Customer Data is governed by the Data Processing Addendum ("DPA") between you and Lana, which is part of our Terms of Service. Merchants are responsible for their own privacy practices and for making their own privacy policies available to their customers. Lana is not responsible for the privacy or security practices of our Merchants, which may differ from those set forth in this Privacy Policy.

2. What Information We Collect

We collect Personal Information to provide and improve our Services. The types of Personal Information we may collect include:

a. Information You Provide to Us Directly:

Account Information: When you register for an Account (as an Account Owner or staff member), we collect information such as your name, company name, email address, phone number, physical address, and password.

Payment Information: If you subscribe to our paid Services, we collect your payment information (e.g., credit card details, billing address) through our secure payment processors. Lana does not store full credit card numbers.

Communications: If you contact us directly (e.g., via email, support requests, feedback forms), we may receive additional information about you such as your name, email address, phone number, the contents of the message and/or attachments you may send us, and any other information you may choose to provide.

Business Information: Information about your business, such as store setup details, product information you manage through our platform (though this is primarily processed on your behalf), and integration preferences.

b. Information We Collect Automatically When You Use Our Services or Visit Our Website:

Log Files and Usage Data: Like most websites and online services, we automatically collect certain information when you access our website or use our Services. This may include your Internet Protocol (IP) address, browser type, Internet Service Provider (ISP), referring/exit pages, operating system, date/time stamps, clickstream data, and information about how you interact with our Services (e.g., features used, pages viewed).

Cookies and Similar Tracking Technologies: We use cookies and similar tracking technologies (e.g., web beacons, pixels) to collect information about your Browse activities over time and across different websites following your use of our Services. Cookies help us provide, protect, and improve our Services, such as by personalizing content, tailoring and measuring ads, and providing a safer experience. You can control the use of cookies at the individual browser level. For more information, see Section 6 ("Cookies and Other Tracking Technologies").

Device Information: We may collect information about the device you use to access our Services, including the hardware model, operating system and version, unique device identifiers, and mobile network information.

c. Information We May Receive from Third Parties:

We may receive Personal Information about you from third-party sources, such as social media platforms (if you interact with us through those platforms), marketing partners, and publicly available sources, in compliance with applicable laws.

3. How We Use Your Information

We use the Personal Information we collect for various purposes, including:

• To Provide, Operate, and Maintain our Services:
• Create and manage your Account.
• Process transactions and send you related information, including purchase confirmations and invoices for our Services.
• Enable the features of our headless commerce platform.
• To Improve, Personalize, and Expand our Services:
• Understand and analyze how you use our Services.
• Develop new products, services, features, and functionality.
• Personalize your experience.
• To Communicate with You:
• Send you technical notices, updates, security alerts, and support and administrative messages.
• Respond to your comments, questions, and requests, and provide customer service.
• Provide you with information about our Services, features, surveys, newsletters, offers, promotions, contests, and events, and provide other news or information about us and our partners (with your consent, where required by law). You can opt-out of marketing communications as described in Section 8 ("Your Privacy Choices and Rights").
• For Security and Fraud Prevention:
• Protect the security and integrity of our Services.
• Prevent, detect, and investigate fraud, unauthorized access, and other illegal activities.
• For Legal and Compliance Purposes:
• Comply with applicable laws, regulations, legal processes, or governmental requests.
• Enforce our Terms of Service and other agreements.
• Protect our rights, privacy, safety, or property, and/or that of you or others.
• For Other Purposes:
• For any other purpose disclosed to you at the time we collect your information or with your consent.

4. How We Share Your Information

We may share your Personal Information in the following circumstances:

• With Service Providers (Sub-processors): We share Personal Information with third-party vendors, consultants, and other service providers who perform services on our behalf (our "Sub-processors"). These services may include hosting and infrastructure, payment processing (for fees owed to Lana), customer support tools, analytics, and email delivery. Our Sub-processors are contractually obligated to protect your Personal Information and are only permitted to use it for the specific services they provide to us. Our DPA provides more information on our use of Sub-processors for End Customer Data.
• For Legal Reasons and Safety: We may disclose your Personal Information if we believe it's required by applicable law, regulation, legal process, or governmental request, or to protect the safety, rights, or property of Lana, our Merchants, our users, or the public.
• In Connection with a Business Transfer: We may share or transfer your Personal Information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. We will notify you of such a change in ownership or transfer of assets by posting a notice on our website or as otherwise required by law.
• Aggregated or De-identified Data: We may share aggregated or de-identified information that cannot reasonably be used to identify you. For example, we may share aggregated usage statistics about our Services.
• With Your Consent: We may share your Personal Information with third parties when we have your consent to do so.
• Within Lana Commerce, Inc.: We may share information between and among Lana Commerce, Inc. and our current and future parents, affiliates, subsidiaries, and other companies under common control and ownership.

Lana does not sell your Personal Information in the traditional sense (i.e., for monetary consideration). However, some data sharing for purposes like targeted advertising with third-party partners may be considered a "sale" or "sharing" under certain data protection laws like the CCPA/CPRA. Please see Section 8 ("Your Privacy Choices and Rights") and our Cookie Policy for more details.

5. Data Security

Lana takes reasonable technical and organizational measures to protect the Personal Information submitted to us, both during transmission and once we receive it. These measures are designed to prevent unauthorized access, disclosure, alteration, or destruction of Personal Information. These include encryption, access controls, and secure development practices.

However, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.

6. Cookies and Other Tracking Technologies

We use cookies and similar tracking technologies to collect and use Personal Information about you, including to serve interest-based advertising. For further information about the types of cookies and tracking technologies we use, why, and how you can control them, please see our Cookie Policy.

7. Data Retention

We will retain your Personal Information for as long as your Account is active or as needed to provide you Services and to fulfill the purposes outlined in this Privacy Policy. We will also retain and use your Personal Information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

For End Customer Data processed on behalf of Merchants, retention periods are governed by the DPA and the Merchant's instructions. Typically, End Customer Data is retained for the duration of the Merchant's agreement with us, plus a defined period for deletion post-termination (e.g., 90 days as stated in our DPA template).

8. Your Privacy Choices and Rights

Depending on your location and applicable Data Protection Laws and Regulations, you may have certain rights regarding your Personal Information. These may include:

• Access: The right to request access to the Personal Information we hold about you.
• Rectification: The right to request correction of inaccurate Personal Information.
• Erasure (Deletion): The right to request deletion of your Personal Information, subject to certain exceptions.
• Restriction of Processing: The right to request that we restrict the processing of your Personal Information in certain circumstances.
• Data Portability: The right to receive your Personal Information in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller where technically feasible.
• Objection: The right to object to the processing of your Personal Information in certain circumstances, including for direct marketing.
• Withdrawal of Consent: If we process your Personal Information based on your consent, you have the right to withdraw that consent at any time.
• Right to Opt-Out of "Sales" or "Sharing" (for targeted advertising): As applicable under laws like CCPA/CPRA.
• Right to Lodge a Complaint: The right to lodge a complaint with a supervisory authority if you believe our processing of your Personal Information violates applicable law.

How to Exercise Your Rights: To exercise any of these rights, please contact us at hello@lana.dev. We will respond to your request in accordance with applicable Data Protection Laws and Regulations. We may need to verify your identity before processing your request.

Marketing Communications: You can opt-out of receiving promotional communications from us by following the unsubscribe instructions in those communications or by contacting us. If you opt-out, we may still send you non-promotional communications, such as those about your Account or our ongoing business relations.

9. International Data Transfers

Your Personal Information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different from the laws of your country.

Specifically, our servers are located in the United States, and our third-party service providers and partners operate around the world. This means that when we collect your Personal Information, we may process it in any of these countries.

However, we have taken appropriate safeguards to require that your Personal Information will remain protected in accordance with this Privacy Policy and applicable Data Protection Laws and Regulations. For individuals in the European Economic Area (EEA), UK, or Switzerland, this includes implementing Standard Contractual Clauses (SCCs) for transfers of Personal Information between our group companies and with our third-party service providers and partners. Our DPA further details the mechanisms used for transfers of End Customer Data.

10. Children's Privacy

Our Services are not directed to individuals under the age of 16 (or a higher age threshold if required by applicable law in your jurisdiction). We do not knowingly collect Personal Information from children under 16. If we become aware that a child under 16 has provided us with Personal Information, we will take steps to delete such information. If you believe that a child under 16 has provided us with Personal Information, please contact us at hello@lana.dev.

11. Third-Party Websites and Services

Our Services may contain links to other websites and services operated by third parties. This Privacy Policy does not apply to, and we are not responsible for, the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party websites or services you visit.

12. Specific Regional Disclosures

a. For Individuals in the European Economic Area (EEA), United Kingdom (UK), and Switzerland:

Legal Basis for Processing: If you are from the EEA, UK, or Switzerland, our legal basis for collecting and using the Personal Information described above will depend on the Personal Information concerned and the specific context in which we collect it. However, we will normally collect Personal Information from you only (i) where we need the Personal Information to perform a contract with you (e.g., to provide our Services), (ii) where the processing is in our legitimate interests and not overridden by your rights, or (iii) where we have your consent to do so. In some cases, we may also have a legal obligation to collect Personal Information from you.

Your Rights: You have the rights outlined in Section 8, including the right to lodge a complaint with your local data protection authority.

Data Protection Officer (DPO):

Please refer to Section 14 for contact information.

b. For Residents of California (CCPA/CPRA Notice): This section provides additional details about the Personal Information we collect about California consumers and the rights afforded to them under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

Categories of Personal Information Collected: In the preceding 12 months, we have collected the categories of Personal Information detailed in Section 2 ("What Information We Collect").

Sources of Personal Information: We collect this information from the sources described in Section 2.

Purposes for Collecting Personal Information: We collect and use this information for the business and commercial purposes described in Section 3 ("How We Use Your Information").

Categories of Personal Information Disclosed for a Business Purpose: In the preceding 12 months, we have disclosed the categories of Personal Information detailed in Section 2 for business purposes to the categories of third parties described in Section 4 ("How We Share Your Information").

"Sales" or "Sharing" of Personal Information: Lana does not "sell" Personal Information in the traditional sense (for monetary value). However, our use of certain third-party cookies for analytics and advertising purposes may be considered a "sale" or "sharing" under CCPA/CPRA. You have the right to opt-out of such "sales" or "sharing." Please see our Cookie Policy for details on how to manage your preferences or contact us as described in Section 8. We do not knowingly sell or share the Personal Information of minors under 16 years of age.

Your California Privacy Rights: You have the rights outlined in Section 8, including the Right to Know, Right to Delete, Right to Correct, Right to Opt-Out of Sale/Sharing, and Right to Non-Discrimination.

Shine the Light: California law permits users who are California residents to request and obtain from us once a year, free of charge, a list of the third parties to whom we have disclosed their Personal Information (if any) for their direct marketing purposes in the prior calendar year, as well as the type of Personal Information disclosed to those parties. Lana does not share Personal Information with third parties for their own direct marketing purposes without your consent.

c. For Residents of Australia:

Compliance with Australian Privacy Principles (APPs): Lana is committed to complying with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Access and Correction: You have the right to request access to the Personal Information we hold about you and to request its correction. Please contact us as described in Section 8 and Section 14.

Complaints: If you believe that we have breached the APPs or mishandled your Personal Information, you can lodge a complaint with us using the contact details in Section 14. We will investigate your complaint and respond to you in writing within a reasonable period. If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC).

Overseas Disclosure: As mentioned in Section 9, your Personal Information may be disclosed to overseas recipients (e.g., where our servers or service providers are located). We take reasonable steps to ensure that overseas recipients handle your Personal Information in accordance with the APPs.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, and other factors. If we do, we will update the "Last Updated" date at the top of this Privacy Policy. If we make material changes, we will notify you by posting the new Privacy Policy on our website and, where required by law, by providing a more prominent notice (such as by adding a statement to our homepage or sending you a notification).

We encourage you to review this Privacy Policy periodically to stay informed about our collection, use, and disclosure of Personal Information.

14. Contact Us

If you have any questions about this Privacy Policy, your Personal Information, or your privacy rights, or if you would like to make a complaint, please contact us at:

Lana Commerce, Inc. Attn: Privacy Officer / Legal Department 548 Market St Suite #35443 San Francisco, California 94104, US Email: hello@lana.dev.