Privacy Policy
Last updated: 2 March 2026
1. Who we are
Lantern Labs ("Engraph", "we", "us") is the controller responsible for the processing of your personal data. We are a developer tools company registered in the Netherlands. Engraph is our product.
- Company: Lantern Labs
- KVK number: 98926322
- Address: Postbus 34, 1687 ZG, Wognum, Netherlands
- Privacy contact: dpa@engraph.io
Our privacy contact handles all data protection enquiries and can be reached at dpa@engraph.io.
2. What personal data we collect
We collect only the data necessary to provide our service and communicate with you. Here is what we collect and when.
When you visit our website
We do not use analytics or tracking tools. We do not collect IP addresses, browser fingerprints, or browsing behaviour for analytics purposes. Our hosting provider (Vercel) processes server logs that may contain IP addresses for security and operational purposes. See Section 4 for details on sub-processors.
When you join our waitlist
- Email address
- Name (optional)
When you use the contact form
- Name
- Email address
- Subject and message content
When you create an account and use the Engraph platform
- Name, email address, and profile picture (from your identity provider)
- GitHub username (if you sign in with GitHub)
- Organisation name
- Usage data: constraints, redirections, subsystem configurations, agent session metadata (model used, files touched, branch names), and related metadata you create through the platform
3. Why we process your data and on what legal basis
| Purpose | Data involved | Legal basis (GDPR Art. 6) |
|---|---|---|
| Responding to your enquiry | Name, email, message content | 6(1)(f) Legitimate interest (answering your question) |
| Managing your waitlist signup | | 6(1)(b) Performance of a contract (pre-contractual steps at your request) |
| Providing the Engraph platform | Account data, usage data | 6(1)(b) Performance of a contract |
| Authenticating your session | Session tokens | 6(1)(b) Performance of a contract |
| Sending product updates and service emails | | 6(1)(f) Legitimate interest (keeping you informed about the service you signed up for) |
| Maintaining security and preventing abuse | Server logs (IP address, timestamps) | 6(1)(f) Legitimate interest (protecting our service and users) |
4. Who we share your data with
We do not sell your personal data. We do not share it with advertisers. We share it only with the service providers ("sub-processors") we need to run the platform.
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Website hosting, edge functions | EU (Frankfurt) |
| Railway | Application and database hosting | US (EU SCCs in place) |
| Resend | Transactional email delivery (contact form replies, account notifications) | US (EU SCCs in place) |
| GitHub | OAuth authentication and repository integration | US (EU SCCs in place) |
We maintain data processing agreements with each sub-processor. If this list changes, we will update this policy. If you are an Engraph customer, changes to sub-processors are also communicated via the Data Processing Agreement.
5. International data transfers
Our website is hosted in the EU via Vercel (Frankfurt). Our application server and database are hosted by Railway, Resend handles email delivery, and GitHub provides authentication and repository integration. Railway, Resend, and GitHub are based in the United States. For these transfers we rely on the European Commission's Standard Contractual Clauses (SCCs). If we add further sub-processors outside the EEA, we will ensure appropriate safeguards are in place (SCCs or an adequacy decision) and update this policy accordingly.
6. How long we keep your data
| Data category | Retention period |
|---|---|
| Contact form submissions | Not stored in our database. Delivered to our team via email (Resend). Retained in our mailbox for up to 12 months, then deleted. |
| Waitlist signups | Until you unsubscribe or we close the waitlist |
| Account and platform data | Duration of your contract, plus 30 days for data export |
| Server logs | 90 days |
7. Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Access (Art. 15) — request a copy of the personal data we hold about you
- Rectification (Art. 16) — ask us to correct inaccurate data
- Erasure (Art. 17) — ask us to delete your data when there is no compelling reason to keep it
- Restriction (Art. 18) — ask us to limit how we process your data
- Data portability (Art. 20) — receive your data in a structured, machine-readable format
- Objection (Art. 21) — object to processing based on legitimate interest
- Withdraw consent (Art. 7) — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, email us at dpa@engraph.io. We will respond within 30 days.
8. Complaints
If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). You can reach them at autoriteitpersoonsgegevens.nl. We would appreciate the chance to address your concerns first, so please contact us before filing a complaint.
9. For Engraph customers (data processing)
When you use the Engraph platform, we act as a data processor for the constraint data, redirections, and other content your team creates. You (or your organisation) remain the data controller for that content.
We offer a Data Processing Agreement (DPA) that meets the requirements of GDPR Article 28. If you need a signed DPA, email dpa@engraph.io and we will provide one.
10. How we protect your data
We implement technical and organisational measures appropriate to the risk, including encryption in transit (TLS), access controls, and regular security reviews. We do not store passwords. Authentication is handled through third-party identity providers (OAuth 2.0 via GitHub and Google) or passwordless email magic links. OAuth tokens stored in our database are encrypted at rest.
11. Children's data
Engraph is a B2B service for software engineering teams. We do not knowingly collect personal data from anyone under 16 years of age (the Dutch digital age of consent under the UAVG). If we discover we have collected data from a child, we will delete it promptly.
12. Automated decision-making
We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you.
13. Changes to this policy
We may update this privacy policy from time to time. When we do, we will update the date at the top of this page. For significant changes, we will notify you by email (if we have your address) or by a prominent notice on our website.
14. Contact
For any questions about this privacy policy or how we handle your personal data, email us at dpa@engraph.io or use our contact form.