L
lunalink.ai
Tools for creators & shops
Legal · Privacy

Privacy policy

Last updated: April 27, 2026

Short version

The free tools at lunalink.ai/tools run primarily in your browser. We don't require accounts and don't store your recordings, prompts, or uploads on our servers. Each Shopify app published under lunalink.ai has its own appendix below covering scopes, data, retention, and Shopify GDPR webhooks.

1. Who we are

lunalink.ai is the controller of the data described in this policy. We publish a growing set of free browser tools and a small family of Shopify apps under the lunalink.ai brand. Each Shopify app's specific data handling is documented in its appendix at the bottom of this page.

Contact: hello@lunalink.ai.

2. lunalink.ai free tools

Our free tools — AI logo maker, product description rewriter, SEO meta generator, screen recorder, image resizer + AI reframe, screenshot beautifier, AI eraser, video voiceover, and others listed at lunalink.ai/tools — run primarily in your browser. We don't require accounts for the tools themselves, and we don't persist your recordings, prompts, or uploaded files on our servers.

  • Screen recorder and the in-browser image resize never leave your device. Nothing is uploaded.
  • The AI logo maker, description rewriter, SEO meta generator, screenshot beautifier auto-design, AI eraser, video voiceover, and the AI reframe mode of the image resizer send your prompt or media to fal.ai for processing. fal.ai handles this data under their own privacy policy. We don't retain a copy beyond the short-lived storage fal hosts to feed the model.
  • The paid model routes (anything that costs us a credit) are gated behind sign-in via Supabase Auth. We store your email and a session record so we can verify the admin allowlist on each request. We don't use this for marketing.
  • No analytics cookies, no ad trackers, no third-party personal data collection.

3. Common sub-processors

These services support the marketing site and most of our products. Per-app sub-processors (e.g. an LLM that only one app uses) are listed in that app's appendix below.

  • fal.ai — model hosting (image, video, audio, vision, language). Used by the free tools that run AI calls and by some apps for specific models.
  • Supabase — authentication, Postgres database, and Storage. Holds admin session records and any persistent data we explicitly store on a user's behalf.
  • Vercel — hosting and edge CDN for lunalink.ai and most of the free tools. Located in the United States.

We do not sell, rent, or share your data with third parties for marketing, advertising, or any commercial purpose.

4. Cookies and analytics

We use the minimum cookies required to keep you signed in (a Supabase session cookie on routes that need authentication) and no third-party advertising or cross-site tracking cookies. If we add product analytics in the future, this section will be updated and the “Last updated” date at the top will change.

5. Security

All traffic is served over HTTPS. Database and storage access is restricted to the application servers. Routes that consume paid model credits are gated behind an admin allowlist. We follow Shopify's security best practices for app authentication and access-token handling on every Shopify app.

6. Your rights

You have the right to:

  • Access — request a copy of the data we hold about you or your store.
  • Deletion — request deletion of your data at any time. For Shopify apps you can also simply uninstall, which triggers our deletion path.
  • Correction — request correction of inaccurate data.
  • Portability — request data we hold in a portable format.

If you are located in the European Economic Area, the United Kingdom, or California, the rights above apply under GDPR and CCPA respectively. To exercise any of them, email hello@lunalink.ai. We respond within 30 days.

7. International transfers

Data may be stored and processed in the United States. By using the tools or installing one of our Shopify apps you consent to this transfer. To the extent we process personal data, we do so as a processor acting on your instructions as the data controller.

8. Changes to this policy

We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated via the affected product or by updating the “Last updated” date at the top.

9. Contact

Questions about this policy or data requests:

hello@lunalink.ai

App appendices

Each Shopify app published under lunalink.ai has its own appendix. The common sections above (controller, sub-processors, security, rights, contact) apply to every app. The appendix for an app covers what's specific to it: scopes, additional sub-processors, retention, billing, and Shopify GDPR webhook handling.

The Partner Dashboard “privacy policy URL” for each app deep-links to its appendix below.

A. Descriva — AI product descriptions for Shopify

Descriva is a Shopify app that generates product descriptions and SEO metadata. This appendix supplements the common policy above. The Partner Dashboard privacy URL for this app is https://lunalink.ai/privacy#descriva.

A.1 Scopes requested

Descriva requests exactly one explicit scope:

  • write_products — write AI-generated descriptions, SEO title and meta description, image alt text, URL handles, and tags back to your products when you publish a draft.

read_products is granted implicitly by Shopify when write_products is requested. Descriva uses it to read your catalog at install time and on the dashboard so it can show which products need work and feed product fields to the model.

Descriva does not request read_orders, read_customers, read_themes, write_metafields, or any analytics-, customer-, or storefront-related scope. The app never sees your shoppers' personal data.

A.2 Data we read and store

  • Product titles, descriptions, tags, type, vendor, product IDs.
  • Shop domain (e.g. yourstore.myshopify.com).
  • Session tokens (to keep the embedded app authenticated).
  • Billing plan and subscription status from the Shopify Billing API.
  • Generation history — which products you optimised and the AI-generated drafts — so you can review, restore, or compare versions.
  • Aggregate usage counts (number of generations) for plan limits.

A.3 How Descriva uses your data

  • Content generation — product fields are sent to OpenAI to draft descriptions, SEO titles, meta descriptions, and tag suggestions on your behalf.
  • History — so you can review, restore, or compare previously generated content.
  • Billing — usage counts determine which plan tier applies.
  • Support — to diagnose issues you report.

A.4 App-specific sub-processors

Descriva calls the following services from production. Each one receives the minimum data needed for its job; nothing is shared with them for marketing or training. The common sub-processors in section 3 (fal.ai, Supabase, Vercel) are not used by Descriva.

  • OpenAI — generates product descriptions, SEO copy, and image alt text from the product fields you provide. Every API call is sent with the store: false flag, so OpenAI does not retain inputs or outputs once the response is returned. No customer personal data is ever sent. Privacy policy.
  • Render — application hosting and the Postgres database that stores merchant settings, generation history, and bulk-job records (United States). Privacy policy.
  • Sentry — server- and client-side error tracking. May capture stack traces, request paths, and shop domains so we can diagnose crashes. Personal data is filtered out before send. Privacy policy.
  • PostHog — anonymised product analytics (page views, button clicks). No personally identifiable information and no product content is sent. Privacy policy.
  • Resend — sends transactional email (bulk-job-complete notifications and monthly-usage warnings) to the merchant's installed-shop email address. Privacy policy.

A.5 Data retention and deletion path

  • Generation history — retained per the shop's chosen retention window. The default is 90 days; merchants can configure this anywhere from instant deletion up to 90 days in app settings.
  • Bulk job records — retained 30 days by default; configurable in app settings.
  • Session tokens — expire automatically after inactivity.
  • Billing records — retained for 12 months after your subscription ends for accounting purposes.

All merchant data — settings, generation history, bulk-job rows — is deleted within 30 days of either an app/uninstalled webhook or a Shopify shop/redact GDPR webhook, whichever comes first. The 30-day delay matches Shopify's compliance window so a re-install during that period restores your settings rather than starting from scratch.

A.6 Shopify GDPR webhooks

Descriva implements all three mandatory Shopify compliance webhooks at the endpoints below.

  • customers/data_request /webhooks/customers/data_request — we respond within 30 days. Descriva stores no shopper personal information, so the response is an attestation that there is no shopper data to export.
  • customers/redact /webhooks/customers/redact — same attestation: nothing to delete, because no shopper personal information is stored in the first place.
  • shop/redact /webhooks/shop/redact — purges the shop's settings, generation history, and bulk-job rows from the Postgres database within Shopify's 48-hour compliance window.

A.7 Billing

Descriva uses the Shopify Billing API. Charges are made by Shopify against your existing Shopify billing relationship — we never see your card details. We receive only the subscription plan and status from Shopify so we can apply the correct plan limits.

© 2026 lunalink.ai. All rights reserved. ← Back to lunalink.ai