Privacy Policy
Lore Labs AG
Last Updated: January 2026
Effective Date: January 2026
1. Introduction
This Privacy Policy explains how Lore Labs AG ("Lore Labs," "we," "us," or "our") collects, uses, and protects personal data when you use our CONTXT platform ("Platform" or "Service") accessible at https://contxt.art and related services.
We are committed to protecting your privacy and handling your personal data in accordance with applicable data protection laws, including the Swiss Federal Act on Data Protection (FADP) and the European General Data Protection Regulation (GDPR).
2. Data Controller
Lore Labs AG
Neptunstrasse 42
8032 Zürich
Switzerland
For privacy-related inquiries, please contact us at: [email protected]
3. Data We Collect
3.1 Information You Provide Directly
Workspace Users (Institution Representatives):
- Account information: name, email address, profile photo
- Authentication data: OAuth tokens (Google, Apple, Microsoft) or password credentials
- Workspace data: institution name, description, website, social media links
- Content uploads: artwork images, documents, exhibition data, audience configurations
Visitors (Museum/Exhibition Visitors):
- Account information (optional): name, email address, username, profile photo
- Conversation data: messages exchanged with AI audiences
- Archive data: artworks you interact with and save
- Preferences: language settings, notification preferences
3.2 Information Collected Automatically
Technical Data:
- Device information: browser type, operating system, device identifiers
- Connection data: IP address, access times, referring URLs
- Usage data: pages visited, features used, interaction patterns
Analytics Data:
- Session information: duration, message counts, artwork interactions
- Photo recognition attempts: images submitted for artwork identification
- Engagement metrics: audience switches, social shares, navigation patterns
3.3 Information from Third Parties
- OAuth providers (Google, Apple, Microsoft): basic profile information when you choose to authenticate via these services
- Payment processors (Stripe): transaction status and billing information (we do not store full payment card details)
4. How We Use Your Data
4.1 To Provide and Improve Our Services
- Operating the CONTXT platform and delivering personalized experiences
- Processing artwork recognition requests
- Generating AI-powered responses about exhibitions and artworks
- Building and maintaining your personal Archive across museum visits
- Providing analytics and insights to workspace users
4.2 To Communicate With You
- Sending service-related notifications and updates
- Responding to your inquiries and support requests
- Providing transactional emails (account verification, password resets)
4.3 For Legal and Business Purposes
- Complying with legal obligations and regulatory requirements
- Protecting against fraud, abuse, and security threats
- Enforcing our Terms of Service
- Analyzing usage patterns to improve our platform
5. Legal Basis for Processing
We process your personal data based on the following legal grounds:
| Purpose | Legal Basis |
|---|---|
| Providing Services | Performance of contract |
| Account Management | Performance of contract |
| Analytics & Improvements | Legitimate interests |
| Security & Fraud Prevention | Legitimate interests |
| Marketing Communications | Consent |
| Legal Compliance | Legal obligation |
6. Data Sharing and Disclosure
6.1 Service Providers
We share data with trusted third-party service providers who assist in operating our platform:
| Provider | Purpose | Data Shared |
|---|---|---|
| Hetzner | Cloud hosting and object storage | All platform data |
| Cloudflare | CDN and DNS services | Traffic data, IP addresses |
| LLM Providers | AI language model services | Conversation content (anonymized) |
| Stripe | Payment processing | Billing information |
| Resend | Transactional emails | Email addresses, names |
| Sentry | Error tracking and monitoring | Technical error data |
| Google/Apple/Microsoft | Authentication | OAuth tokens, basic profile |
6.2 Workspace Users (Institutions)
When you interact with an institution's exhibition as a visitor:
- Institutions receive aggregated analytics only (not individual conversation transcripts)
- Flagged AI responses may be reviewed with anonymized context
- Your personal identity is not disclosed to institutions without your consent
6.3 Legal Requirements
We may disclose your data when required by law, court order, or governmental authority, or when necessary to protect our rights, property, or safety.
6.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity.
7. International Data Transfers
Your personal data may be transferred to and processed in countries outside Switzerland and the European Economic Area (EEA). When we transfer data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Other legally recognized transfer mechanisms
Our primary infrastructure is hosted in the European Union (Hetzner, Germany), and we prioritize keeping data within the EU/EEA where possible.
8. Data Retention
We retain your personal data for as long as necessary to fulfill the purposes outlined in this policy:
| Data Type | Retention Period |
|---|---|
| Workspace user accounts | Until account deletion + 30 days |
| Visitor accounts | Until account deletion + 30 days |
| Conversation history | Anonymized after 36 months |
| Analytics data | Aggregated and retained indefinitely |
| Deleted content (trash) | 12 months, then permanently deleted |
| Anonymous session data | 24 hours (cookie-based) |
9. Your Rights
Under applicable data protection laws, you have the following rights:
- Access: Request a copy of your personal data we hold.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Restriction: Request limitation of processing in certain circumstances.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw Consent: Withdraw consent at any time where processing is based on consent.
To exercise these rights, please contact us at [email protected]. We will respond to your request within 30 days.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Access controls and authentication requirements
- Regular security assessments and monitoring
- Employee training on data protection practices
While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
11. Cookies and Tracking Technologies
We use cookies and similar technologies to:
- Maintain your session and authentication state
- Remember your preferences and settings
- Analyze platform usage and performance
- Provide security features
Types of Cookies:
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security, core functionality | Session |
| Functional | Preferences, language settings | 1 year |
| Analytics | Usage patterns, performance monitoring | 1 year |
You can manage cookie preferences through your browser settings. Note that disabling essential cookies may affect platform functionality.
12. Children's Privacy
CONTXT is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected personal data from a child under 13, we will take steps to delete such information.
Institutions may create child-friendly AI voices with simplified language, but visitors under 13 should use the platform under parental supervision.
13. AI and Automated Processing
CONTXT uses artificial intelligence to provide conversational experiences about artworks and exhibitions. This involves:
- Processing your messages to generate relevant responses
- Analyzing uploaded images for artwork recognition
- Generating personalized suggestions and themes
Important Notes:
- AI responses are grounded in institution-provided content
- We may use fully anonymized and aggregated conversation data to improve our AI systems, but your personal conversations are never used in identifiable form for training purposes
- You can flag AI responses for review if you believe they are inaccurate or inappropriate
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:
- Posting the updated policy on our website
- Updating the "Last Updated" date
- Sending email notification for significant changes (registered users)
We encourage you to review this policy periodically.
15. Contact Us
If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:
Supervisory Authority:
If you are unsatisfied with our response, you have the right to lodge a complaint with the relevant data protection authority:
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC)
- EU/EEA: Your local supervisory authority
16. Additional Information for Swiss Residents
As a Swiss company, we comply with the Swiss Federal Act on Data Protection (FADP). Swiss residents have additional rights under the FADP, including the right to information about the processing of personal data and the right to data portability.
17. Additional Information for EU/EEA Residents
If you are located in the European Union or European Economic Area, you have additional rights under the GDPR. Lore Labs AG acts as the data controller for your personal data. For the purposes of GDPR compliance, our legal basis for processing is as outlined in Section 5 above.
This Privacy Policy is effective as of January 2026.