01 · Overview
lenne.ai, Inc. ("lenne," "we," "us," or "our") operates lenne.ai and related AI-powered receptionist and concierge services (the "Services"). This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and the choices you have.
We built lenne to be the front desk that never sleeps — that means we handle sensitive call data, appointment information, and sometimes health-adjacent details on behalf of our business customers. We take that responsibility seriously.
By using our website or Services, you agree to the practices described below. If you don't agree, please don't use the Services.
02 · Information we collect
We collect information in three ways: directly from you, automatically through your use of the Services, and from our business customers (operators) on behalf of their end users.
Information you give us
- Name, email address, and phone number when you sign up or contact us.
- Billing information (processed by our payment processor — we don't store raw card numbers).
- Business details when you set up a lenne account (spa name, address, hours, booking rules).
- Communications you send us via email, chat, or support tickets.
Information collected automatically
- IP address, browser type, device identifiers, and referring URL when you visit lenne.ai.
- Pages viewed, clicks, and session duration via analytics tools.
- Cookies and similar tracking technologies (see Section 06).
Information processed on behalf of operators
When lenne handles a call or SMS for one of our business customers ("Operators"), we process data about their end users ("Callers") — including voice recordings, transcripts, appointment details, and contact information. In this context, lenne acts as a data processor and the Operator is the data controller. Operators are responsible for their own privacy disclosures to Callers.
03 · How we use it
We use the information we collect to:
- Provide, operate, and improve the Services — including answering calls, booking appointments, and sending confirmations.
- Authenticate users and maintain account security.
- Process payments and send invoices.
- Train and improve our AI models in aggregate, anonymized form (never tied to a named individual without explicit consent from the Operator).
- Send you product updates, usage reports, and service announcements. You can opt out of marketing emails at any time.
- Respond to your support requests and troubleshoot issues.
- Comply with legal obligations.
We don't sell your personal information. We don't use your data to serve third-party advertising.
05 · Voice & text data
lenne's core product answers phone calls and exchanges SMS messages on behalf of Operators. Here's exactly what that means for data:
- Call recordings: Inbound calls to lenne-powered numbers may be recorded. Operators configure whether recording is enabled. Where required by law (e.g., two-party consent states), Operators are responsible for ensuring callers are notified.
- Transcripts: Every call and message is transcribed automatically. Transcripts are stored in the Operator's account and accessible to their authorized team members.
- Retention: Voice recordings are retained for 90 days by default. Transcripts are retained for 12 months. Operators may request shorter retention windows. See Section 07 for the full retention policy.
- AI training: Voice and text data may be used to improve our models only in de-identified, aggregated form. We do not use individually identifiable call content to train models without explicit written agreement from the Operator.
07 · Retention
We keep data only as long as necessary for the purposes described in this policy:
- Account data: Retained while your account is active, plus 90 days after closure to allow reactivation. After that, deleted or anonymized.
- Call recordings: 90 days (configurable per Operator).
- Transcripts & booking data: 12 months (configurable per Operator).
- Billing records: 7 years to comply with financial regulations.
- Support correspondence: 3 years.
- Aggregated analytics: Indefinite (no personal identifiers).
You may request earlier deletion of your personal data (see Section 09 — Your Rights).
08 · Security
We implement industry-standard safeguards to protect your data:
- All data in transit is encrypted using TLS 1.2 or higher.
- Data at rest is encrypted using AES-256.
- Access to production systems is restricted to authorized personnel via SSO and hardware MFA.
- We conduct regular security reviews and penetration tests.
- Sub-processors are vetted for SOC 2 compliance where applicable.
No system is perfectly secure. If you believe you've found a security vulnerability, please report it responsibly to security@lenne.ai. We don't sue researchers acting in good faith.
In the event of a data breach affecting your personal information, we'll notify affected parties as required by applicable law — and sooner than required whenever possible.
09 · Your rights
Depending on where you live, you may have the following rights regarding your personal data:
Everyone
- Access: Request a copy of the personal data we hold about you.
- Correction: Ask us to correct inaccurate or incomplete data.
- Deletion: Request that we delete your personal data (subject to legal retention obligations).
- Opt-out: Unsubscribe from marketing emails at any time via the unsubscribe link in any email or by emailing hello@lenne.ai.
California residents (CCPA / CPRA)
- Right to know what personal information is collected, used, shared, or sold.
- Right to delete personal information.
- Right to opt out of the sale or sharing of personal information. (We don't sell data — this right is available but moot.)
- Right to non-discrimination for exercising your rights.
- Right to correct inaccurate personal information.
- Right to limit use of sensitive personal information.
EEA / UK residents (GDPR / UK GDPR)
- Right to restrict processing.
- Right to data portability.
- Right to object to processing based on legitimate interests.
- Right to lodge a complaint with your supervisory authority.
To exercise any right, email privacy@lenne.ai with the subject line "Privacy Request." We'll respond within 30 days. For requests relating to Caller data held by an Operator, we'll direct you to the relevant Operator as the data controller.
10 · Children
The Services are not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us at privacy@lenne.ai and we'll delete it promptly.
11 · HIPAA notice
lenne serves medical spa, dental, aesthetics, and wellness businesses. Some information processed through the Services may constitute Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).
When an Operator is a HIPAA-covered entity or business associate, lenne enters into a Business Associate Agreement (BAA) with that Operator prior to processing PHI. Under the BAA, lenne agrees to:
- Use PHI only for the purposes described in the BAA and this policy.
- Implement appropriate administrative, physical, and technical safeguards for PHI.
- Report any breach of unsecured PHI to the Operator within the timeframes required by HIPAA.
- Make PHI available to individuals exercising their HIPAA access rights.
- Return or destroy PHI upon termination of the agreement.
If your business requires a BAA, contact hello@lenne.ai before processing any PHI through the Services.
This section is informational and does not constitute legal advice. Operators are responsible for their own HIPAA compliance determinations.
12 · International data transfers
lenne is based in the United States. If you're located outside the US, your data may be transferred to and processed in the US, which may have different data protection laws than your home country.
For transfers from the EEA, UK, or Switzerland to the US, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our Data Processing Agreements with customers and sub-processors.
- The UK International Data Transfer Agreement (IDTA) for UK transfers.
A copy of the applicable transfer mechanism is available on request at privacy@lenne.ai.
13 · Changes to this policy
We'll update this policy as the Services evolve. When we make material changes, we'll notify you by email (if you have an account) or by posting a prominent notice on lenne.ai at least 14 days before the change takes effect. The "Last updated" date at the top of this page always reflects the most recent revision.
Continuing to use the Services after a change takes effect means you accept the updated policy. If you don't agree, you can close your account before the effective date.
14 · Contact us
Questions, requests, or concerns about this policy? We're here.
lenne.ai, Inc.
General: hello@lenne.ai
Privacy requests: privacy@lenne.ai
Security reports: security@lenne.ai
Website: lenne.ai
We aim to respond to all privacy-related inquiries within 5 business days and will resolve requests within 30 days (or within the timeframe required by applicable law, whichever is sooner).