Lamalama.
PricingDocs
Sign inGet started

Privacy Policy

Effective March 4, 2026

1. Who we are

Lama ("we", "us", "our") is an AI-powered web testing tool operated as a sole proprietorship. Our website is lamaqa.com and you can reach us at hi@lamaqa.com.

2. What we collect

We collect only the data necessary to provide and improve the service:

Account data

  • Name, email address, and a hashed password when you register.
  • Organization name (created automatically with your account).

Usage data

  • AI model used, token counts (input/output/cache), request duration, and computed cost for each AI request.
  • Credit transactions (top-ups, deductions) for billing purposes.

Chrome extension data

  • URLs of pages you test — captured only during active, user-initiated test sessions.
  • Page content — sent to AI models for test analysis and generation.
  • User actions during learning mode — to record test steps.

The extension does not capture data passively. Collection only occurs when you actively start a test session or enable learning mode.

Desktop app data

  • Project files and test code you open in the editor (stored locally on your machine).
  • Conversation history with the AI agent (encrypted and stored locally on your machine).
  • Application logs for debugging (stored locally, never sent to us unless you share them).

Knowledge data

  • When the AI agent learns about your app (page descriptions, workflow steps, navigation patterns), this knowledge is stored encrypted on our servers (AES-256-GCM) so it persists across sessions and devices.
  • Knowledge is scoped to the domain being tested (e.g., your staging or production URL) and is associated with your organization.
  • This does not include your actual code or conversation content — only the structured summaries the agent derives from its observations.

What we do not collect

  • We do not collect sensitive personal data such as biometric, genetic, health, religious, or political information.
  • We do not collect browsing data outside of active test sessions.
  • We do not use tracking pixels, fingerprinting, or any form of cross-site tracking.

3. How data flows

When you run an AI-powered test or chat with the agent, data moves through this pipeline:

→ Chrome Extension (your browser)
  → Desktop App (localhost, your machine)
  → Lama Backend API (authenticated, encrypted in transit)
  → AI Provider

All communication between your machine and our backend uses HTTPS. We do not store the content of your AI conversations on our servers — they are proxied in real-time and only token counts are recorded for billing.

4. AI and your data

We do not use your code, test content, page content, or AI conversations to train any AI models. For a plain-language summary of how your data is handled, see our Data Use page.

When you use Lama, your prompts and page content are sent to third-party AI providers through their commercial APIs. These providers do not train on your data. They may retain inputs briefly (up to 30 days) for safety and abuse monitoring, then automatically delete them. This is standard under commercial API terms.

On our end, your prompts are proxied in real-time and not stored on our servers — only token counts and cost are recorded for billing. We are actively working toward Zero Data Retention (ZDR) agreements with our AI providers, which would eliminate even the temporary safety retention.

This applies equally to all content sent to AI providers during a session: text prompts, file contents read by the agent, and screenshots captured during testing. All of it is sent inline as part of the API request and is subject to the same 30-day temporary retention by the provider, then deleted. None of it is stored on our servers.

In cases of suspected usage policy violations, AI providers may retain inputs and outputs for up to 2 years per their terms. This retention is solely for safety investigation and legal compliance — not for model training or any other purpose.

We do not make automated decisions that produce legal effects or similarly significant effects concerning you.

5. Third-party services

We use the following third-party services to operate Lama:

  • AI providers — process your prompts and page content to generate responses. We use commercial API agreements that prohibit training on your data.
  • Polar — Payment processing and subscription management. Handles credit card data directly; we never see or store your card number.

We do not sell, rent, or share your personal data with any third parties for advertising, marketing, or profiling purposes. We do not engage in cross-context behavioral advertising.

6. Data storage and security

  • Account and usage data is stored in a database hosted in the United States.
  • Passwords are hashed using industry-standard algorithms and never stored in plain text.
  • Authentication uses short-lived access tokens with rotating refresh tokens.
  • Conversation history and knowledge base are encrypted (AES-256-GCM) and stored locally on your machine — not on our servers.
  • All API communication is encrypted in transit (TLS/HTTPS).

We implement commercially reasonable technical and organizational measures to protect your data. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

7. Data retention

  • Account data — retained while your account is active. Deleted upon request.
  • Usage records — retained for billing and analytics purposes. Aggregated, anonymized data may be kept after account deletion.
  • Knowledge data — AI-learned page descriptions and workflow steps are retained on our servers, encrypted at rest, until you delete them or close your account.
  • AI conversations — stored locally on your machine. Not retained on our servers.
  • Extension data — page content and URLs are transmitted in real-time and not stored on our servers after the AI request completes.

We retain personal data only as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.

8. Your rights

You can:

  • Access your account data at any time through the dashboard.
  • Correct inaccurate personal data through your account settings.
  • Export your usage history from the dashboard.
  • Delete your account and all associated data by contacting us at hi@lamaqa.com.
  • Opt out of data collection by the extension by not installing it or disabling it.

For EU/EEA residents (GDPR)

You may also have the right to data portability, the right to restrict or object to processing, and the right to lodge a complaint with a supervisory authority. Our lawful basis for processing is contract performance (providing the Service) and legitimate interest (improving the Service and preventing abuse).

For California residents (CCPA/CPRA)

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. You have the right to know what personal information we collect, request deletion, and opt out of any sale or sharing. To exercise these rights, contact us at hi@lamaqa.com.

9. Cookies

Our website uses only essential cookies required for authentication and session management (e.g., login tokens, staging access). We do not use tracking cookies, analytics cookies, or any third-party advertising cookies.

10. Children

Lama is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child under 18 has provided us with personal data, please contact us and we will delete it.

11. Business transfers

If Lama is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website before your data becomes subject to a different privacy policy.

12. International data transfers

Our servers are located in the United States. If you are accessing the Service from outside the US, your data will be transferred to and processed in the US. By using the Service, you consent to this transfer. We take reasonable steps to ensure your data is treated securely and in accordance with this policy.

13. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through a notice in the application. The "Effective" date at the top of this page indicates when this policy was last updated. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

14. Contact

For questions about this policy, to exercise your privacy rights, or to report a data concern, contact us at hi@lamaqa.com.