How Lorkon handles your information.

1. Overview

This Privacy Policy explains how Lorkon AI Inc. (“Lorkon”, “we”, “us”, “our”) collects, uses, stores, discloses, and protects information when you visit or use lorkon.ai, app.lorkon.ai, any subdomain we operate, any Lorkon mobile or web application, any API we expose, any email we send you, or any purchase of a Lorkon plan (collectively, the “Services”).

We wrote this Policy to be readable by humans. If a term looks technical (CCPA, CPRA, CDPA, GPC, sub-processor) we define it the first time we use it. If you have a question after reading, write to hello@lorkon.ai and a real person will answer.

2. Who we are

Lorkon AI Inc. is a Florida-based privacy-technology company. We operate the Services under the Lorkon brand and act as the data controller for the information described in this Policy. Our primary operations address and mailing address, along with the contact email for every privacy matter, are in Section 28 (Contact).

Where Lorkon acts as a service provider (under the CCPA) or a processor (under the GDPR, CPA, VCDPA, TDPSA, CTDPA, UCPA, or similar laws) on behalf of a business customer rather than as a data controller, a separate Data Processing Addendum (“DPA”) governs that relationship and supersedes any inconsistent part of this Policy with respect to the data processed under the DPA.

3. Scope and the Services we offer

Our Services currently include, without limitation:

Personal Data Removal

We scan data brokers, people-search sites, open-web search indexes, and breach databases for your phone number, name, email address, and other identifiers you submit. On paid plans we submit removal and opt-out requests to those brokers on your behalf as your authorized agent under state privacy laws, monitor for reappearance, and re-submit as needed. We do not contact government agencies or remove public records.

LLC Privacy Protection

We scan Secretary of State filings, business registries, and related directories for a business you own. On paid plans we help you form, restructure, or amend your entity to limit the personal information in the public record, appoint a privacy-structured registered agent, and submit correction or redaction requests where permitted by state law.

Free exposure scan

The one-time scan available on the marketing site, at lorkon.ai/remove and lorkon.ai/business, that runs a real-time check against brokers and breach databases and returns a report gated behind an email address you provide.

Reports, dashboards, and related tools

Including the in-app exposure dashboard, periodic report emails, the AI spam probability score, the broker fact extraction, the dark-web monitor, and the customer portal for managing your subscription.

Features, broker coverage, scan cadence, and support levels of each paid plan are described at checkout and may change over time as described in Section 27 and in our Terms of Service.

4. Information we collect

4.1 Information you provide

• Identity and contact information: name, email address, phone number, city and state of residence, optional mailing address, optional date of birth when needed for identity-verification by a broker.
• Business information (LLC Privacy Protection): entity name, entity type, state of formation, document or filing number, registered agent details, officer, member, or manager names and addresses, and related public-record fields.
• Authorization and identity-verification records: the electronic signature, affirmation, IP address, and timestamp you provide when appointing Lorkon as your authorized agent under applicable state privacy laws, together with any government-issued identification we need to verify you on your request or to satisfy a broker’s verification requirement.
• Payment information: handled by Stripe. Lorkon receives the last four digits of your card, brand, billing zip, subscription status, and charge metadata. We do not receive or store the full card number, expiration, or CVV.
• Family-plan additions: when you add family members to your plan, the identifiers of those members and your representation that you are authorized to act on their behalf.
• Communications and support content: the content of messages you send us by email, in-app forms, or any other support channel, including any files you attach.
• Preferences: notification, marketing, and accessibility preferences you set in your account or by responding to an email.

4.2 Information collected automatically

• Device and log data: IP address, user-agent string, referrer, timestamps, pages visited, actions taken, approximate location derived from IP, and session identifiers.
• Cookies, pixels, and similar technologies: first-party session cookies required for authentication, performance and analytics cookies, and advertising cookies as described in Section 22.
• Error and performance telemetry: via Sentry, which may capture stack traces and sanitized request metadata (no message bodies, secrets, or payment data).
• Rate-limit, anti-fraud, and abuse signals: counters and fingerprints used to protect the Services from credential stuffing, scraping, and abuse.

4.3 Information collected on your behalf from third parties

• Results returned by third-party data brokers, people-search sites, and public records when we perform a reverse-phone, reverse-email, or name lookup you authorized.
• Breach-database results from providers such as LeakCheck, limited to records that contain identifiers you submitted.
• Open-web search results returned by Firecrawl when we cross-reference your identifiers against indexed pages.
• Public filings retrieved from Secretary of State or similar state business registries for your LLC scan, via Firecrawl, Cobalt Intelligence, or direct APIs.

5. Categories of personal information (CPRA format)

For California residents, the following categories of personal information have been collected in the prior 12 months:

“No” means Lorkon does not sell personal information for money and does not share it for cross-context behavioral advertising as those terms are defined by the CCPA and CPRA. Disclosures to service providers and to covered businesses on your authorized agent request are not a sale or share.

6. Sources of information

• Directly from you: when you submit a scan request, create an account, check out, reply to an email, or message support.
• From your device: via cookies, browser headers, and server logs.
• From our processors: Stripe (billing), Resend (email delivery metadata), Supabase (authentication events), Sentry (error traces).
• From public sources and third-party look-ups performed on your behalf: data broker pages, state business filings, open-web search engines, and breach corpora.
• From your authorized-agent requests: responses, verification emails, and confirmations we receive from covered businesses after we submit a request on your behalf.

7. How we use information

• Deliver the scan, remediation, monitoring, reporting, and support features of the Services.
• Prepare, sign, and transmit data-deletion, opt-out, correction, and data-access requests to covered businesses as your authorized agent.
• Verify that deletions were honored, re-submit or escalate requests, and maintain an audit trail of each request and response.
• Compute scan signals such as the AI spam probability score, the exposure breakdown, and the per-broker fact summaries shown in your report.
• Process payments, bill subscriptions, handle refunds, and prevent fraud.
• Send transactional communications (scan reports, renewal notices, receipts, service notices) and, with your consent or where legally permitted, marketing communications about the Services.
• Measure, debug, and improve the Services; secure our infrastructure; and defend against abuse.
• Comply with legal obligations, respond to lawful requests, enforce our Terms, establish or defend legal claims, and protect the rights, safety, and property of Lorkon, our users, and the public.

8. Business and commercial purposes

For each category of personal information described in Section 5, Lorkon uses it for one or more of the following business or commercial purposes, as defined by the CPRA:

• Auditing related to a current interaction with you and concurrent transactions.
• Short-term, transient use of personal information, including non-personalized advertising shown as part of your interaction with us.
• Helping to ensure security and integrity.
• Debugging to identify and repair errors that impair existing intended functionality.
• Performing services on behalf of you, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, or providing similar services on behalf of you.
• Providing advertising and marketing services, except for cross-context behavioral advertising.
• Undertaking internal research for technological development and demonstration.
• Undertaking activities to verify or maintain the quality or safety of a service that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service that is owned, manufactured, manufactured for, or controlled by us.

9. Authorized-agent processing

When you purchase a paid Lorkon plan, or when you submit a removal request through the free scan, you appoint Lorkon as your authorized agent under the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), the Virginia Consumer Data Protection Act (VCDPA), the Texas Data Privacy and Security Act (TDPSA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), and similar state privacy laws where applicable.

In that capacity, Lorkon may disclose to a covered business only the information reasonably necessary to (a) identify you, (b) verify your identity, and (c) submit and follow through on the request. Typical disclosures include your name, phone number, email address, state of residence, and our authorization signature. Lorkon does not disclose more than is required and does not authorize the covered business to retain your information for any purpose other than completing the request.

If a covered business asks for additional information Lorkon considers unreasonable or unsafe to share, we will decline that broker’s demand, flag the record in your dashboard, and, where possible, escalate the request through a statutory channel (for example, certified mail, state Attorney General complaint, or a written notice citing the applicable statute).

You may revoke the authorized-agent appointment at any time by cancelling your subscription or emailing hello@lorkon.ai. Revocation is prospective and does not undo requests already submitted.

10. Automated decision-making and the AI spam score

Lorkon computes an AI spam probability score (0 to 98) and related risk indicators from the signals returned by your scan. That score is a prediction about how likely your number is to be targeted by AI-generated spam, phishing, or scam calls in the next 90 days. It is not a decision about a legal right, credit eligibility, employment, insurance, housing, or any other purpose regulated by the Fair Credit Reporting Act.

The score is calibrated over a baseline (35 for any U.S. number) and adjusted by weighted contributions from: the number of broker sites we verified live, the count of open-web pages that surface your number, the number of breaches where you appear, whether the breach exposed an email or home address alongside the phone, the breach recency, and how widely your exposed email surfaces on the open web.

The report page includes a “How this is calculated” disclosure listing every weight that fired for your scan, so the score is auditable. You may request an explanation of your specific score by emailing hello@lorkon.ai. Where state law gives you a right to opt out of profiling that produces legal or similarly significant effects (for example, Colorado and Virginia), Lorkon’s scoring does not meet that threshold, but you may still email us to have the score suppressed from your account.

11. How we share information

11.1 With data brokers and covered businesses on your behalf

We share only the minimum information required to execute removals, opt-outs, verifications, and appeals you have authorized. If a broker or agency demands additional information, we will decline the request and flag it in your dashboard rather than oversharing.

11.2 With service providers (sub-processors)

We use vendors that act as processors on our behalf under written contracts that restrict their use of your information to providing services to Lorkon. The current list is in Section 12.

11.3 For legal, regulatory, and safety reasons

We may disclose information when we believe in good faith that disclosure is required or advisable to (a) comply with a law, subpoena, court order, or other legal process, (b) respond to a verified request from a government or regulator, (c) protect the rights, property, or safety of Lorkon, our users, or the public, or (d) investigate or prevent fraud or a security incident.

11.4 With your consent

We may share information for any other purpose with your express consent, which you can withdraw at any time.

11.5 Business transfers

See Section 26.

11.6 We do not sell or share for cross-context behavioral advertising

Lorkon does not sell your personal information for money, does not rent or exchange it with advertisers, and does not share it for cross-context behavioral advertising, as those terms are defined by the CCPA, CPRA, and similar state laws.

12. Sub-processors

The following sub-processors may process personal information on Lorkon’s behalf. We contractually require each to implement appropriate safeguards and to use personal information only for the purposes we authorize.

The list above is current as of the effective date of this Policy. We will update it here when we add, remove, or replace a sub-processor, and for significant changes we will announce the change by email or in-product notice at least 14 days before the new sub-processor begins processing.

13. Data retention schedule

We retain information only for as long as we need it for the purposes in Section 7 or as required by law. Typical windows:

You may request earlier deletion at any time under Section 15. We will honor the request unless a legal, billing, or authorized-agent audit obligation requires us to keep specific records longer, in which case we will tell you which records we are keeping and why, and delete the rest.

14. Security

Lorkon applies administrative, technical, and organizational safeguards designed to protect personal information, including:

• TLS 1.2 or higher for data in transit between your browser and our servers, and between our servers and sub-processors.
• AES-256 encryption at rest for supported storage backends.
• Least-privilege access controls, role-based permissions, and per-environment secret isolation.
• Audit logging for administrative actions, payment events, and authorized-agent request submissions.
• Multi-factor authentication on administrative tools.
• Dependency and infrastructure monitoring with automatic patching for known vulnerabilities.
• Rate limiting, bot detection, and anti-abuse measures.
• Periodic internal reviews of access logs and security posture.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we learn of a security incident affecting your information, we will notify you promptly, in the manner and on the timeline required by applicable law.

15. Your privacy rights

Depending on where you live and applicable law, you may have the right to:

• Access or confirm what personal information we hold about you.
• Correct inaccurate personal information.
• Delete personal information, subject to the legal and contractual exceptions described below.
• Obtain a portable copy of information you provided.
• Opt out of sale or sharing for cross-context behavioral advertising. As noted above, Lorkon does not engage in either.
• Limit the use of sensitive personal information to purposes necessary to deliver the Services.
• Opt out of profiling that produces legal or similarly significant effects, where applicable.
• Withdraw consent where processing is based on consent.
• Appeal a denial of your request, as required in some states.
• Be free from retaliation or discrimination for exercising any of these rights.

How to submit a privacy rights request

Email hello@lorkon.ai from the address associated with your account. Include the specific right you want to exercise and the identifier you want the request to apply to (phone, email, business entity).

Verification

We may need to verify your identity before acting on a request. Typical verification methods include confirming account ownership by email challenge, matching the identifier in the request to an existing scan, or, for particularly sensitive requests, a signed declaration. We do not request more verification information than is reasonably necessary.

Timing

We acknowledge most requests within 10 days and respond substantively within 45 days. Where law allows, we may extend once by an additional 45 days; if so, we will notify you within the initial period and explain why.

Authorized agents

You may designate an authorized agent to submit requests on your behalf. We will require written proof of the agent’s authority and may contact you to verify the request.

Appeals

If we deny a request in whole or in part, you may appeal by replying to our response within 45 days. We will complete appeals within 60 days and, if the appeal is denied, let you know how to contact the relevant state Attorney General.

16. California-specific disclosures

Shine the Light

California Civil Code § 1798.83 permits California residents to request certain information about Lorkon’s disclosure of personal information to third parties for their direct marketing purposes. Lorkon does not make those disclosures.

Notice at collection

The categories of personal information we collect are listed in Section 5. Our business and commercial purposes are listed in Section 8. Retention periods are in Section 13. We do not sell personal information and we do not share it for cross-context behavioral advertising.

Sensitive personal information

We do not use or disclose sensitive personal information for purposes that require you to be given a right to limit that use under Section 7027 of the CCPA regulations.

Minors

Lorkon does not knowingly sell or share the personal information of consumers under 16 years of age, and the Services are not directed at minors.

17. Colorado, Virginia, Texas, Connecticut, Utah, and other state rights

Residents of states with comprehensive consumer privacy laws have rights similar to California’s. You may exercise them by emailing hello@lorkon.ai. Specifically:

• Colorado (CPA): access, correction, deletion, portability, opt-out of sale, opt-out of targeted advertising, opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects, appeal.
• Virginia (VCDPA): access, correction, deletion, portability, opt-out of sale, opt-out of targeted advertising, opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects, appeal.
• Texas (TDPSA): access, correction, deletion, portability, opt-out of sale, opt-out of targeted advertising, opt-out of profiling, appeal.
• Connecticut (CTDPA): access, correction, deletion, portability, opt-out of sale, opt-out of targeted advertising, opt-out of profiling, appeal.
• Utah (UCPA): access, deletion, portability, opt-out of sale, opt-out of targeted advertising.
• Other states: we honor similar rights where applicable law grants them.

Lorkon does not engage in sale or targeted advertising as those terms are defined by those laws, and our profiling (the AI spam score) does not produce legal or similarly significant effects.

18. Nevada opt-out

Nevada residents may direct Lorkon not to sell their covered personal information under Nevada Revised Statutes Chapter 603A, even though Lorkon does not sell personal information. To submit an opt-out under Nevada law, email hello@lorkon.ai with the subject line “Nevada opt-out”.

19. European Economic Area, United Kingdom, and Switzerland

If you are in the EEA, the UK, or Switzerland, you have rights under the GDPR or UK GDPR, including access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with your supervisory authority. We rely on one or more of the following legal bases to process your personal information: performance of a contract with you, your consent, our legitimate interests in running, protecting, and improving the Services, and our need to comply with legal obligations.

Lorkon is based in the United States. When personal information is transferred out of the EEA, UK, or Switzerland to Lorkon or our sub-processors, we rely on the European Commission’s Standard Contractual Clauses (or the UK International Data Transfer Addendum, where applicable), supplemented by technical and organizational measures appropriate to the transfer.

If you would like a copy of the transfer mechanisms applicable to your data, email hello@lorkon.ai.

20. Illinois BIPA disclosure

Lorkon does not collect, capture, purchase, receive through trade, or otherwise obtain biometric identifiers or biometric information as defined by the Illinois Biometric Information Privacy Act (BIPA). We do not use fingerprints, voiceprints, retina or iris scans, scans of hand or face geometry, or other similar identifiers.

21. Do Not Track and Global Privacy Control

The internet has no universal standard for Do Not Track (DNT) browser signals, so Lorkon does not respond to generic DNT signals. Lorkon honors the Global Privacy Control (GPC) as a valid opt-out of sale or sharing for visitors from jurisdictions that recognize GPC.

22. Cookies, pixels, and analytics

We use the following categories of cookies and similar technologies:

You can control cookies through your browser settings. You can opt out of Google Analytics via the Google Analytics opt-out browser add-on, and opt out of personalized Google ads at adssettings.google.com. Disabling strictly-necessary cookies will prevent parts of the Services from working.

23. Children

The Services are intended for users 18 years or older. We do not knowingly collect personal information from children under 13 (or under 16 where local law applies). If you are a parent or guardian and believe a child has provided us with personal information, contact hello@lorkon.ai and we will delete it.

24. Not a Consumer Reporting Agency

Lorkon is not a Consumer Reporting Agency as defined by the Fair Credit Reporting Act (FCRA), and information in your scan report is not a “consumer report”. The Services may not be used, and you agree not to use them, for any purpose regulated by the FCRA, including employment screening, credit eligibility, tenant screening, or insurance underwriting.

25. Third-party links

The Services may link to third-party sites (for example, broker sites and search results we surface in your exposure report). Those sites are governed by their own privacy notices, and Lorkon is not responsible for their practices. We recommend you read their notices before providing information to them.

26. Business transfers

If Lorkon is acquired, merges with another entity, transfers substantially all of its assets, or goes through a reorganization or bankruptcy, your information may be transferred as part of that transaction, subject to standard confidentiality protections. The acquirer will be bound to honor this Policy or provide notice of any material change. We will notify affected users by email or in-product notice.

27. Changes to this policy

We may update this Policy to reflect changes in law or our practices. We will revise the “Last updated” date at the top, keep the prior version available on request, and announce material changes by email to the address associated with your account or by a prominent notice on the Services at least seven days before they take effect. Your continued use of the Services after the effective date constitutes acceptance of the revised Policy.

28. Contact

For privacy questions, data-subject requests, authorized-agent revocations, or anything else described in this Policy:

Lorkon AI Inc.
Email: hello@lorkon.ai
Web: lorkon.ai/contact

When contacting us about a privacy matter, please use the subject line “Privacy request” so your message is routed correctly. A real person will respond.