Privacy Policy

Lemorange Ltd ("Lemorange", "we", "us", or "our") is a company registered in Cyprus, based in Nicosia. We operate the website at lemorange.com, the client portal, the LemDesk remote desktop service, and related services (collectively, the "Services").

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Services. We act as the data controller for all personal data processed through our Services.

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use our Services.

2.1 Information You Provide

• Account Registration: Name, email address, phone number, and password when you create an account or accept a team invitation.
• Contact Form: Name, email, company name, phone number, project type, budget range, timeline, technical requirements, and any additional details you choose to provide.
• Portal Usage: Support tickets, project files, documents (including collaborative editing content), chat messages, and any attachments or files you upload.
• Payment Information: When you pay invoices, your payment card details are collected and processed directly by Stripe. We do not store your full card number on our servers. We receive only a confirmation of payment, partial card details, and transaction identifiers from Stripe.
• Team Management: Names, email addresses, and assigned roles of team members you invite to your company account.
• Video Content: Videos uploaded by administrators for client viewing, including titles, descriptions, and associated metadata.
• Company Information: Company name, email, logo, and other organisational details provided during account setup or in your settings.

2.2 LemDesk Remote Desktop Data

• Device Registration: Device ID, hostname, operating system, and last seen timestamp for devices registered with the LemDesk service.
• Connection Data: Session metadata including connection timestamps, connection duration, and relay server usage. Screen content, keyboard input, and clipboard data transmitted during active remote sessions are streamed in real time and are not stored on our servers.
• Authentication: SSO tokens and session data used to authenticate your LemDesk connections via your Lemorange account.

2.3 Automatically Collected Data

• Authentication Tokens: Encrypted JSON Web Tokens stored in secure, HTTP only cookies to maintain your session.
• Preferences: Dark mode setting and sidebar state stored locally on your device.
• Push Notification Subscriptions: If you opt in to browser notifications, we store the subscription endpoint and associated cryptographic keys.
• Analytics Data: Through Google Analytics, we collect anonymised information about how you use our website, including pages visited, session duration, referral source, approximate geographic location (city level), device type, and browser. IP addresses are anonymised before processing.
• Login Activity: Timestamps of your last login and rate limiting data (IP address combined with email) to protect against brute force attacks. Rate limiting data is ephemeral and not permanently stored.

We process your personal data for the following purposes:

• Service Delivery: To provide, operate, and maintain the client portal, project management, document collaboration, support ticketing, invoicing, chat, video sharing, and LemDesk remote desktop services.
• Communication: To respond to your enquiries, send support updates, invoice notifications, payment confirmations, ticket replies, and team invitations via email.
• Payment Processing: To facilitate invoice payments through Stripe, including processing card fees and tracking payment status.
• Security: To authenticate users, enforce access controls, detect and prevent fraudulent or unauthorised access, and apply rate limiting.
• Administration: To manage user accounts, company assignments, team roles, and permissions.
• Support: Our administrators may access your account or use an impersonation feature to troubleshoot issues on your behalf. This is done solely to provide technical support and resolve reported problems.
• CRM Synchronisation: To synchronise company and contact information with our internal business systems for record keeping and client management.
• Content Assistance: We may use AI services to assist with content rewriting or drafting within the platform, only when explicitly triggered by an authorised user.

We process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):

• Performance of a Contract: Processing necessary to deliver the services you or your organisation have engaged us to provide, including account management, project delivery, invoicing, and support.
• Legitimate Interest: Processing necessary for our legitimate business interests, such as security monitoring, fraud prevention, service improvement, and internal administration, provided these interests do not override your fundamental rights and freedoms.
• Consent: Where you have provided explicit consent, such as opting in to push notifications or submitting a contact form. You may withdraw consent at any time.
• Legal Obligation: Where processing is required to comply with applicable law, regulation, or legal process.

We share data with the following third party service providers, strictly to the extent necessary for service delivery:

We do not sell, rent, or trade your personal data to any third party. We do not use third party advertising or remarketing services.

We implement appropriate technical and organisational measures to protect your data, including:

• Passwords are hashed using bcrypt with a high cost factor and are never stored in plain text.
• Authentication tokens are stored in HTTP only, secure cookies with strict same site policies to prevent cross site attacks.
• All connections to our services are encrypted using TLS in production environments.
• Login attempts are rate limited to prevent brute force attacks.
• Role based access controls restrict data visibility to authorised users only.
• LemDesk connections are encrypted end to end, and relay infrastructure is self hosted on our own servers.
• File uploads are validated for type and size before acceptance.
• OAuth authorisation codes are single use and expire within 60 seconds.

Despite our best efforts, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security of your data.

Lemorange operates from offices in Cyprus (EU), the United Kingdom, and China. Your personal data may be accessed by authorised personnel in any of these locations for the purposes described in this policy.

Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including standard contractual clauses, adequacy decisions, or other legally recognised transfer mechanisms as required by GDPR.

Third party service providers (Stripe, Anthropic) may process data in jurisdictions outside the EEA. Each provider maintains its own data protection commitments and transfer mechanisms.

• Account Data: Retained for the duration of your account and for a reasonable period thereafter to fulfil legal and contractual obligations.
• Project and Support Data: Tickets, documents, project files, and related content are retained for the duration of the client relationship and for up to 7 years after termination for record keeping and legal compliance.
• Invoices and Payment Records: Retained for a minimum of 7 years as required by applicable tax and accounting regulations.
• Chat Messages: Retained for the duration of the client relationship. Messages may be deleted upon account termination at our discretion.
• Contact Form Submissions: Retained for up to 2 years from the date of submission, unless a business relationship is established.
• LemDesk Device Data: Device registrations are retained while the device remains associated with your account. Connection metadata is retained for up to 12 months.
• Email Logs: Records of transactional emails sent are retained for up to 2 years for delivery tracking and dispute resolution.

Under the GDPR and applicable data protection legislation, you have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete personal data. You can update your name, email, and phone number directly in your portal settings.
• Erasure: Request deletion of your personal data, subject to our legal retention obligations.
• Restriction: Request that we restrict processing of your data in certain circumstances.
• Portability: Request your data in a structured, commonly used, machine readable format.
• Objection: Object to processing based on legitimate interests.
• Withdraw Consent: Where processing is based on consent (such as push notifications), you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at support@lemorange.com. We will respond within 30 days of receiving your request.

You also have the right to lodge a complaint with the Commissioner for Personal Data Protection in Cyprus or the relevant supervisory authority in your jurisdiction.

Our Services are designed for business use and are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will take steps to delete it promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page. Your continued use of our Services after any changes constitutes acceptance of the updated policy.

If you have any questions about this Privacy Policy or our data practices, please contact us: