Privacy Policy
Effective date: March 4, 2026
Lorika (“we”, “us”, “our”) is committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable data protection legislation. This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have.
1. Data Controller
The data controller for the personal data processed through the Lorika platform is:
Lorika
Email: [email protected]
If you use Lorika on behalf of an organisation to monitor employee or company-owned devices, your organisation is the data controller for that data, and Lorika acts as a data processor under Article 28 of the GDPR.
2. Data We Collect
We collect the following categories of data:
Account data (via Google OAuth):
- Email address
- Display name
- Google profile identifier
Device telemetry data:
- Operating system type and version
- Security configuration (firewall status, disk encryption, screen lock settings, SSH configuration, etc.)
- Installed software and package lists
- Hardware specifications (CPU, RAM, disk capacity and usage)
- Network configuration relevant to security checks
Derived data:
- Security Score (calculated from check results)
- Compliance status per framework (CIS Level 1, NIST 800-53, ISO 27001, SOC 2 Type II, PCI DSS v4.0)
- Device country (derived from IP address via Cloudflare headers; the IP address itself is not stored)
Technical data:
- Authentication session tokens
- Scan timestamps and delta change history
3. Purpose & Legal Basis
We process your data on the following legal bases under Article 6(1) of the GDPR:
Contract performance (Article 6(1)(b)):
- Providing the core Service: enrolling devices, performing security checks, calculating Security Scores, generating compliance reports, and displaying results in the dashboard.
- User authentication and account management.
- Software inventory tracking and vulnerability matching.
Legitimate interest (Article 6(1)(f)):
- Security research: aggregated and anonymised telemetry analysis to improve check accuracy, detect emerging threat patterns, and enhance the Service. We perform a balancing test to ensure our interests do not override your rights and freedoms.
- Infrastructure security and abuse prevention.
- Service performance monitoring and error diagnosis.
4. Data Retention
We retain your data for the duration of your active account. Scan history is retained according to your subscription plan (90 days for free tier; 1 year for paid plans).
Upon account deletion or termination, all personal data and device telemetry associated with your account will be permanently deleted within 30 days, unless retention is required by applicable law (e.g., tax or accounting obligations).
Aggregated, anonymised data that cannot be linked back to an individual may be retained indefinitely for statistical and research purposes.
5. Third-Party Processors
We use the following third-party service providers who process data on our behalf. All processors are bound by data processing agreements in accordance with Article 28 of the GDPR:
- Google OAuth (Google LLC) — Authentication provider. Processes your Google profile data (email, name) during sign-in. Google’s privacy policy applies to their handling of your Google account data.
- Hetzner Cloud (Hetzner Online GmbH, Germany) — Infrastructure hosting. All Lorika backend servers, databases, and application data are hosted in Hetzner data centres located in Germany, EU.
- Cloudflare (Cloudflare, Inc.) — CDN, DDoS protection, and DNS proxy. Cloudflare processes network traffic to protect the Service from attacks and improve delivery performance.
6. International Data Transfers
Your data is primarily processed and stored within the European Union (Hetzner data centres in Germany). We do not intentionally transfer personal data outside the EU/EEA.
Cloudflare operates a global network, which means some network-level traffic data may be transiently processed at edge nodes outside the EU. Cloudflare maintains appropriate safeguards, including Standard Contractual Clauses (SCCs) and adherence to the EU-U.S. Data Privacy Framework, to ensure adequate protection of any data transiting through non-EU locations.
Google OAuth interactions involve Google’s global infrastructure. Google participates in the EU-U.S. Data Privacy Framework and maintains SCCs for international transfers.
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15) — You may request a copy of all personal data we hold about you.
- Right to rectification (Article 16) — You may request correction of inaccurate or incomplete personal data.
- Right to erasure (Article 17) — You may request deletion of your personal data (“right to be forgotten”). Upon request, we will delete your account and all associated data within 30 days.
- Right to data portability (Article 20) — You may request your data in a structured, commonly used, machine-readable format.
- Right to object (Article 21) — You may object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to restrict processing (Article 18) — You may request restriction of processing in certain circumstances.
- Right to lodge a complaint — You have the right to lodge a complaint with a supervisory authority. If you are in the EU, you may contact your local Data Protection Authority (DPA). The lead supervisory authority for Lorika is the Office of the Commissioner for Personal Data Protection in Cyprus.
To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days.
8. Cookies & Local Storage
Lorika uses minimal cookies. We do not use advertising cookies, analytics trackers, or third-party tracking scripts.
- Authentication session token — A strictly necessary cookie used to maintain your authenticated session. This cookie is essential for the Service to function and does not require consent under Article 5(3) of the ePrivacy Directive.
We do not use Google Analytics, Facebook Pixel, or any similar tracking technology on the Lorika platform.
9. Children’s Privacy
The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at [email protected].
10. Security Measures
We implement appropriate technical and organisational measures to protect your data, including:
- HMAC-SHA256 signed telemetry payloads to prevent tampering.
- JWT token rotation with version tracking; idle timeout after 30 minutes of inactivity.
- All connections encrypted via TLS 1.2+ (enforced by Cloudflare).
- Device tokens stored as SHA-256 hashes; enrolment tokens are single-use and expire in 24 hours.
- Infrastructure hosted behind Cloudflare proxy with DDoS protection.
- No secrets stored in source code; all credentials managed via environment variables.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by email or through the Service dashboard at least 30 days before the revised policy takes effect. The “Effective date” at the top of this page indicates when the policy was last updated.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes.
12. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us at:
Lorika
Email: [email protected]