Legal
Sign in
Limena Labs LtdScotland

Effective: 2 July 2026

Company No. SC890201 · Registered office: 0/2, 17 Cardon Square, Renfrew, PA4 8BY

Privacy Notice

Limena is operated by Limena Labs Ltd, a company registered in Scotland. This notice explains what personal data we collect when you use Limena, why we collect it, where we store it, and what rights you have over it.

01What we collect

When you create an account or your team adds you to one, we collect your name, email address, and role within your tenant. When your team uses Limena to manage outreach, the contact records, communications, and notes you add are personal data about third parties. Limena stores this on your behalf as a data processor. If you connect a Gmail or Microsoft 365 mailbox, we store an encrypted OAuth refresh token so we can send and receive mail through your account; we do not store your mailbox password.

02How we use it

We use the data to provide the CRM service you signed up for (showing your records, sending outreach you authorise, generating drafts via AI when you opt into the managed AI tier), to send transactional emails (invitations, password resets, demo-request notifications), and to investigate operational issues. We do not sell personal data, share it with advertisers, or use it to train AI models on behalf of third parties.

We rely on the following lawful bases under the UK GDPR: performance of our contract with you to provide the service; our legitimate interests in operating, securing, and improving it and in sending you service messages; and your consent where we specifically ask for it.

03Where we store it

Primary data lives in EU/UK regions: Supabase Postgres in London, Cloudflare R2 (Western Europe), Upstash Redis in eu-west-2, Fly.io machines in London. System email transits Resend (Ireland). The full sub-processor list lives at /security/sub-processors.

Some processing happens outside the UK and EEA: on the managed AI tier we send prompts to Anthropic in the United States, and semantic-search embeddings are generated by OpenAI in the United States. Where personal data is transferred to a country without a UK or EU adequacy decision, we rely on the UK International Data Transfer Addendum to the Standard Contractual Clauses (or the standalone IDTA) as the safeguard, as set out in our Data Processing Addendum.

04Retention

Account data is retained for the lifetime of your account and for 90 days after deletion for backup and dispute-resolution purposes. Encrypted OAuth tokens are revoked and deleted immediately on disconnect.

05Your rights

If you have a UK or EU presence, you have the right to access, correct, delete, or export your personal data, and to object to or restrict our processing of it. Contact hello@limena.io and we will respond within 30 days.

You also have the right to lodge a complaint with a data-protection regulator. In the UK this is the Information Commissioner’s Office (ico.org.uk); in the EU it is your local supervisory authority. We would appreciate the chance to resolve your concern first.

06Changes

If we materially change how we handle data, we will email account owners at least 14 days before the change takes effect.

07Contact

Limena Labs Ltd, hello@limena.io. For data-protection-specific questions, mark the subject “Data protection”.