Privacy Policy

1. Who we are

Locustra ("Locustra", "we", "us", "our") is a software-as-a-service platform operated by:

Locustra OÜ is the data controller for personal data processed about visitors to our website and individual end users of the Locustra platform. Where Locustra processes personal data on behalf of a customer organisation ("Customer") as part of providing the platform, Locustra acts as a data processor and the Customer is the data controller.

2. Scope

This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and what rights you have. It applies to:

• our website at https://locustra.ai,
• the Locustra web application,
• any related APIs, services, and communications.

3. Data we collect

3.1 Account data

When you sign up or are invited to a Locustra workspace we collect: your name, email address, password (stored as a hash), language preference, role within the workspace, and login activity (timestamps, IP address).

3.2 Customer / business data

The Locustra platform is designed for managing sales orders, quotes, production, planning, customers, suppliers, and related business operations. We process the data your organisation enters into the platform, which may include customer contact details, addresses, pricing, documents, and other business records. This data is processed on behalf of your organisation.

3.3 Email integration data

If you connect your Outlook (Microsoft) or Gmail (Google) account to send documents from Locustra, we store, in encrypted form:

• OAuth refresh and access tokens issued by Microsoft or Google,
• the email address of the connected mailbox,
• the date the connection was made or refreshed.

We do not read, store, or index the contents of your inbox, sent folder, drafts, or any other mail in your account. The OAuth scopes we request are limited to those required to send mail on your behalf (Mail.Send for Microsoft; gmail.send for Google), plus basic profile scopes used to display the connected mailbox address.

If instead you configure SMTP credentials, we store the SMTP host, port, username, "from" address and display name in plaintext, and the SMTP password encrypted with AES-256-GCM in a separate credentials table.

3.4 Usage data

We collect logs about how the platform is used, including page views, API calls, errors, and device / browser information. This is used for service operation, security, and product improvement.

3.5 Cookies

We use strictly necessary cookies for authentication and session management. We do not use advertising cookies. See section 11 for details.

4. How we use your data

We process personal data for the following purposes and on the following legal bases (GDPR Art. 6):

5. Limited Use disclosure (Google API Services & Microsoft Graph)

Locustra's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Locustra's use of information received from Microsoft Graph adheres to Microsoft's equivalent policies.

Specifically, for data accessed through your connected Google or Microsoft mailbox:

1. We only use the access granted to send emails that you initiate from inside the Locustra platform (for example, sending a quote PDF to a customer).
2. We do not use this data to develop, improve, or train generalised AI or machine-learning models.
3. We do not transfer this data to third parties except where necessary to provide the user-facing feature you initiated, to comply with applicable law, or as part of a merger, acquisition, or sale of assets (with the same protections in place).
4. We do not allow humans to read this data, except: with your explicit consent for support purposes, when necessary for security investigations, when required by law, or when the data has been aggregated and anonymised.
5. We do not use this data, or any data derived from it, for advertising purposes.

You can disconnect your Google or Microsoft account at any time from Settings → Email. Doing so deletes the stored OAuth tokens immediately. You can also revoke access at myaccount.google.com/permissions or account.microsoft.com.

6. Sharing and sub-processors

We do not sell personal data. We share data only with:

• Sub-processors that help us run the platform, under written data processing agreements:
  • Amazon Web Services EMEA SARL (Ireland) — cloud hosting and document storage (S3), region: EU (Ireland).
  • Microsoft Corporation — Microsoft Graph API for sending emails when the user connects their Outlook account.
  • Google LLC — Gmail API for sending emails when the user connects their Google account.
  • Anthropic PBC and OpenAI L.L.C. — large-language-model APIs used by optional in-app AI features. Customer business data is only sent to these providers when a user actively uses the AI feature, and only the minimum necessary content is sent.
• Authorities, regulators, or other third parties when required by law, court order, or to protect our rights.
• Acquirers in the event of a merger, acquisition, or sale of all or part of our business (with the same protections in place).

A current list of sub-processors is available on request from support@locustra.ai.

7. International transfers

Locustra primarily processes data within the European Union. Where data is transferred to a country outside the EEA (for example to Anthropic, OpenAI, Google, or Microsoft entities in the United States), we rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU-U.S. Data Privacy Framework, as the legal mechanism for the transfer.

8. Storage and security

• Passwords are stored as bcrypt hashes; we never see them in plaintext.
• SMTP passwords and OAuth tokens are stored in a separate credentials table, encrypted at the application layer with AES-256-GCM. Encryption keys are stored separately from the database.
• All traffic between your browser and Locustra is encrypted with TLS.
• Database backups are encrypted at rest.
• Access to production systems is restricted to a limited number of Locustra personnel and protected by multi-factor authentication.

9. Data retention

• Account data: kept while your account is active, plus up to 90 days after deletion (for backup rotation).
• Business / Customer data: kept according to the Customer's instructions and our agreement with the Customer. After contract termination, data is deleted or returned within 30 days unless EU or Estonian law requires longer retention (e.g. accounting records — 7 years under the Estonian Accounting Act).
• OAuth tokens: deleted immediately when you disconnect the integration or delete your account.
• Logs: typically 90 days, longer for security-relevant events.

10. Your rights (GDPR)

If you are in the EEA, UK, or Switzerland, you have the right to:

• access the personal data we hold about you;
• request correction of inaccurate data;
• request deletion ("right to be forgotten");
• request restriction of processing;
• request portability of data you provided;
• object to processing based on legitimate interests;
• withdraw consent at any time, where processing is based on consent;
• lodge a complaint with a supervisory authority. In Estonia this is the Estonian Data Protection Inspectorate (aki.ee, info@aki.ee).

To exercise any of these rights, email support@locustra.ai. We will respond within 30 days.

If your personal data is processed by Locustra on behalf of a Customer (for example, you are a contact in a Customer's CRM), please contact that Customer directly. We will assist them in fulfilling your request.

11. Cookies

We use only the cookies necessary to provide the service:

We do not use third-party advertising or tracking cookies. We do not use Google Analytics or similar third-party analytics.

12. Children

Locustra is a business tool and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact support@locustra.ai.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised version on this page and update the "Last updated" date. If changes are material, we will notify you by email or in-app notice.

14. Contact

For privacy questions, requests, or complaints: