1. Introduction and Scope
LOB, LLC (“LOB,” “we,” “us,” or “our”) is committed to protecting personal data in accordance with applicable global data protection laws. This Privacy Policy explains how we collect, use, disclose, store, and safeguard personal data in connection with our website, platforms, and services. We do not sell personal data. We do not use Customer Data to train AI models without explicit written consent. We implement appropriate technical and organizational safeguards to protect personal data.
This Privacy Policy applies to www.lob.group and all related products and services, including LOB Veridux, LOB Unavita, LOB Fidenum, LOB Fons, and S.T.E.W.A.R.D. (collectively, the “Platforms” and “Services”). It applies to website visitors, registered users, enterprise customers, beneficiaries processed through authorized deployments, job applicants, contractors, and other individuals whose personal data we process.
This Policy does not apply to third-party services not operated or controlled by LOB.
2. Data Controller and Processor Roles
LOB, LLC is a Delaware limited liability company headquartered in the United States.
Primary Contact: privacy@lob.group
For general website operations, LOB acts as Data Controller. For enterprise Platform deployments, the applicable enterprise customer may act as Data Controller and LOB acts as Data Processor pursuant to a Data Processing Agreement (DPA).
If required under Article 27 GDPR or UK GDPR, LOB will appoint an EU/UK Representative and publicly list contact details.
3. Categories of Personal Data Collected
We may collect the following categories of personal data:
- Identity Data – name, title, username, organization affiliation.
- Contact Data – email address, telephone number, mailing address.
- Professional Data – job title, employer, industry.
- Account Credentials – usernames and encrypted passwords.
- Billing and Transaction Data – billing address, payment status (processed via PCI-compliant vendors).
- Communications – customer support requests, survey responses, feedback.
- Technical Data – IP address, browser type, device identifiers, operating system.
- Usage Data – pages visited, session duration, clickstream data, feature interactions.
- Customer Data – data submitted by enterprise customers for processing.
- Sensitive Personal Data – where authorized (see Section 15).
4. Methods of Collection
Personal data may be collected through:
- Direct submissions via forms or account registration;
- Enterprise customer uploads and API integrations;
- Automated technologies, including cookies and server logs;
- Public sources where legally permitted;
- Third-party integration partners where authorized.
5. Legal Bases for Processing (EEA/UK)
For individuals located in the European Economic Area or the United Kingdom, we process personal data under one or more of the following bases:
- Contractual Necessity;
- Legal Obligation;
- Legitimate Interests;
- Consent;
- Vital Interests;
- Public Task.
Where processing is based on legitimate interests, individuals may object. Where based on consent, consent may be withdrawn at any time.
6. Purposes of Processing
We use personal data to:
- Provide and maintain Services;
- Authenticate users and manage accounts;
- Process payments and administer billing;
- Enable AI-powered functionality;
- Conduct analytics and improve Services;
- Ensure security and prevent fraud;
- Comply with legal obligations;
- Conduct research using de-identified data;
- Support humanitarian or institutional programs where authorized.
7. AI Processing and Third-Party AI Providers
Our Platforms integrate third-party large language model (LLM) providers to generate Outputs based on user Inputs.
LOB requires such providers to:
- Process data solely to generate requested Outputs;
- Not use Inputs/Outputs for model training where zero-retention APIs are available;
- Maintain contractual data protection safeguards;
- Implement appropriate security measures;
- Comply with applicable law.
We do not operate our own foundational AI models. We do not use Customer Data to train AI models without explicit written consent.
9. International Data Transfers
LOB operates on a global basis and utilizes distributed infrastructure and authorized service providers to deliver the Services. Personal data may be collected, accessed, stored, and processed in the United States and in other jurisdictions where LOB or its authorized subprocessors maintain operations. These jurisdictions may have data protection laws that differ from, and in some cases may be less protective than, those of your country of residence.
Where personal data is transferred from the European Economic Area (EEA), the United Kingdom, or other jurisdictions that impose cross-border transfer restrictions to countries not recognized as providing an adequate level of data protection, LOB implements appropriate safeguards in accordance with applicable law. Such safeguards may include the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), or other legally recognized transfer mechanisms.
LOB's Services are hosted on secure cloud infrastructure provided by Amazon Web Services (AWS), which maintains industry-recognized security certifications, including SOC 2 compliance. LOB implements reasonable technical and organizational measures designed to protect personal data and to ensure that international transfers are conducted in accordance with applicable data protection laws.
10. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described herein and to comply with legal obligations.
- Account and transaction records may be retained for up to seven (7) years where required for accounting, audit, or legal defense.
- Marketing data is retained until consent withdrawal.
- Enterprise Customer Data is retained in accordance with the applicable DPA.
- Biometric data (where processed) is retained only as long as strictly necessary and securely destroyed pursuant to written retention schedules.
11. Security Measures
We implement appropriate technical and organizational measures, including:
- Encryption in transit and at rest;
- Access controls and least-privilege permissions;
- Multi-factor authentication;
- Security testing and monitoring;
- Incident response procedures;
- Employee confidentiality training.
In the event of a notifiable data breach, we will notify regulators and affected individuals as required by law.
13. Privacy Rights
Depending on jurisdiction, individuals may have rights to access, rectify, erase, restrict, object, port data, withdraw consent, and not be subject to certain automated decisions.
Requests may be submitted to privacy@lob.group. We respond within legally required timeframes.
14. California Privacy Rights
California residents have rights under the CCPA/CPRA, including rights to know, delete, correct, limit use of sensitive personal information, and opt out of sale or sharing. LOB does not sell personal information.
15. Sensitive Personal Data
Certain Platforms may process biometric data, health data, government-issued identifiers, or data concerning vulnerable populations.
Processing of sensitive personal data requires:
- Explicit consent or other valid legal basis;
- Enhanced safeguards;
- Strict access controls;
- Documented retention and destruction schedules.
LOB applies a dignity-by-design framework to sensitive deployments.
16. Children’s Privacy
Our general Services are not directed to children under 13 (or higher age where required by law).
Humanitarian deployments may process minors' data only with appropriate consent or legal authorization.
17. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via website notice or email. Continued use of Services constitutes acceptance where legally permitted.
18. Contact Information
- Privacy Team: privacy@lob.group
- General Contact: hi@lob.group
- Registered Entity: LOB, LLC, Delaware Limited Liability Company
© 2026 LOB, LLC. All Rights Reserved.