Privacy Policy
Last updated: June 2026
This Privacy Policy explains how LANcarta Inc, operating the service known as "LANcarta" ("LANcarta," "we," "us," or "our"), collects, uses, shares, and protects information when you use the LANcarta website at https://www.lancarta.com, the LANcarta portal at https://portal.lancarta.com, and the LANcarta collector software (collectively, the "Service").
LANcarta is built on a simple principle: give you visibility into your own network without harvesting your data for any purpose other than running the Service. We do not use tracking cookies, third-party analytics, or advertising networks, and we do not sell your personal information.
This Privacy Policy is incorporated into and subject to our Terms of Service.
1. Who We Are
For the purposes of data protection law, LANcarta Inc is the controller of the account and operational data described below. For the network inventory data that your collectors submit, you are generally the controller and we act as a processor on your behalf, processing that data only to provide the Service.
Contact: [email protected]
2. Information We Collect
We collect the following categories of information:
2.1. Account Data
When you create and use an account, we collect:
- Your email address
- A hashed (not plain-text) version of your password
- Account preferences and settings
- Team membership information, if you invite or are invited as a team member
2.2. Network Inventory Data
This is the data your collector discovers on your network or that you enter manually, including:
- IP addresses and MAC addresses
- Hostnames and device metadata
- Vendor information derived from device identifiers
- SNMP data (on tiers where SNMP is enabled)
- Custom labels, fields, and notes you add
This data describes devices on the networks you own or are authorized to manage. It is submitted by your own collector under your control and is isolated to your account. Some of this data may, in your context, constitute or relate to personal data of individuals on your network; you are responsible for ensuring you have a lawful basis to monitor those networks.
2.3. Collector Telemetry
To operate and support the collector, we collect:
- Check-in (heartbeat) timestamps
- Collector software version
- The subnet(s) the collector detects and is configured to scan
2.4. Payment Data
When you subscribe to a paid plan, billing is handled by Stripe. We store your Stripe customer identifier, your subscription status, plan, and billing cycle. We do not store or process your full payment card number, CVC, or similar cardholder data. That information is collected and processed directly by Stripe.
2.5. Usage and Log Data
For security, debugging, and operating the Service, our servers generate logs that may include API request metadata (such as endpoint, timestamp, status, and originating IP address) and error and diagnostic information. Our logging is configured to redact sensitive fields such as authentication tokens, cookies, and passwords so that they are not written to logs in readable form.
2.6. Cookies
We use a single session cookie to keep you signed in to the portal. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. See Section 9 for details.
3. How We Use Information
We use the information we collect to:
- Provide, operate, and maintain the Service, including device discovery, dashboards, historical trends, alerts, and (on eligible plans) AI Security Analysis
- Authenticate you and secure your account, including protecting against unauthorized access and abuse
- Process subscriptions, billing, and renewals through Stripe
- Send transactional emails such as account verification, password resets, and alerts
- Provide customer support and respond to your requests
- Enforce our Terms of Service and Acceptable Use Policy
- Comply with legal obligations and protect our rights and the rights of others
We do not use your network inventory data to train any general-purpose model, and we do not sell or share your personal information for advertising.
4. Legal Basis for Processing (EU/EEA and UK Users)
If you are in the European Economic Area or the United Kingdom, we process your personal data on the following legal bases:
- Performance of a contract — to provide the Service you have signed up for, including processing account data, collector telemetry, and billing.
- Legitimate interests — to secure and improve the Service, prevent abuse, and maintain logs, balanced against your rights.
- Legal obligation — to comply with applicable laws, including tax and accounting requirements.
- Consent — where we rely on consent (for example, for certain optional communications), you may withdraw it at any time.
For network inventory data processed on your behalf, you are responsible for establishing the lawful basis to monitor the relevant networks; we process that data as your processor under our agreement with you.
5. How We Share Information
We do not sell your personal information. We share information only with the service providers necessary to operate the Service, and only as needed for them to perform their functions:
| Processor | Purpose | Location |
|---|---|---|
| DigitalOcean | Hosting of our servers and PostgreSQL database, where account and network data are stored | United States |
| Stripe | Payment processing and subscription billing | United States / global |
| SMTP email relay | Delivery of transactional email (verification, password reset, alerts) | As provided by the relay |
We may also disclose information:
- To comply with a valid legal request, court order, or applicable law
- To enforce our Terms or protect the rights, safety, or property of LANcarta, our users, or others
- In connection with a merger, acquisition, financing, or sale of assets, in which case we will require the recipient to honor this Privacy Policy or notify you of any material change
We do not use third-party advertising or analytics providers.
6. International Data Transfers
Our infrastructure is located in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for transfers of personal data out of the EEA or UK.
7. Data Retention
7.1. Account data is retained for as long as your account is active. If you close your account, we delete or anonymize your account data within a reasonable period, except where we must retain certain records (for example, billing records) to comply with legal obligations.
7.2. Network inventory and observation data is subject to per-tier retention windows. Historical observation and audit data older than your plan's retention window is automatically and permanently deleted:
- Free tier: 30 days
- Small Business tier: 90 days
- IT Professional tier: 365 days
If you downgrade your plan, the shorter retention window of the new plan applies, and older data outside that window will be deleted.
7.3. Logs are retained only as long as needed for security and operational purposes and are then rotated or deleted.
7.4. Payment records are retained as required for accounting, tax, and legal compliance. Card data itself is held by Stripe under its own retention practices.
8. Your Rights and Choices
You have control over your information. Depending on your location, you may have some or all of the following rights:
- Access — request a copy of the personal data we hold about you
- Correction — ask us to correct inaccurate or incomplete data
- Deletion — ask us to delete your personal data
- Portability — request your data in a structured, commonly used, machine-readable format
- Restriction and objection — ask us to restrict certain processing, or object to it
- Withdraw consent — where we rely on consent, withdraw it at any time
You can exercise many of these rights directly in the portal (for example, editing account details, managing your network data, exporting data, and closing your account). For any request you cannot complete yourself, contact us at [email protected]. We will respond within the time required by applicable law. We will not discriminate against you for exercising your rights.
9. Cookies
9.1. We use a single, strictly necessary session cookie to maintain your authenticated session in the portal. Without it, you could not stay signed in.
9.2. We do not use tracking cookies, cross-site cookies, advertising cookies, or third-party analytics cookies. We do not build advertising profiles, and we do not share browsing behavior with ad networks.
10. GDPR Rights (EU/EEA and UK Users)
If you are in the EEA or the UK, you have the rights described in Section 8 under the General Data Protection Regulation (GDPR) and UK GDPR. In addition:
- You have the right to lodge a complaint with your local data protection supervisory authority (in the UK, the Information Commissioner's Office).
- Where we act as a processor for your network inventory data, business-tier customers acting as controllers may request a Data Processing Agreement (DPA) by contacting us at [email protected].
- We will notify the relevant supervisory authority and affected users of a personal data breach where and as required by law, generally without undue delay and, where feasible, within 72 hours of becoming aware of a reportable breach.
11. CCPA/CPRA Rights (California Users)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the right to:
- Know what personal information we collect, use, and disclose
- Access a copy of the personal information we hold about you
- Delete personal information we hold about you, subject to legal exceptions
- Correct inaccurate personal information
- Opt out of sale or sharing of personal information
We do not sell or share (as those terms are defined under the CPRA) your personal information, and we do not use it for cross-context behavioral advertising. We will not discriminate against you for exercising your rights. To make a request, contact us at [email protected]. We may need to verify your identity before fulfilling your request.
The categories of personal information we collect, the purposes for which we use them, and the parties with whom we share them are described in Sections 2, 3, and 5 above.
12. Security
12.1. We take reasonable technical and organizational measures to protect your information, including:
- Encryption of data in transit (HTTPS/TLS)
- Hashing of account passwords (we never store passwords in plain text)
- Redaction of sensitive fields (such as tokens, cookies, and passwords) in our logs
- Per-account data isolation so that each customer's network data is segregated
- Access controls and the use of reputable infrastructure providers
12.2. No system is perfectly secure. While we work to protect your information, we cannot guarantee absolute security, and you are responsible for safeguarding your account credentials and collector API keys.
13. Children's Privacy
The Service is not directed to children. We do not knowingly collect personal information from anyone under 13 years of age. If you believe a child has provided us with personal information, contact us at [email protected] and we will delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you by email or through the portal. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
15. Contact Us
Questions, requests, or concerns about your privacy? Contact us at:
LANcarta Inc
Email: [email protected]
Web: https://www.lancarta.com