This Privacy Policy explains how Llorut ("we", "us", or "our") collects, uses, stores, and protects information when you use our platform, including our website (llorut.com), AI chat tools, QR code channels, and any associated services (collectively, the "Service").
By using Llorut, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Service.
1. Who We Are
Llorut is an AI-powered customer engagement platform that enables businesses ("Companies") to deploy AI assistants across their website, QR code links, and other digital channels. Llorut operates primarily in Africa and complies with applicable data protection legislation including the Zimbabwe Data Protection Act, Chapter 11:22 and aligned international standards.
2. Information We Collect
A. Company Account Holders
When a business registers on Llorut, we collect:
Business name, email address, and password (hashed, never stored in plain text)
Google account information if you use Google Sign-In
Business branding details (logo, colours, AI name)
Knowledge base documents you upload (PDFs, Word files, text)
Payment references and subscription records
B. Visitors (End Users of AI Chats)
When a visitor interacts with an AI chat powered by Llorut, we may collect:
Approximate IP address and country/city (via IP geolocation)
Name and contact details if voluntarily provided during lead capture
Check-in name and stated purpose if a visitor checks in
Session identifier (randomly generated, not tied to a user account)
C. Agents (Onboarding Partners)
Full name, email, phone number, and business name
Agreement to our Terms of Service and this Privacy Policy
D. Automatically Collected Data
Server logs (request timestamps, HTTP status codes)
Service Worker and PWA cache usage (stored locally on your device)
3. How We Use Your Information
Service delivery: to operate AI chat functionality, process knowledge bases, and generate responses
Account management: to authenticate users, manage subscriptions, and process payments
Analytics: to provide businesses with anonymised visitor insights, traffic patterns, and AI performance reports
Lead capture: to relay visitor contact details to the relevant business (with the visitor's knowledge)
Security: to detect fraud, rate-limit abuse, and protect platform integrity
Communications: to send subscription renewal reminders, payment receipts, and platform notifications
We do not sell your personal data to third parties. We do not use visitor chat data to train AI models.
4. AI Processing
Llorut's AI is built and operated entirely by Llorut. When a visitor sends a message, that message — along with the company's knowledge base — is processed securely on Llorut's infrastructure over encrypted HTTPS.
Llorut's AI does not retain conversation data for model training purposes.
The AI identifies itself only as the company's named assistant and does not disclose platform or infrastructure details to visitors.
5. Data Sharing
We share data only in the following limited circumstances:
The Company you are chatting with: visitor interactions, leads, and check-ins are visible to the relevant business on their dashboard
IP Geolocation: IP addresses are sent to ip-api.com for country/city lookup (non-identifying, no personal identifiers shared)
Legal obligation: if required by law, court order, or governmental authority
6. Data Retention
Visitor interactions: retained for up to 12 months for analytics, then purged
Leads and check-ins: retained as long as the company account is active
Company accounts: retained for 90 days after account closure before permanent deletion
Rate-limiting files: automatically deleted after 1 hour
Uploaded documents: stored until deleted by the company admin
7. Cookies & Local Storage
Llorut uses:
Session cookies (HttpOnly, SameSite=Lax) for authentication — no tracking
localStorage in the AI Contacts PWA to store your saved contacts and chat history on your own device — this data never leaves your device unless you send a chat message
We do not use advertising cookies, analytics cookies (Google Analytics, etc.), or any third-party tracking pixels. See our Cookie Policy for full details.
8. Security
We implement appropriate technical and organisational measures to protect your data, including:
HTTPS encryption on all connections (HSTS enforced)
bcrypt password hashing (cost factor 12)
PDO prepared statements to prevent SQL injection
CSRF token protection on all state-changing requests
Rate limiting on login and API endpoints
Content-Security-Policy headers
Protected file uploads with MIME type validation
No method of transmission over the internet is 100% secure. We cannot guarantee absolute security, but we take commercially reasonable steps to protect your data.
9. Children's Privacy
Llorut is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has submitted personal data through our platform, please contact us and we will delete it promptly.
10. Your Rights
You have the right to:
Access the personal data we hold about you
Correct inaccurate data
Delete your data (right to erasure)
Object to processing of your data
Data portability — receive your data in a structured, machine-readable format
To exercise any of these rights, email us at privacy@llorut.com. We will respond within 30 days.
11. International Transfers
Llorut is hosted on secure cloud infrastructure across multiple regions to ensure reliability and speed. By using our Service, you consent to your data being processed on Llorut's infrastructure, which may span multiple geographic regions. We maintain appropriate technical and contractual safeguards across all infrastructure.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered company accounts of material changes by email or in-dashboard notification. Continued use of the Service after changes constitutes acceptance of the updated policy.