Introduction
Landra is operated by Pow Organics LLC, a California limited liability company doing business as “Landra” (“Landra,” “we,” “us,” “our”). We operate the website at getlandra.com and the application at app.getlandra.com. This Privacy Policy describes what personal data we collect, why we collect it, our legal bases for processing, and your choices regarding that data.
By using Landra, you agree to the collection and use of data as described here. If you do not agree, please do not use the service.
Data Controller
For the purposes of the EU/UK General Data Protection Regulation (“GDPR”) and similar laws, the data controller is:
- Entity: Pow Organics LLC (d/b/a Landra), a California limited liability company
- Email: ezra@getlandra.com
- Mailing address: 584 Castro St, #3553, San Francisco, CA 94114
We have not appointed a data protection officer or an Article 27 EU representative; we will do so if and when required by applicable law. For any privacy question or request, email ezra@getlandra.com.
What We Collect
We collect only what we need to run the service.
Account data
When you create an account, we collect your email address and a hashed password (or an OAuth token if you sign in with a third-party provider). We use this to authenticate you and associate your pages with your account.
Billing data
When you subscribe to a paid plan, Stripe collects your payment card details and billing address. We never see or store your full card number. We receive from Stripe: the last four digits of your card, your billing email, your subscription status, and invoice history.
Brand URLs and generated content
When you generate a page, you provide a brand or product URL. We fetch publicly available content from that URL to analyze the brand. We do not fetch URLs that resolve to private network addresses or that require authentication. You represent and warrant that you are authorized to direct Landra to fetch and analyze the URL you submit and that doing so does not violate the URL owner’s terms of service, robots-exclusion directives (robots.txt), paywall, or login wall. We do not independently verify that you are authorized to submit a given URL. Generated pages — including text, component data, and image references — are stored in your account so you can edit and publish them.
Usage data
We collect usage data to operate, secure, understand, and improve the Service: pages created, pages published, feature and interface interactions, content viewed, error logs, and standard server request logs (IP address, browser type, timestamps). The current list of analytics and error-monitoring processors is in the Data Processors table.
AI-generated images
Images generated for your pages are stored in our cloud storage (Supabase Storage) and served via CDN. These images are associated with your account and your pages.
Shopify store data (if connected)
If you connect a Shopify store, we store your Shopify store domain, an encrypted OAuth access token scoped to the permissions you grant, and mappings between your Landra pages and the pages we have published to your Shopify store. We do not access customer data, order data, or product inventory from your Shopify store.
Customer review data (VOC)
When you submit a brand URL, our system may detect that the brand uses a customer-review platform (e.g., Judge.me, Okendo, Yotpo, Stamped, Loox, Reviews.io) and may harvest a sample of publicly-displayed reviews from that platform’s public widget endpoints. This data is used internally — and only internally — to inform the voice, tone, and topical emphasis of the generated page. We do not quote, paraphrase, or attribute statements to any individual reviewer in any Generated Content. Harvested reviews are retained in association with your generation history for up to 90 days and then deleted. By submitting a URL, you represent and warrant that you are the brand owner or are authorized by the brand owner to direct us to access its customer-review data for this purpose.
How We Use Your Data
We use your data for the following purposes:
- To provide the service. Account authentication, page generation, page storage, page publishing, image generation, Shopify publishing, and billing.
- To improve the service. Aggregated, de-identified usage patterns help us understand which features are valuable and where the product breaks. We do not use your Brand Data or Generated Content to train AI models.
- To communicate with you. We send three categories of email:
  - Transactional emails — billing receipts, security alerts, trial-end notifications required by California Business and Professions Code §17602 (Auto-Renewal Law), password resets, and other service-essential messages. These are not marketing email and are not subject to opt-in or opt-out. You will receive them as long as you have an account.
  - Service announcements — material changes to the Service, the Terms, or this Privacy Policy. These are also transactional.
  - Marketing email — product-education emails, feature announcements, and similar content. We send these only when you have given explicit opt-in consent at signup (via an unticked checkbox) or via your account settings. Each marketing email includes a one-click unsubscribe header (RFC 8058) and a visible unsubscribe link. You may withdraw consent at any time from your account settings or by emailing hello@getlandra.com.
- To enforce our terms. Detecting abuse, preventing fraud, and enforcing our Terms of Service.
- To comply with law. Responding to lawful requests, enforcing court orders, and meeting tax, accounting, and audit requirements.
Legal Bases for Processing (GDPR)
Where GDPR applies, we rely on the following legal bases:
- Contract performance — to deliver the service you signed up for, including authenticating you, generating pages, and processing your subscription.
- Legitimate interests — to secure the service, prevent abuse, debug errors, and run product analytics on de-identified data. You have the right to object to processing based on legitimate interests.
- Legal obligation — to comply with tax, accounting, and other laws; to respond to valid legal requests.
- Consent — for marketing communications (where required by law) and any other processing you explicitly opt into. You can withdraw consent at any time.
For incidental processing of third-party reviewer personal data harvested from publicly-displayed customer-review widgets (see Customer review data (VOC)), we rely on legitimate interests (GDPR Art. 6(1)(f)). We have documented a balancing test concluding that the limited, internal-only use is proportionate to the brand owner’s interest in publishing voice-aligned marketing copy and does not override the reasonable expectations of reviewers whose content was already publicly displayed. Reviewers retain Art. 21 objection rights; contact ezra@getlandra.com to exercise them.
Data Processors and Sub-Processors
We use third-party services to operate Landra. Each processor receives only the data necessary for its function. We do not sell or “share” (as defined under the CCPA/CPRA) personal information to any of these providers or to anyone else.
Notice of changes. We may add or replace sub-processors with notice given by updating this page and, where you have an active account, by email. The list below is current as of the effective date of this Policy; the most up-to-date list, along with a description of the data shared and the purpose, is always available on this page.
| Processor | Purpose | Data Shared | Location | Privacy Policy |
|---|---|---|---|---|
| Supabase | Authentication, database, file storage | Account data, page data, images | United States | supabase.com/privacy |
| Anthropic (Claude) | AI text analysis and generation | Brand URLs and page content submitted for generation. Anthropic's commercial API terms prohibit training on data sent via the API. | United States | anthropic.com/privacy |
| Google (Gemini) | AI image generation | Image prompts derived from your page content. No account-level personal data. | United States | policies.google.com/privacy |
| Replicate | AI image generation (fallback) | Image prompts. No account-level personal data. | United States | replicate.com/privacy |
| Unsplash | Stock photo search | Search query strings derived from page content. No personal data. | United States | unsplash.com/privacy |
| Vercel | Application hosting and CDN | Server request logs (IP, headers, timestamps) | United States | vercel.com/legal/privacy-policy |
| Stripe | Subscription billing and payment processing | Billing email, payment card details (handled by Stripe directly), subscription status | United States (with EU subprocessors) | stripe.com/privacy |
| Shopify | Page publishing (when you connect your store) | Page HTML content, page title, page handle. Shared only when you initiate a publish to Shopify. | Varies by store | shopify.com/legal/privacy |
| Resend | Transactional and (opt-in) marketing email delivery | Your account email address, the email body, and delivery metadata (opens, bounces). Not used for advertising. | United States | resend.com/legal/privacy-policy |
| Sentry | Error and performance monitoring | Server and browser error stacks, performance metrics, IP address, browser type. Not used for advertising or cross-context behavioral targeting. | United States | sentry.io/privacy |
| PostHog | Product and web analytics | Usage and interaction events (pages and screens viewed, clicks, form submissions, and the text of on-screen interface elements you interact with, which may include content shown within the app), web performance metrics, device and browser information, and IP address (for approximate geolocation). | United States | posthog.com/privacy |
AI and Training
We do not use your data to train AI models. We access AI capabilities via commercial API agreements with Anthropic (Claude), Google (Gemini), and Replicate (Flux). Anthropic’s commercial API terms, Google’s Gemini API terms, and Replicate’s API terms all prohibit or disclaim training on customer submissions made through their APIs. We do not have any training-data agreement with any AI vendor.
Aggregated, de-identified signals. We may derive aggregated, de-identified signals from how you use the Service (for example, which features produce errors, which page types are generated most often) to operate, secure, and improve the Service. These signals cannot be used to identify you and are not sold or shared.
Non-uniqueness of AI output. Generative AI produces output that may be substantially similar to output produced for other users from similar inputs. We do not guarantee that any Generated Content is unique.
Upstream training-data documentation. Each AI provider publishes its own training-data documentation; links are in the Data Processors table above. Where California AB 2013 or similar training-data summary laws apply to providers of generative AI, those obligations are met by the upstream model providers (Anthropic, Google, Replicate), not by Landra.
Future AI sub-processors. Before adding or replacing an AI sub-processor, we will verify that the vendor’s API terms do not permit training on customer submissions, or, if they do, we will obtain a contractual opt-out before sending any user data.
Cookies, Tracking & Similar Technologies
Strictly necessary cookies. Supabase sets first-party session cookies to keep you logged in. Stripe sets first-party cookies on the checkout and customer-portal pages it serves. These cookies are required for the Service to function and are not used for advertising or cross-site tracking.
Analytics. We use product and web analytics to understand how the Service is used, measure performance, and improve and develop our products. These tools may capture usage and interaction events (pages and screens viewed, clicks, form submissions, and the content and interface elements you view or interact with), device and browser information, and approximate location derived from IP address.
We currently operate analytics without persistent cross-site identifiers and rely on our legitimate interest under GDPR Art. 6(1)(f). We may expand our analytics — including the use of cookies or similar technologies, persistent identifiers, or session and heatmap recording — and where we do, we will update the Data Processors table and obtain consent where required (see Advertising and conversion tracking below). If we add or replace an analytics provider, we will update the Data Processors table.
Advertising and conversion tracking. We may, in the future, deploy advertising or conversion-measurement technologies — including but not limited to the Meta Pixel, TikTok Pixel, Google Ads conversion tags, LinkedIn Insight Tag, or similar — on our marketing site at getlandra.com. If we do:
- We will update the Data Processors table and this section before any such tag fires.
- For visitors in the EEA, UK, or Switzerland, we will present a cookie consent banner that allows you to reject non-essential cookies before any non-essential tag loads, in compliance with the ePrivacy Directive and Article 7 GDPR.
- For California residents, the operation of these tags may constitute “sharing” of personal information for cross-context behavioral advertising under the CCPA/CPRA, in which case we will display a “Your Privacy Choices” link in the footer and honor the Global Privacy Control.
- We will not deploy any advertising tag inside the authenticated application at app.getlandra.com without separate notice.
Your choices today. Because we do not currently operate advertising or cross-context tracking tags, no “Do Not Sell or Share My Personal Information” mechanism is presently required. If that changes, we will provide the required link in the footer of every consumer-facing page and honor the Global Privacy Control as an opt-out signal regardless of legal requirement.
Cookie list. A current list of cookies, including their purpose and duration, is available on request to hello@getlandra.com.
Your Rights (All Users)
Regardless of where you live, you can:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and all associated data by contacting us.
- Export your pages as standalone HTML files at any time from the editor.
- Object to any processing you believe is unlawful.
To exercise any of these rights, email ezra@getlandra.com. We will verify your identity using the email address on your account and respond within 30 days.
California Residents (CCPA / CPRA)
Under the California Consumer Privacy Act as amended by the California Privacy Rights Act, you have the right to:
- Know what personal information we collect, the sources, the purposes, and the categories of third parties we disclose it to.
- Access and portability — receive a copy of your personal information in a portable format.
- Correct inaccurate personal information.
- Delete your personal information, subject to limited exceptions (for example, to complete a transaction, comply with law, or resolve a security incident).
- Opt out of the “sale” or “sharing” of personal information. We do not sell or “share” (as defined under the CPRA) personal information. There is nothing to opt out of.
- Limit use and disclosure of Sensitive Personal Information. We do not use sensitive personal information for any purpose beyond what is strictly necessary to provide the service.
- Non-discrimination. We will not deny service, charge different prices, or provide a different service level because you exercised a CPRA right.
We retain personal information only for the periods described in Data Retention. We do not knowingly collect or sell the personal information of consumers under 16. To make a CPRA request, email ezra@getlandra.com with the subject line “CPRA Request.” You may designate an authorized agent to act on your behalf in accordance with CPRA §1798.140(j).
Other US State Residents (VA, CO, CT, UT, TX, OR, MT)
If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), or Montana (MCDPA), you have rights substantially similar to those described above, including:
- The right to confirm whether we process your personal data and to access that data.
- The right to correct inaccuracies and to delete personal data.
- The right to data portability.
- The right to opt out of targeted advertising, the sale of personal data, and profiling with significant effects — none of which we engage in.
- Where required (CO, CT, OR), we honor opt-out preference signals such as the Global Privacy Control.
- Where your state law provides, you may appeal any denial of a rights request by replying to our initial response.
To exercise these rights, email ezra@getlandra.com with the subject line “State Privacy Rights Request” and identify your state of residence. We will respond within the period required by your state’s law (typically 45 days, extendable by 45 days when reasonably necessary).
European Economic Area / UK Residents (GDPR)
Under the GDPR and the UK GDPR, you have the right to:
- Access your personal data.
- Rectification — correct inaccurate data.
- Erasure — request deletion of your data (“right to be forgotten”).
- Portability — receive your data in a structured, machine-readable format.
- Restriction — limit how we process your data in certain circumstances.
- Object — object to processing based on legitimate interests or for direct marketing.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner’s Office at ico.org.uk.
Our legal bases for processing are described in Legal Bases. To make a GDPR request, email ezra@getlandra.com with the subject line “GDPR Request.” We will respond within 30 days.
Business Users and Data Processing Agreement
If you use the Service on behalf of a business and the Service processes personal data of your customers or end users (for example, by ingesting a URL that contains customer testimonials or by publishing a page accessible to your customers), you may be a “controller” of that data and we may be a “processor” or “service provider” under applicable law. We offer a Data Processing Agreement (DPA) incorporating the EU Standard Contractual Clauses and the UK International Data Transfer Addendum. Request a DPA by emailing ezra@getlandra.com with the subject line “DPA Request.”
Data Retention
- Account data is retained as long as your account is active. If you delete your account, we delete your personal data and all associated pages within 30 days, except where retention is required by law (e.g., billing records).
- Generated pages and images are deleted when you delete the page or your account.
- Brand URLs submitted as input are retained in an access log for up to 90 days and are otherwise only persisted as part of the associated page’s generation history.
- Shopify OAuth tokens and store mappings are deleted immediately upon app uninstall or store disconnection; associated mappings within 30 days.
- Server logs are retained for up to 90 days for debugging and security purposes, then automatically purged.
- Billing records are retained for 7 years to comply with tax and accounting requirements.
- Data needed to resolve an active legal claim or to comply with a legal obligation is retained for the duration of that obligation.
Security Incident Notification
If we become aware of a security incident that has resulted in the unauthorized access, disclosure, alteration, or destruction of your personal data, we will notify you without undue delay, and in any event within 72 hours of our confirmation of the incident, to the extent notification is required under applicable law. Where we act as a processor, we will notify the relevant controller on the same timeline so that the controller can meet its own notification obligations (e.g., under GDPR Articles 33 and 34). Notifications will include, to the extent known, the nature of the incident, the categories and approximate number of affected individuals and records, the likely consequences, and the measures we have taken or propose to take in response.
Children’s Privacy
You must be at least 18 years old to create a Landra account. The Service is not directed to anyone under 16 under any circumstances. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at ezra@getlandra.com and we will delete it.
Reviewer data. Our voice-of-customer harvesting (see Customer review data (VOC)) may incidentally retrieve reviews authored by minors when a brand’s customer base includes minor consumers. We do not use this data to target advertising to minors and do not retain reviewer-level personal data beyond 90 days. If you are a parent or guardian and believe a child’s personal data has been collected through our review harvest, please contact ezra@getlandra.com and we will delete it.
International Data Transfers
Landra is hosted in the United States. If you access the service from outside the United States, your data will be transferred to and processed in the United States. For EEA, UK, and Swiss users, we rely on the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum) with our sub-processors, and on any additional safeguards required by applicable data-transfer law. Where a sub-processor is certified under the EU–US Data Privacy Framework, we may also rely on that framework. You may request a copy of the transfer safeguards we rely on by emailing ezra@getlandra.com.
Security
We take reasonable measures to protect your data:
- All data is encrypted in transit (TLS) and at rest.
- Database access is restricted by row-level security policies — you can only access your own data.
- Payment card data is handled entirely by Stripe. We never see, store, or process full card numbers.
- Shopify OAuth tokens are encrypted with AES-256-GCM before storage.
- API keys and secrets are stored as environment variables, never in client-side code.
- We restrict employee and contractor access to production data to what is necessary for operations and support.
- We regularly review our code and infrastructure for security vulnerabilities.
No system is perfectly secure. If you discover a security vulnerability, please report it to ezra@getlandra.com.
Third-Party Links
Pages you create with Landra may contain links to third-party websites (for example, a brand’s product page or checkout). We are not responsible for the privacy practices of those websites. We encourage you to read their privacy policies before providing them with your data.
Changes to This Policy
We may update this policy from time to time. When we make material changes, we will update the effective date at the top of this page and, if you have an account, notify you by email. Your continued use of Landra after a change constitutes acceptance of the updated policy.
Contact
If you have questions about this policy, want to exercise your privacy rights, or have a concern about how we handle your data, contact us:
Operator: Pow Organics LLC (d/b/a Landra)
Email: ezra@getlandra.com
Mailing address: 584 Castro St, #3553, San Francisco, CA 94114
We aim to respond to all inquiries within 5 business days.