Privacy Policy

Last updated: December 2024

1. Introduction

Lund Development, LLC, doing business as Support Station ("Support Station," "we," "us," or "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our customer support platform, website, APIs, embeddable widgets, and related services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Name and email address
  • Password (stored in hashed form)
  • Profile photo (optional)
  • Organization name and settings
  • Timezone preferences

2.2 Payment Information

When you subscribe to a paid plan, payment information is collected and processed by our payment processor, Stripe. We do not store your full credit card number, CVV, or other sensitive payment card details on our servers. We may receive and store limited information from Stripe, such as the last four digits of your card, card type, expiration date, and billing address.

2.3 Customer Support Data

When you use the Service to manage customer support, we collect and store:

  • Support tickets including subject, messages, and metadata
  • File attachments uploaded to tickets
  • End user information (name, email) submitted through support channels
  • Conversation history between your team and your customers
  • Customer satisfaction ratings and feedback
  • Tags, categories, and routing information

2.4 Knowledge Base Content

Content you create and publish in your Knowledge Base, including:

  • Articles, titles, and descriptions
  • Categories and organization structure
  • SEO metadata
  • Article view counts and helpfulness votes
  • Vector embeddings created for AI-powered search

2.5 AI Conversation Data

When your customers interact with the AI Agent, we collect:

  • Questions submitted to the AI
  • AI-generated responses
  • Session identifiers for conversation continuity
  • Escalation requests and context
  • AI credit usage per interaction

2.6 Usage and Analytics Data

We collect information about how you use the Service:

  • Feature usage and interaction patterns
  • Dashboard views and report generation
  • API calls and webhook deliveries
  • Integration usage (Slack, email, etc.)

3. Information Collected Automatically

When you access the Service, we automatically collect certain information:

3.1 Log Data

  • IP address
  • Browser type and version
  • Operating system
  • Referring URL
  • Pages visited and time spent
  • Date and time of access

3.2 Device Information

  • Device type (desktop, mobile, tablet)
  • Screen resolution
  • Language preferences

3.3 Widget Interaction Data

When end users interact with your embedded Support Station Widget, we collect:

  • Page URL where the widget is displayed
  • Widget open/close events
  • Form submissions and chat interactions
  • Browser and device information

4. How We Use Your Information

We use the information we collect to:

  • Provide the Service: Operate the support platform, process tickets, deliver AI responses, and host your Knowledge Base.
  • Process payments: Manage subscriptions, process payments, and track AI credit usage.
  • Power AI features: Create vector embeddings of your Knowledge Base content to enable semantic search and AI-generated responses.
  • Send communications: Deliver transactional emails (ticket notifications, billing receipts) and, with your consent, marketing communications.
  • Improve the Service: Analyze usage patterns, troubleshoot issues, and develop new features.
  • Ensure security: Detect and prevent fraud, abuse, and security incidents.
  • Comply with legal obligations: Respond to legal requests and enforce our Terms of Service.

5. AI and Machine Learning

5.1 How Our AI Works

The Support Station AI Agent uses Retrieval-Augmented Generation (RAG) to answer questions. When you publish Knowledge Base articles, we:

  • Create vector embeddings (mathematical representations) of your content
  • Store these embeddings in a vector database (Qdrant) for semantic search
  • Use these embeddings to find relevant articles when customers ask questions
  • Send relevant context to an AI model (via OpenRouter) to generate responses

5.2 Data and AI Training

We do not use your Customer Data or Knowledge Base content to train general AI models. Your content is only used to power AI responses within your own Support Station instance. The AI models we use (accessed through OpenRouter) are pre-trained models, and your data is not used to improve or train these models.

5.3 AI Credit Tracking

We track AI credit consumption to manage your subscription limits and billing. This includes counting the number of AI interactions and any overage charges.

6. Information Sharing

We do not sell your personal information. We may share your information in the following circumstances:

6.1 Service Providers

We share information with third-party service providers who assist in operating the Service:

  • Stripe: Payment processing. Stripe receives payment card information and billing details to process subscriptions.
  • OpenRouter: AI model inference. When the AI Agent responds to questions, relevant Knowledge Base context and the user's question are sent to OpenRouter's AI models.
  • Resend: Email delivery. Email addresses and message content are shared to deliver transactional and notification emails.
  • Qdrant: Vector database. Knowledge Base content embeddings are stored in Qdrant to enable AI-powered search.
  • Cloud hosting provider: All Service data is stored on our cloud infrastructure provider's servers.

These providers are contractually obligated to protect your information and use it only for the purposes we specify.

6.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).

6.3 Business Transfers

If Support Station is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.

6.4 With Your Consent

We may share your information with third parties when you give us explicit consent to do so.

6.5 Aggregated or De-identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you for analytics, research, or other purposes.

7. Data Security

We implement appropriate technical and organizational measures to protect your information:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL.
  • Encryption at rest: Sensitive data is encrypted when stored in our databases.
  • Access controls: We restrict access to personal information to employees and contractors who need it to provide the Service.
  • Secure authentication: We use secure password hashing and support authentication best practices.
  • Regular security reviews: We periodically review and update our security practices.

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

8. Data Retention

8.1 Active Accounts

We retain your information for as long as your account is active and as needed to provide the Service. This includes all Customer Data, Knowledge Base content, tickets, messages, and AI conversation history.

8.2 Account Deletion

When you delete your account or request deletion of your data, we will:

  • Delete your account information and profile
  • Delete your Customer Data, including tickets and messages
  • Delete your Knowledge Base content and vector embeddings
  • Remove AI conversation history associated with your account

Some information may be retained in backups for up to 90 days after deletion and will be purged according to our backup rotation schedule.

8.3 Legal Retention

We may retain certain information as required by law, for legitimate business purposes (such as resolving disputes), or to enforce our agreements.

9. International Data Transfers

Support Station is based in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States and other countries where our service providers operate.

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions where the destination country provides adequate data protection
  • Your explicit consent where applicable

10. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request that we correct inaccurate or incomplete information.
  • Deletion: Request that we delete your personal information.
  • Data portability: Request a copy of your data in a structured, machine-readable format.
  • Opt-out of marketing: Unsubscribe from marketing emails at any time using the link in each email or by contacting us.
  • Withdraw consent: Where we rely on consent, withdraw your consent at any time.

To exercise these rights, please contact us at [email protected]. We will respond to your request within:

  • GDPR requests: Within 30 days (extendable by 60 days for complex requests)
  • CCPA/CPRA requests: Within 45 days (extendable by 45 days if reasonably necessary)
  • Other requests: Within a reasonable timeframe based on applicable law

We may need to verify your identity before processing your request.

11. Additional Rights for European Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

11.1 Lawful Basis for Processing

We process your personal data based on:

  • Contract: Processing necessary to provide the Service you requested.
  • Legitimate interests: Processing for our legitimate business interests (improving the Service, security, fraud prevention) where these don't override your rights.
  • Consent: Processing based on your explicit consent (marketing communications).
  • Legal obligation: Processing required to comply with applicable laws.

11.2 Additional GDPR Rights

In addition to the rights in Section 10, you have the right to:

  • Restriction: Request that we restrict processing of your personal data in certain circumstances.
  • Object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Lodge a complaint: File a complaint with your local data protection supervisory authority.

11.3 Data Controller and Processor

For the personal data of our customers (account holders), Support Station acts as the data controller. For personal data of your end users that you collect through the Service, you act as the data controller and Support Station acts as the data processor.

11.4 Automated Decision-Making

Our AI Agent provides automated responses to customer questions based on your Knowledge Base content. This automated processing does not produce legal effects or similarly significantly affect individuals, as users can always escalate to human support. You have the right to request human intervention for any AI interaction by using the escalation feature or contacting your support team directly.

11.5 Contact for European Users

For GDPR-related inquiries, please contact us at [email protected] with "GDPR Request" in the subject line.

12. Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights:

12.1 Categories of Personal Information

In the past 12 months, we have collected the following categories of personal information:

  • Identifiers (name, email address, IP address)
  • Commercial information (subscription history, payment records)
  • Internet or network activity (browsing history, Service usage)
  • Professional information (company name, job title)

12.2 Your California Privacy Rights

  • Right to know: Request information about the categories and specific pieces of personal information we have collected.
  • Right to correct: Request correction of inaccurate personal information we hold about you.
  • Right to delete: Request deletion of your personal information.
  • Right to opt-out of sale/sharing: We do not sell or share personal information for cross-context behavioral advertising. You have the right to opt-out of any future sale or sharing.
  • Right to limit use of sensitive PI: We do not collect sensitive personal information categories as defined by CPRA (such as Social Security numbers, precise geolocation, racial or ethnic origin, or health information).
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

12.3 Do Not Sell or Share My Personal Information

We do not sell your personal information or share it for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months and do not intend to do so in the future.

12.4 Exercising Your California Privacy Rights

To exercise your California privacy rights, please contact us at [email protected] with "CCPA Request" in the subject line. You may also designate an authorized agent to make a request on your behalf. We will verify your identity (and your agent's authorization) before processing your request.

13. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected], and we will take steps to delete such information.

14. Cookies and Tracking Technologies

14.1 Types of Cookies We Use

  • Essential cookies: Required for the Service to function, including authentication and session management. Cannot be disabled.
  • Functional cookies: Remember your preferences and settings to enhance your experience.
  • Analytics cookies: Help us understand how visitors use the Service so we can improve it.

14.2 Managing Cookies

Most web browsers allow you to control cookies through their settings. You can set your browser to refuse cookies or alert you when cookies are being sent. However, disabling cookies may affect the functionality of the Service.

14.3 Do Not Track

Some browsers include a "Do Not Track" feature. We do not currently respond to Do Not Track signals, but we honor other opt-out mechanisms as described in this Privacy Policy.

15. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:

  • Posting the updated policy on this page
  • Sending you an email notification (for material changes)
  • Updating the "Last updated" date at the top of this page

Your continued use of the Service after changes to the Privacy Policy constitutes your acceptance of the updated policy. We encourage you to review this page periodically.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Lund Development, LLC
DBA Support Station
Email: [email protected]

For GDPR-related inquiries, please include "GDPR Request" in your subject line.
For CCPA-related inquiries, please include "CCPA Request" in your subject line.