Legal
Privacy Policy
Last updated: May 9, 2026
Lewsearch is a product of Swarmgram, Inc.
1. Introduction
This Privacy Policy describes how Swarmgram, Inc. ("Company," "we," "us," or "our") collects, uses, stores, and protects information when you use Lewsearch (lewsearch.com). By using Lewsearch, you agree to the practices described in this Policy. If you have questions, contact us at jeffrey@lewsearch.com.
2. Information We Collect
Account information: When you register, we collect your name, business name, email address, and an optional phone number. We assign a unique user ID to your account. Payment information: Billing is processed entirely by Stripe, Inc. We never receive, process, or store payment card numbers, CVVs, or bank account details — Stripe returns only a customer ID and subscription status token. Study data: When you run a study, we store the question text, answer options, demographic filters, agent count configuration, and the resulting study output. File uploads (future): If you use document-upload features, uploaded files are processed to extract text context and the resulting text summary is stored; original files are deleted after processing. Usage data: We collect standard web server logs (IP address, browser type, pages visited, timestamps) for security monitoring and aggregate analytics.
3. How We Use Your Data
To provide the service: We process your study inputs through our inference pipeline and return results. Account data is used to authenticate you, manage your subscription, and deliver reports. To communicate with you: We send transactional emails (study completion notifications, billing receipts, account alerts) to the address you provide. We may send product updates with an opt-out option. For aggregate analytics: We use de-identified, aggregate usage statistics (e.g., topic frequency distributions, question volume by region) for internal product development. No individual-level data is shared externally. We do not sell, rent, or trade your personal data to third parties. We do not use your study questions or study results to train or fine-tune any AI model without your explicit written consent.
4. Data Storage Architecture
Primary datastore: Account data, study results, and report metadata are stored in Supabase (PostgreSQL), hosted on AWS us-east-1. Agent panel data: Synthetic agent profiles and belief states are stored in the same Supabase instance. This data does not contain real personal information — agents are entirely synthetic demographic constructs. Report files: PDF reports are stored in Supabase Storage (S3-compatible). Access URLs are signed and expire after 24 hours to prevent unauthorized sharing. Backups: Supabase maintains automated daily backups with point-in-time recovery. Backup data is subject to the same security controls as primary data. Caching: We may cache study results in memory for up to 1 hour to reduce redundant inference costs. Cached data is never written to external systems.
5. Row-Level Security and Data Isolation
Lewsearch enforces per-user data isolation at the database layer using Supabase Row-Level Security (RLS) policies. Every table storing user-generated data (study jobs, study results, accounts, reports) has RLS enabled. Policies are enforced at the PostgreSQL level — not just in application code. This means: (a) no authenticated user can query, read, update, or delete another user's study data, even if they know the relevant record IDs; (b) no application-layer bug or configuration error can bypass row-level access controls; (c) Lewsearch staff with database access operate under the service_role key, which is never exposed to end users and is strictly controlled. An exception: certain anonymized aggregate statistics (e.g., platform-wide accuracy benchmarks) may be computed across the full dataset using the service role, but no individual user data is exposed in those outputs.
6. Third-Party Service Providers
We share data with the following sub-processors solely to provide the service: Supabase, Inc. (database and storage infrastructure); Stripe, Inc. (payment processing — receives only email and billing address); Vercel, Inc. (frontend hosting — receives request logs); and LLM inference providers (study questions are transmitted to inference endpoints for processing — we use contractual data processing agreements where available). We do not share data with advertising networks, data brokers, or analytics platforms that profile users for advertising purposes.
7. AI Model Training and Customer Data
Lewsearch's proprietary Lewis Model is trained on publicly available datasets and licensed benchmark data — not on customer study inputs. We will not use your submitted questions, prompts, demographic filters, or study outputs to train, fine-tune, or evaluate any AI model without your explicit written consent. Aggregate, de-identified behavioral patterns (e.g., frequency of topic categories queried, not the text of individual questions) may be used for internal product improvement analytics. If you have questions about our data practices for model training, contact jeffrey@lewsearch.com.
8. Data Retention
Account data: Retained for the life of your account plus 90 days after cancellation, to allow re-activation. Study results and reports: Retained for the life of your account. After account deletion, study data is deleted within 30 days. Private Panel data (if applicable): Retained for the life of an active Panel Add-On subscription plus a 30-day grace period after cancellation or downgrade. Usage logs: Retained for 90 days for security monitoring, then deleted. Stripe billing records: Retained by Stripe per their own data retention policy. You may request early deletion of your data at any time by emailing jeffrey@lewsearch.com.
9. Security
We implement commercially reasonable technical and organizational security measures: Transport security: All data in transit uses TLS 1.2 or higher. At-rest encryption: Supabase encrypts data at rest using AES-256. Access controls: Supabase service role keys and third-party API keys are stored as environment variables — never in source code or version control. RLS policies (see Section 5) enforce database-layer isolation. Our codebase undergoes periodic review for injection vulnerabilities, authentication flaws, and exposed credentials. We do not conduct penetration testing on production infrastructure without prior scheduling. Despite these measures, no system is impenetrable. In the event of a data breach that affects your personal data, we will notify affected users within 72 hours of becoming aware of the breach.
10. Your Rights
You have the right to: access a copy of the personal data we hold about you; request correction of inaccurate data; request deletion of your account and all associated personal data; export your study results from the dashboard at any time; opt out of non-transactional email communications via the unsubscribe link in any such email. To exercise any of these rights, email jeffrey@lewsearch.com with subject "Privacy Request." We will respond within 30 days. Note: we cannot delete data required to comply with legal obligations or to resolve active billing disputes.
11. Cookies and Tracking
Lewsearch uses only functional cookies strictly necessary to maintain your authenticated session (via Supabase Auth, which sets a session JWT in a secure, HTTP-only cookie). We do not use advertising cookies, third-party tracking pixels, or fingerprinting technologies. We do not participate in ad retargeting networks. Standard server-side request logs (IP, user agent, timestamp) are retained for 90 days for security monitoring and then deleted.
12. Children's Privacy
Lewsearch is intended for users 18 years of age or older. We do not knowingly collect personal data from individuals under 18. If we become aware that a minor has registered an account, we will delete the account and associated data promptly.
13. International Users
Lewsearch is operated from the United States. If you access the service from outside the United States, you consent to the transfer and processing of your data in the United States, which may have different data protection laws than your jurisdiction. For EU/EEA users: we rely on contractual necessity as the legal basis for processing personal data necessary to provide the service. We rely on legitimate interest for security monitoring and aggregate analytics. You may have additional rights under the GDPR — contact jeffrey@lewsearch.com to exercise them.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to registered users at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the service after a material change constitutes acceptance of the updated Policy.
15. Contact
Privacy questions and data requests: jeffrey@lewsearch.com. Corporate inquiries: hi@swarmgram.com. Swarmgram, Inc., 850 Euclid Ave, Ste 819, Cleveland OH 44114.