Privacy Policy

1. Introduction

Welcome to LUCI ("LUCI," "we," "us," or "our"). LUCI is an intelligent communication and productivity platform powered by AI, designed to help you manage email, calendar, projects, tasks, notes, feeds, and social media integrations in a unified workspace.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you access or use our website at https://getluci.io, our web application, APIs, and any related services (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use our Services.

2. Information We Collect

2.1 Information You Provide Directly

• Account Registration: When you create an account, we collect your name, email address, and authentication credentials (e.g., password or OAuth tokens from Google or LinkedIn).
• Profile Information: Any additional information you choose to add to your profile, such as a profile photo, display name, or preferences.
• Communications: Emails, messages, notes, tasks, and other content you create, compose, send, or store within the Services.
• Uploaded Content: Files, documents, images, and attachments you upload to the platform.
• Feedback & Support: Information you provide when you contact our support team, submit feedback, or participate in surveys.

2.2 Information Collected Automatically

• Usage Data: Information about how you interact with the Services, including pages visited, features used, actions taken, timestamps, and session duration.
• Device & Browser Information: IP address, browser type and version, operating system, device identifiers, screen resolution, and language preferences.
• Log Data: Server logs recording requests, errors, referring URLs, and diagnostic information.
• Cookies & Similar Technologies: Information collected via cookies, web beacons, and local storage (see Section 7).

2.3 Information from Third-Party Services

When you connect third-party services to LUCI, we may receive information from those services, including:

• Email Providers (e.g., Google Gmail): Email messages, metadata (sender, recipient, subject, timestamps), labels, and threading information you authorize us to access.
• Calendar Services (e.g., Google Calendar): Event details, attendee information, and calendar settings.
• Social Media (e.g., LinkedIn): Profile information, posts, connections, and analytics data you authorize us to access.
• RSS & Feed Sources: Content from feeds you subscribe to within the platform.

3. How We Use Your Information

We use the information we collect to:

• Provide & Operate the Services: Deliver the core functionality of LUCI, including email management, calendar integration, project management, task tracking, note management, and social media features.
• AI-Powered Features: Power our AI assistant (LUCI Voice), smart summarization, content suggestions, and intelligent organization features using your data within the platform.
• Personalization: Customize your experience, including dashboard layouts, notification preferences, and content recommendations.
• Communication: Send you service-related notifications, security alerts, and, with your consent, product updates and marketing communications.
• Security & Fraud Prevention: Detect, prevent, and respond to fraud, abuse, security incidents, and other harmful activities.
• Analytics & Improvement: Analyze usage patterns to improve the Services, develop new features, and optimize performance.
• Legal Compliance: Comply with applicable laws, regulations, and legal processes.

4. Legal Bases for Processing

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we rely on the following grounds:

• Contract Performance: Processing necessary to perform our agreement with you and provide the Services.
• Legitimate Interests: Processing for our legitimate business interests, such as improving the Services, preventing fraud, and ensuring security, provided these interests do not override your rights.
• Consent: Where you have given explicit consent for specific processing activities, such as marketing communications or optional data sharing.
• Legal Obligation: Processing required to comply with applicable laws and regulations.

5. Data Sharing & Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

• Service Providers: We share data with trusted third-party providers who perform services on our behalf (e.g., hosting, analytics, customer support). These providers are contractually bound to protect your data and use it only for the purposes we specify.
• With Your Consent: When you explicitly direct us to share information with a third party or another user.
• Legal Requirements: When required by law, regulation, subpoena, court order, or other governmental request.
• Protection of Rights: When necessary to protect the rights, property, or safety of LUCI, our users, or others.
• Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such change.
• Aggregated or De-identified Data: We may share aggregated or de-identified data that cannot reasonably be used to identify you.

6. Third-Party Services & Integrations

LUCI integrates with various third-party services to provide its functionality. These integrations include, but are not limited to:

• Google APIs (Gmail, Google Calendar) — Governed by Google's Privacy Policy. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
• LinkedIn API — Governed by LinkedIn's Privacy Policy.
• OpenAI API — Used for AI-powered features. Content processed through OpenAI is subject to OpenAI's data usage policies. We use the API in a way that does not allow OpenAI to train on your data.

7. Cookies & Tracking Technologies

We use the following types of cookies and similar technologies:

7.1 Strictly Necessary Cookies

These cookies are essential for the operation of the Services. They include session tokens, authentication cookies (e.g., access_token, refresh_token), and CSRF protection tokens. You cannot opt out of these cookies.

7.2 Functional Cookies

These cookies remember your preferences and settings (e.g., theme, layout, language) to provide a personalized experience.

7.3 Analytics Cookies

We may use analytics cookies to understand how users interact with the Services, measure performance, and identify areas for improvement. These cookies collect aggregated, anonymous data.

7.4 Managing Cookies

You can control cookies through your browser settings. Please note that disabling strictly necessary cookies may impair the functionality of the Services.

8. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:

• Account Data: Retained for the duration of your account. When you delete your account, we will delete or anonymize your data within 30 days, unless we are legally required to retain it.
• Usage & Log Data: Retained for up to 12 months for analytics and security purposes, then aggregated or deleted.
• Communications & Content: Retained as long as your account is active and for a reasonable period afterward to allow for account recovery, unless you explicitly request earlier deletion.
• Backup Data: Backups containing your data may persist for up to 90 days after deletion from active systems.

9. Data Security

We implement industry-standard technical and organizational measures to protect your personal information, including:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
• Encryption at Rest: Sensitive data stored in our databases is encrypted at rest using AES-256 encryption.
• Access Controls: Role-based access controls limit access to personal data to authorized personnel only.
• Authentication Security: We use JWT-based authentication with short-lived access tokens and secure refresh tokens. Passwords are hashed using bcrypt with appropriate salt rounds.
• Regular Audits: We conduct regular security assessments and vulnerability testing of our infrastructure.

While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to maintaining robust safeguards.

10. Your Rights & Choices

Depending on your location and applicable law, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete personal information.
• Deletion: Request deletion of your personal information, subject to certain legal exceptions.
• Portability: Request a machine-readable copy of your data for transfer to another service.
• Restriction: Request that we restrict the processing of your personal information in certain circumstances.
• Objection: Object to the processing of your personal information based on legitimate interests.
• Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of prior processing.

Exercising Your Rights

To exercise any of these rights, please contact us at privacy@getluci.io. We will respond to your request within 30 days (or as required by applicable law). We may ask you to verify your identity before processing your request.

U.S. State Privacy Rights

If you are a resident of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), or other states with comprehensive privacy laws, you have additional rights, including:

• The right to know what personal information we collect and why.
• The right to opt out of the sale or sharing of personal information (we do not sell your data).
• The right to non-discrimination for exercising your privacy rights.
• The right to limit the use of sensitive personal information.

EEA, UK & Swiss Residents

If you are located in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

11. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. When we transfer data internationally, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions by relevant data protection authorities.
• Other mechanisms permitted under applicable data protection laws.

12. Children's Privacy

The Services are not intended for children under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information promptly.

If you believe a child has provided us with personal information, please contact us at privacy@getluci.io.

13. AI & Machine Learning

LUCI uses artificial intelligence and machine learning to power features such as the LUCI Voice assistant, smart email summarization, content suggestions, and task prioritization.

• How AI Processes Your Data: Your content (emails, notes, tasks, etc.) may be sent to AI service providers (e.g., OpenAI) for processing. This data is sent securely via encrypted APIs and is not used to train third-party AI models.
• No Automated Decision-Making: We do not use AI to make automated decisions that produce legal or similarly significant effects on you without human oversight.
• Opt-Out: You may disable AI-powered features through your account settings without affecting core functionality.
• Transparency: We are committed to being transparent about how AI is used within the platform and will clearly label AI-generated content when applicable.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable laws. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page.
• Notify you via email or through an in-app notification at least 30 days before the changes take effect (for material changes).
• Post the revised policy on this page.

Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all inquiries within 30 days.