Privacy Policy

Lucumo Limited ('Lucumo', 'we', 'us') is the data controller for personal data processed through the Lucumo platform. Lucumo is registered in England and Wales.

If you have questions about this policy or your data, contact us at privacy@lucumo.com.

Account data: when you sign up we collect your name and email address via our authentication provider (Clerk). If you purchase a licence we also collect billing details via Stripe.

Content data: conversations, tasks, notes, feedback items, business profile information, and any other content you submit to the platform. This is your data and you own it.

Usage data: we record token consumption, feature usage counts, and session metadata to operate the service, enforce fair-use limits, and improve the product. Usage data does not contain your conversation content.

Optional sharing: you may choose to share anonymised business context or organisation structure with the AI for more relevant coaching. These are opt-in preferences you control from your profile and can revoke at any time.

Technical data: standard web server logs including IP address, browser type, and referring URL. These are retained for security monitoring and deleted within 90 days.

To provide the service: your content is processed by our AI provider to deliver coaching responses, task management, and signal intelligence. This is the core purpose of Lucumo.

To operate and secure the platform: we use account and technical data for authentication, fraud prevention, abuse detection, and audit logging.

To bill you: billing data is used to process payments, calculate overage charges, and issue receipts.

To communicate with you: we may send transactional emails (receipts, security alerts, material changes to terms or this policy). We do not send marketing emails without your explicit consent.

Lucumo uses OpenAI's API to process your conversations and generate coaching responses. Your data is sent to OpenAI solely for inference. It is not used to train, fine-tune, or improve any AI model.

OpenAI's API terms exclude API inputs and outputs from model training by default. Lucumo does not opt in to any data-sharing or model-improvement programme.

OpenAI may retain API data in abuse-monitoring logs for up to 30 days under its standard terms. Lucumo will pursue zero-data-retention eligibility as it becomes available.

We use a limited set of third-party sub-processors, each contractually bound to handle your data only as necessary to perform its function:

OpenAI: AI inference (conversation processing, summarisation, tool calls). Clerk: authentication and identity management. Stripe: payment processing and billing. Vercel: application hosting, edge delivery, and file storage (Vercel Blob). Upstash: rate limiting and abuse prevention (Redis). Database provider: persistent data storage with encryption at rest.

We will notify you before adding a new category of sub-processor and provide at least 30 days to raise an objection.

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). User data is isolated per account with authenticated route protection and row-level ownership checks.

Sensitive product actions are recorded in an audit log visible to you from your profile. We do not permit our personnel to access your content except where required to provide support at your request, to maintain the service, or to comply with a legal obligation.

If we become aware of a security breach affecting your data, we will notify you without undue delay and in any event within 72 hours.

Lucumo uses only essential cookies required to maintain your authenticated session. We do not use advertising cookies, tracking pixels, or third-party analytics that profile your behaviour.

Session cookies are set by our authentication provider (Clerk) and expire when your session ends or after a reasonable inactivity period.

Your account data and content are retained for the duration of your licence. On account deletion, personal data and conversation content are deleted within 30 days. Backup copies are purged within 90 days.

Anonymised, aggregated usage metrics (such as token counts and feature adoption rates) may be retained indefinitely for service improvement. These metrics contain no identifiable customer content.

Access: you can view all data Lucumo holds about you from within the platform at any time.

Export: you can export a complete copy of your data in a structured, machine-readable format (JSON) from your profile page.

Deletion: you can delete your account and all associated data from your profile page. Deletion is permanent and cannot be reversed.

Rectification: you can update your profile, business information, and content at any time through the platform.

Objection and restriction: if you believe we are processing your data unlawfully, contact us at privacy@lucumo.com and we will respond within 30 days.

If you are unsatisfied with our response you have the right to lodge a complaint with the Information Commissioner's Office (ICO) or your local supervisory authority.

Your data may be processed in countries outside the United Kingdom and European Economic Area by our sub-processors. Where this occurs, we ensure appropriate safeguards are in place, including standard contractual clauses and the sub-processor's own privacy commitments.

Lucumo is a professional tool designed for business executives. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has created an account, contact us and we will delete it promptly.

We may update this policy from time to time. Material changes will be communicated via email or an in-product notification at least 30 days before they take effect. Continued use of Lucumo after the effective date constitutes acceptance of the revised policy.