Lucy Labs

Privacy Policy

Effective 2026-05-13

This policy covers the lucylabs.ai marketing website and the Lucy Chat surface visible in the lower-right corner of the site. Lucy Labs is GDPR-native and EU-sovereign by construction: at-rest visitor data is stored on Lucy Labs' privately hosted server infrastructure in Madrid, Spain. We use the same V·C·C trust contract here that governs the Lucy product (see Trust → V·C·C), with surface-specific commitments described below.

In this policy

  1. Who we are
  2. What we collect
  3. Why we collect it (legal bases)
  4. Where your data goes
  5. Foundation-model transparency
  6. How long we keep it
  7. Your rights
  8. How to contact us
  9. Cookies and tracking
  10. Changes to this policy
  11. FAQ

1. Who we are

Lucy Labs operates this site through two legal entities: Lucy Labs, Inc. (Delaware C-Corp parent, in formation) and Lucy Labs S.L. (Spanish operating subsidiary, in formation). The full Aviso Legal is at /legal.

For matters covered by this policy, the responsible person is Travis Sheppard, founder of Lucy Labs. The operating address is Calle Entrepeñas 5, Bloque B, Piso 5B, 28051 Madrid, Spain. For data-subject requests and privacy inquiries: privacy@lucylabs.ai.

Until both entities are formally registered, data-controller obligations are personal to Travis Scott Sheppard at the Madrid operating address. The page is updated when each entity registers.

2. What we collect

From Lucy Chat: your messages, server-issued session identifier, hashed IP, hashed user-agent, page URL, browser language, timezone, and (only if you provide it) your email. From the contact form: name, email, company, audience, role, message. From every page: aggregate analytics signals through Cloudflare Web Analytics (cookieless).

Lucy Chat (the chat widget)

  • Conversation content — the messages you type and the responses Lucy generates, with timestamps. Stored linked to a rotating session identifier, not to a persistent visitor identity.
  • Technical metadata — HMAC-hashed IP address, HMAC-hashed user-agent, origin and referer host/path, page host/path, browser language, timezone. The original IP and user-agent are not stored — only HMAC values computed at ingest using a service-side key.
  • Session identifier — a server-issued opaque token saved in your browser's localStorage (not a cookie) so the conversation can resume across page reloads in the same session.
  • Optional email — only when you invoke the "Email me this conversation" feature. The email and a hashed copy are stored; the email is used to send your transcript and may be used to follow up if you indicate interest.

Contact form

  • Name, email, company, audience, role, message, plus the same technical metadata as above.

Sitewide analytics

  • Cloudflare Web Analytics in cookieless mode — aggregate visitor counts, referrers, page-load timing. No tracking cookies are set; no individual visitor profile is built. See Cookies and tracking below.

3. Why we collect it (legal bases)

Under GDPR Art. 6(1), our legal bases are contract performance (delivering the chat reply), legitimate interest (product improvement, fraud prevention, service integrity), and consent (only for the optional email + transcript send).

This policy governs the lucylabs.ai marketing-site chat surface only. The deployed Lucy product carries its own data-controller and data-processor commitments described under Trust → EU — those do not apply to this public-website surface.

  • Contract performance — Art. 6(1)(b). Delivering the chat reply you ask for. Without your message and a session identifier we cannot produce a reply.
  • Legitimate interest — Art. 6(1)(f). Reviewing conversations for product improvement at design-partner stage, preventing fraud and abuse, maintaining service integrity. The interests we balance against your privacy expectations include the design-partner-stage nature of the product (we genuinely improve Lucy from these conversations) and the fact that the surface is a public marketing widget, not a workspace.
  • Consent — Art. 6(1)(a). Asked only when you opt in to "Email me this conversation" or submit the contact form. You can withdraw consent at any time by emailing privacy@lucylabs.ai.

4. Where your data goes

Per GDPR Art. 13(1)(e), this section discloses categories of recipients. At-rest visitor data is stored on Lucy Labs' privately hosted server infrastructure in Madrid, Spain — no managed cloud provider for storage, no cross-border transfer for storage.

| Category / provider | Role | Data received | Location |
| --- | --- | --- | --- |
| AI foundation-model providers | Generates the chat reply | Your message + recent conversation history | United States |
| Cloudflare | Static-site hosting (Pages), Tunnel transit for the chat backend, Turnstile bot-gate, Web Analytics (cookieless beacon) | HTTP request headers (IP, user-agent, URL), chat payloads in transit, Turnstile challenge data, beacon page metrics | Global edge (EU + US) |
| Google Workspace (Gmail) | Sends contact-form notifications and transcript emails when you request them | Email subject + body + recipient address | EU / US |
| CRM provider | Receives contact-form lead data | Name, email, company, audience, role, message | European Union |
| PostgreSQL — Lucy Labs' privately hosted server infrastructure | At-rest storage for all of the above | Conversation content, technical metadata, contact submissions, email-request records | Madrid, Spain |

Names of specific AI foundation-model and CRM providers are not published here — we use category-only disclosure per GDPR Art. 13(1)(e) so that Lucy Labs can evaluate and change providers without re-publishing this policy. If you exercise your Art. 15 right of access in writing, we will identify the specific provider in our response within 30 days.

5. Foundation-model transparency

Lucy depends on a third-party AI foundation-model provider. Your chat messages and the recent conversation history travel via Cloudflare Tunnel to our Madrid backend and from there to the provider's inference servers in the United States. The provider's response returns the same path. Today this transit operates under the provider's consumer subscription terms, not an enterprise-tier agreement with a signed Data Processing Agreement. Lucy Labs has committed to migrating to an enterprise-tier API with a DPA and zero-data-retention controls before the end of Q3 2026.

The full architecture — including the human-oversight commitments that satisfy EU AI Act Art. 14 — is described under Trust → How Lucy uses AI systems.

6. How long we keep it

Identifiable conversation and contact data: minimum time necessary up to 12 months from collection. Pseudonymized technical metadata: up to 24 months. Aggregate and anonymized data: indefinitely. Regulated PII detected at the ingest path is redacted before storage. Deletion within 30 days of a request to privacy@lucylabs.ai.

This applies the same three-tier classification model we use across the Lucy product (Context / Content / Sensitive Data) to the marketing-site chat surface, with Lucy-Labs-set defaults:

| Tier | What's in it | How long we keep it |
| --- | --- | --- |
| Identifiable | Your messages (linked to a session), contact-form submissions, your email if you provide it | Minimum time necessary; 12-month ceiling. Then permanently deleted. |
| Pseudonymized metadata | HMAC-hashed IP, HMAC-hashed user-agent, session identifier, origin, referer, browser language, timezone | Up to 24 months. Then permanently deleted. |
| Aggregate / anonymized | Aggregate visitor counts, anonymized question patterns, de-identified product-improvement signals | Indefinitely, for training and analytics. |
| Sensitive Data (regulated PII) | Financial-account numbers, medical references, legal identifiers, biometric data, government-ID patterns (credit cards, IBANs, SSNs, DNI, NIE), international phone numbers, embedded emails | Not retained. Detected and redacted at the ingest path before storage; replaced with a category-labelled placeholder (e.g. [REDACTED:CARD]). |

Pseudonymization architecture for the chat surface

  • Your IP address and user-agent are HMAC-hashed at the application layer the moment they arrive. The original values are not retained anywhere; an attacker with database access cannot reverse the hash to your IP or user-agent without the service-side key, which is held in the application environment, not in the database.
  • Conversation content is keyed to a server-issued session identifier that rotates per session and is not tied to a persistent visitor identity.
  • Conversation content and visitor contact information are stored separately so they cannot be readily recombined. The table holding visitor contact information has no plaintext foreign key to the conversation; the linkage is an HMAC of the conversation identifier under a service-side secret held in the application environment, not in the database. A database-only attacker cannot resolve a stored email back to a specific conversation without that secret.
  • Detection of regulated PII uses check-digit validation where applicable (Luhn for credit cards, mod-97 for IBAN, mod-23 for DNI / NIE) plus context heuristics. Each redaction event is audit-logged with category, position, and length — never the original content.
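
The ingest-path behaviour described in the bullets above can be sketched as follows. This is an added example, not Lucy Labs' code: the key, the SHA-256 choice, the candidate regexes and the IBAN/DNI placeholder labels are assumptions, and the context heuristics the policy mentions are left out.

```python
import hashlib
import hmac
import re

# Constructed demo key; per the page the real key sits in the application
# environment, never in the database.
SERVICE_KEY = b"constructed-demo-key"
# Constructed sample message; the last number fails its Luhn check.
SAMPLE = ("card 4111 1111 1111 1111, iban ES9121000418450200051332, "
          "dni 12345678Z, ref 4111 1111 1111 1112")

def pseudonymize(value, key=SERVICE_KEY):
    # HMAC-SHA256 is an assumption; the page names only "HMAC".
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def luhn_ok(digits):
    # Digits in even positions from the right are doubled and digit-summed.
    total = sum(int(c) for c in digits[-1::-2])
    total += sum(sum(divmod(2 * int(c), 10)) for c in digits[-2::-2])
    return total % 10 == 0

def iban_ok(iban):
    s = iban[4:] + iban[:4]  # country code and check digits move to the end
    return int("".join(str(int(c, 36)) for c in s)) % 97 == 1

def dni_ok(doc):
    num = doc[:-1].translate(str.maketrans("XYZ", "012"))  # NIE prefix letter
    return "TRWAGMYFPDXBNJZSQVHLCKE"[int(num) % 23] == doc[-1]

# (category label, candidate pattern, check-digit validator); labels other
# than CARD are assumptions modelled on the page's [REDACTED:CARD] example.
RULES = [
    ("CARD", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), luhn_ok),
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b"), iban_ok),
    ("DNI", re.compile(r"\b(?:\d{8}|[XYZ]\d{7})[A-Z]\b"), dni_ok),
]

def redact(text):
    """Return (redacted text, audit events with category/position/length only)."""
    hits = [(m.start(), m.end(), cat)
            for cat, pat, valid in RULES for m in pat.finditer(text)
            if valid(re.sub(r"[ -]", "", m.group()))]
    events, out, last = [], [], 0
    for start, end, cat in sorted(hits):
        if start >= last:  # skip a match overlapping one already redacted
            out += [text[last:start], f"[REDACTED:{cat}]"]
            events.append({"category": cat, "position": start, "length": end - start})
            last = end
    return "".join(out) + text[last:], events
```

Calling `redact(SAMPLE)` leaves the final number in place because it fails the Luhn check, which is how check-digit validation keeps order references and similar digit runs from being redacted as cards.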

Visitor-initiated deletion

You can request deletion of your conversation, contact submission, or email at any time by emailing privacy@lucylabs.ai. We complete the deletion within 30 days and confirm in writing. The 12-month and 24-month ceilings are upper bounds — deletion requests are processed sooner.

7. Your rights under GDPR and Spanish LOPDGDD

You have the rights of access, rectification, erasure, restriction, portability, objection, and the right to withdraw consent at any time. You also have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD).

  • Access (Art. 15) — request a copy of what we hold about you.
  • Rectification (Art. 16) — correct inaccurate data.
  • Erasure (Art. 17, "right to be forgotten") — request deletion. Completed within 30 days.
  • Restriction (Art. 18) — restrict processing pending a decision on a related request.
  • Portability (Art. 20) — receive your data in a machine-readable format.
  • Objection (Art. 21) — object to processing based on legitimate interest.
  • Withdraw consent (Art. 7) — at any time, for the optional email-transcript feature.
  • Lodge a complaint with the Spanish Data Protection Authority (AEPD) or another EU supervisory authority of your habitual residence.

To exercise any of these rights, email privacy@lucylabs.ai. We will respond within 30 days, in writing.

8. How to contact us

Email privacy@lucylabs.ai. Postal: Calle Entrepeñas 5, Bloque B, Piso 5B, 28051 Madrid, Spain. We respond to data-subject requests within 30 days.

For general (non-privacy) inquiries: lucy@lucylabs.ai. The corporate identity is described under the Legal Notice.

9. Cookies and tracking

We do not set tracking cookies. The site uses Cloudflare Web Analytics in cookieless mode, plus a single localStorage entry for chat-session continuity.

  • Cloudflare Web Analytics — runs on every page. Cookieless: no first-party cookies are set by the analytics beacon. No consent banner is required under the ePrivacy Directive for this mode.
  • Cloudflare bot-management — Cloudflare may set strictly-necessary cookies (__cf_bm, _cfuvid) at the edge for traffic management. These are not optional and not used to track you across sites.
  • Chat-session continuity — Lucy Chat sets one localStorage entry (not a cookie) to remember the session identifier so the conversation survives a page reload. Clearing your browser storage clears it.
  • Google Fonts — every page loads font files from fonts.googleapis.com and fonts.gstatic.com. Your browser contacts Google directly; Google is an independent controller for this traffic.

10. Changes to this policy

We update this page when our data practices change. Material changes are announced via a banner on the homepage for 30 days, and the "Effective" date at the top of this page is bumped. Version history is preserved internally and available on request.

11. Frequently asked questions

Does Lucy use my conversations to train AI models?

Lucy Labs does not train its own foundation model. We do review conversations to improve Lucy at the product level. The third-party AI provider that generates Lucy's replies may use chat content under its own terms — today, the provider's consumer subscription terms apply; we are migrating to an enterprise-tier agreement with a Data Processing Agreement and zero-data-retention controls before the end of Q3 2026. See Trust → How Lucy uses AI systems.

Where is my data stored?

At-rest visitor data is stored on Lucy Labs' privately hosted server infrastructure in Madrid, Spain. No managed cloud provider holds your conversation content or contact information at rest. Data in transit traverses Cloudflare's global edge, and chat messages are sent to a third-party AI provider's inference servers in the United States — these are in-transit hops, not storage.

Can I delete my conversation?

Yes. Email privacy@lucylabs.ai with a description of the conversation or the email you used to receive a transcript. We delete and confirm within 30 days. You can also clear the conversation locally by clearing your browser's localStorage for lucylabs.ai — that removes the session identifier on your device but does not delete the server-side record; for that, email us.

Is Lucy GDPR compliant?

This policy implements the GDPR Articles 13 and 14 transparency obligations, defines legal bases under Art. 6, and provides the data-subject rights under Arts. 15 through 22. Spain's LOPDGDD applies in parallel. Our at-rest storage is in Spain; our operating subsidiary is being formed in Madrid. EU AI Act Art. 13 transparency for the AI surface is at Trust → How Lucy uses AI systems. For procurement-grade evidence (DPA, sub-processor list with specific vendor identity), email privacy@lucylabs.ai.

Do you sell my data?

No. Lucy Labs does not sell, rent, or trade visitor data. The categories of recipients are listed under §4; each is a service provider acting on Lucy Labs' instructions or, in the case of analytics, an aggregate-only beacon. There is no advertising network on this site.

What if I'm in the EU vs the US?

If you access the site from the European Union, the GDPR and (for Spanish residents) the LOPDGDD apply. Your at-rest data stays in Spain. Chat messages are sent to a third-party AI inference provider in the United States for reply generation — this is an in-transit hop, with the provider acting under its own terms (see §5). If you access the site from the United States, the same data practices apply; the rights described under §7 are available to you on request, regardless of jurisdiction.

How do I know which AI provider sees my messages?

Under GDPR Art. 13(1)(e) we disclose categories of recipients on this public page (see §4). If you want to know the specific provider identity, email privacy@lucylabs.ai with an Art. 15 access request — we will identify the current provider in writing within 30 days. Procurement counterparties also receive the specific identity through the DPA process.

What happens if I type a credit card or other sensitive number?

Don't — but if it happens, the chat backend detects regulated-PII patterns (credit card numbers, IBANs, government IDs, etc.) at the ingest path and redacts them before anything is stored. The original is not retained; only a category-labelled placeholder is kept in the conversation record. See §6.

Lucy Labs is in design-partner development. Some capabilities shown or described above are available, some are planned, and some are planned for GA. The labels are honest where they appear; the canonical roadmap lives on the trust architecture.