Trust here isn't compliance theater added after a security review. It's the architecture of the product — what Lucy sees, what Lucy keeps, what Lucy refuses to keep, and what each role inside your company can see, change, and refuse.
The trust architecture is the single source every audience section below it rests on. Use the links to drill into the role you sit in.
V·C·C is the canonical trust contract. Three pillars, each with a technical face (what Lucy is built to do or refuse to do at the code level) and a social face (what that means for the person in the work). Below each pillar, the related user-side controls are named with stage-honest labels. The architecture is the floor; the controls are how each role exercises it. The audience-shaped anchors that follow — manager, works-council, employee — are self-select drill-downs into what V·C·C means for that role.
Lucy reads the Signal layer (application activity patterns) and the Context layer (subject lines, document titles, calendar event names). Lucy does not read the Content layer (body of email, inside of document) without explicit human invocation of a coaching action. The boundary is enforced at the architecture level.
Lucy keeps Signal and Context observations within the cohort-size-gated aggregate. Lucy refuses to keep individual session content beyond the active coaching action. Local-processing roadmap: a posture to keep more processing on-device planned.
Six user-side controls plus five manager-side controls. Refused-capability scene at the contract level. Deletion is structural — exiting Lucy returns the workforce capability and removes individual-scope retention within 30 days.
Pause anytime, no reason required
One click. Stops all collection. Pausing does not log a complaint, does not affect any visible ranking, does not surface to your manager.
Redact what Lucy has observed
Per-item redaction inside the user-side control panel. Redactions are removed from the personal Coaching Plan and the cohort-aggregate within the next gating window.
"Maybe later" costs you nothing
Closing a coaching invitation does not escalate, log, or surface. There is no hidden adoption metric per individual.
Delete your personal profile
Personal Coaching Plan, retained Signal/Context observations, and personal-scope agents — structurally deleted within 30 days of request.
Leave with what you built
The capability and patterns you built with Lucy go with you — exit returns the workforce capability and removes individual-scope retention.
See what Lucy has on you
Personal Coaching Plan visibility — every Signal/Context observation Lucy has retained for personalization is inspectable on demand.
Leaders see capability formation, opportunity maps, approved-tool adoption, software optimization, and spend reallocation — at team and cohort level. Never private prompts or individual rankings.
Executive visibility is bounded by V·C·C. The Executive Dashboard surfaces named on /business — capability formation, opportunity heat map, approved-tool adoption, Tool Gap Intelligence, software optimization, spend reallocation, bottom-up champion view — all sit on top of the same architectural floor.
Manager-side trust is the org-side parallel of the V·C·C architecture above. The same architecture that earns adoption from your people is the architecture that bounds what you see and configure as their manager.
What you see. Capability formation across your team. Opportunity maps showing where AI-leverage patterns are repeating. Approved-tool adoption. Pattern-level signal. Aggregate-only-with-cohort-gating: small teams stay opaque even to you. Never private prompts. Never individual rankings.
What you control. Five manager-side controls, paired structurally with the user-side six. All five are planned for GA, they require multi-tenant administration that ships at general availability. Until then, the substance is governed at the architecture level by the V·C·C commitments.
Asymmetry note. The user-side has six controls; the manager-side has five. The structural pairing is intentional; the count asymmetry is honest — there is no fabricated sixth manager-side control to force numerical parity.
M · 01 · Decide what your team uses
Approved / Restricted / Banned tools shape what Lucy coaches with — your tool policy is the floor, not a layer Lucy works around.
M · 02 · Pause AI pipelines at any level
Org-, team-, or role-level pause and disable, revocable at any time. Admins can override and intervene — Article 14 human oversight by architecture, not bolt-on.
M · 03 · Configure what Lucy can collect
Content types and retention windows are admin-settable; the user-side six is the per-person equivalent layered inside the org's bounds.
M · 04 · See team-level capability trends
Manager-aggregate-only with cohort-size gating; small teams stay opaque even at the aggregate level. The trust posture isn't a setting an admin can flip.
M · 05 · See what you've adjusted
Visibility into your own configuration choices over time — what tools, what retention, what pause states — so the team can ask informed questions and the manager can audit their own decisions.
See V·C·C for the architectural floor, the business executive dashboard for the company-level visibility surface, and the works-council section for the workforce-rep audit rights.
If you represent the workforce — a works council, a union, a Spanish comité de empresa — here's what Lucy commits to in writing.
The works-council audience is paired with the manager + employee anchors and rests on the V·C·C architecture above. The four commitments below cover audit rights, consultation rights, configuration co-determination, and structural deletion-on-departure. The DPA template and the Works-Council Material packet are available on request via the contact form.
The materials are sent on request to verified procurement / legal / works-council representatives.
Audit rights
Workforce representatives have contractual audit rights to confirm Lucy's architectural commitments are met in deployment — manager-aggregate-only enforcement, cohort-size gating thresholds, retention configuration, refusal-scene compliance.
Consultation rights on dashboard rollout
Before the Executive Dashboard surfaces are activated for your company, consultation with the workforce representative is a deployment prerequisite.
Configuration co-determination
Manager-side controls (especially tool policy and collection configuration) are subject to co-determination where the legal jurisdiction requires it (Spain, Germany, Austria, France, others).
Deletion-on-departure default
When an employee leaves, their personal Lucy profile (Personal Coaching Plan, retained Signal/Context observations, personal-scope agents) is structurally deleted by default. The 30-day exit window is architectural.
You didn't choose this — your company did. The most useful thing this section can do for you is name what Lucy actually sees, what it never sees, what your manager can and cannot see, and what you can refuse without anyone knowing.
The default is opt-in. The design is no-cost-to-you. The V·C·C architecture is the floor every commitment below rests on.
Lucy observes the Signal layer (which apps you're in, which patterns repeat) and the Context layer (subject of an email, name of a calendar event). Lucy does not access Content (the body of an email, the inside of a document) without you explicitly invoking a coaching action.
When Lucy spots an AI opportunity in your work, it surfaces it as an invitation. "Maybe later" or "no thanks" closes the invitation without escalating, logging a complaint to your manager, or affecting any visible ranking.
If your team is small enough that aggregate data would identify you (typically <10 people with cohort-size gating thresholds), the architecture refuses to surface that aggregate.
See V·C·C for the architectural detail behind each commitment, and the manager section for what your manager sees and can configure.
EU AI Act Article 13 transparency for the chat surface. Lucy coaches, the human builds, the agent executes — the same V·C·C agency model that governs the deployed product applies to this marketing-site chat.
Lucy is built on a third-party AI foundation-model provider. Lucy does not run its own foundation model; Lucy's intelligence comes from that provider's model, configured with a Lucy-specific system prompt and product guardrails. The specific provider may change over time as Lucy Labs evaluates alternatives.
The public privacy and trust pages disclose AI providers by category only — preserving Lucy Labs' ability to add or change providers without re-publishing. The specific provider identity is available to data subjects on GDPR Art. 15 request and to procurement counterparties via DPA. See the Privacy Policy §4.
Each chat turn:
Current state: this transit operates under the provider's consumer subscription terms, not an enterprise / business-tier API agreement with a signed Data Processing Agreement and zero-data-retention controls. Lucy Labs has committed to migrating to an enterprise-tier API with a DPA and zero-data-retention controls before end of Q3 2026. The full data-flow statement is in the Privacy Policy §5.
Article 14-style human oversight is structural via the V·C·C Control branch (the canonical framing from V·C·C above). For this marketing-site chat surface:
Lucy Labs does not train its own foundation model. The training data Lucy depends on is whatever the current AI foundation-model provider uses to train its model — the provider's public position on training data is the controlling reference; Lucy Labs makes no independent claim about it. Lucy Labs may, in the future, fine-tune a model on de-identified product-improvement data; if and when that happens, this section and the Privacy Policy will be updated and visitors notified.
This section satisfies the EU AI Act transparency obligations applicable to the marketing-site chat surface:
Third-party AI foundation-model provider (category disclosure)
Madrid → US inference path
V·C·C Control branch / Art. 14 human oversight
Enterprise-tier API + DPA + zero-data-retention
End of Q3 2026 working target.
Fine-tuning on de-identified product-improvement data
If pursued, visitors notified before activation.
Full data-flow statement in the Privacy Policy → · Request the DPA template →
Not as bolted-on policy, but as the architecture itself.
Article 4 (AI literacy) is not a one-time training requirement; it's continuous capability that must persist as the AI surface evolves. Lucy's coaching loop is structurally aligned with Article 4, it teaches the underlying patterns in real work on a continuous basis. Each new model generation strengthens the literacy moat instead of resetting the investment.
Article 14 (human oversight). Lucy's agency model is structurally aligned: Lucy coaches, the human builds, the agent executes. The five manager-side controls and the works-council co-determination posture instantiate Article 14 oversight at the org and workforce level.
GDPR + WP29 Opinion 2/2017. Customer = controller. Lucy Labs = processor for Signal + Context only; Content access requires human invocation. Monitoring is bounded by purpose limitation, transparency, and proportionality — Lucy's architecture is each.
Sovereignty. Lucy Labs is European-founded, Madrid-based, with a dual US (Delaware C-Corp parent) / Spain (operating subsidiary) structure. GDPR-native and EU-sovereign by construction.
GDPR alignment
WP29 Opinion 2/2017 alignment
EU AI Act Article 4 + 14 structural alignment
Works-council co-determination
DPA template (sent on request)
ENS HIGH (Spanish public-sector)
Q2 2027 working target.
ISO 27001
SOC 2 Type II
Request the DPA template and Works-Council Material packet → · EU AI Act treatment on /business →
Lucy's architectural posture maps to the four functions: Govern, Map, Measure, Manage.
Read-only by design, manager-aggregate-only with cohort-size gating, refusal-scene at the contract level. Article 14-style human oversight is structural via the V·C·C Control branch.
State-CISO posture documentation is sent on request through the contact form.
The procurement-shaped certifications (FedRAMP, TX-RAMP, StateRAMP, CJIS) are on the roadmap as planned for GA. Sovereign data-residency for the US is on the roadmap.
NIST AI RMF 1.0 — Govern · Map · Measure · Manage
State-CISO posture documentation (sent on request)
SOC 2 Type II
FedRAMP Moderate / High
TX-RAMP / StateRAMP
CJIS Compliance
US sovereign data residency
Request state-CISO posture documentation → · See the parallel EU treatment above →
Trust at the org level isn't compliance theater — it's how the AI investment actually lands. The same V·C·C architecture that earns adoption from your people clears procurement, IT, Legal, and the works council.
IT keeps the keys. Approved-tool policy is yours. Configuration is yours. Pause is yours. Lucy is the layer that runs inside your tool policy, not a layer that asks you to relax it.
Compliance is structural where it can be. The data-controller / data-processor split is explicit. EU AI Act Article 4 + 14 alignment is architectural. NIST AI RMF 1.0 alignment is architectural. The certifications that require external auditors (SOC 2 Type II, ISO 27001, ENS HIGH, FedRAMP family) are on the roadmap with stage-honest labels.
Exit is structural. A Lucy pilot or deployment ends cleanly: data is returned per the data-controller/processor split, individual-scope retention is deleted within 30 days, the workforce capability built during the engagement stays with the workforce.
Design-partner clean-exit terms → · How capability stays portable →
The scene. A prospective customer's representative, typically in Legal, HR, or executive office, asks during an evaluation conversation: "I want to know exactly how much time each employee spends on every task. I need visibility into who's productive and who isn't for staffing decisions." The question may come framed as compliance ("we need this for audit"), as performance ("we need to identify low performers"), or as security ("we need to know what people are typing into AI tools").
"No. Even if it costs us the deal."
The Terms of Service. Lucy's commercial Terms of Service contractually prohibit using Lucy for employee surveillance, individual ranking, or punitive disciplinary action. Aggregate cohort-gated patterns are visible to leadership; per-individual session content, prompts, or rankings are architecturally refused and contractually forbidden. Violation of the surveillance prohibition ends the customer relationship.
A policy can be relaxed under pressure; an architecture cannot. The cohort-size gating, the manager-aggregate-only commitment, the Signal/Context/Content boundary, all enforce the no-surveillance posture at the code level, before any Terms of Service language gets read.
