Privacy Policy

Last updated 25 June 2026 · Version 1.0.0

Draft for review. This is a strong pre-launch draft and must be reviewed by a qualified solicitor before it is relied upon for paying customers. It is published for transparency, not as final legal advice. Items marked [PLACEHOLDER] are still to be completed.

This policy explains, in plain English, what personal data Luceria collects, why we collect it, who we share it with, how long we keep it, and the rights you have over your data. It is written so that a 16-year-old can understand it.

Luceria is an AI workflow coach for UK students and recent graduates. We have tried to collect as little data as possible, to keep your data in the EU wherever we can, and to give you simple tools to export or delete it yourself.

If you only read one thing: we do not sell your personal data, we do not show you ads, we do not use cross-site trackers, and you can export or delete your account yourself from Settings at any time.

1. Who we are (data controller) and how to contact us

Luceria is the data controller for the personal data described in this policy. That means we decide what data is collected and why, and we are legally responsible for it under UK and EU data-protection law.

Controller details

| Field | Detail |
| --- | --- |
| Trading name | Luceria |
| Legal entity name | [PLACEHOLDER — Sully to complete: registered company / sole-trader legal name] |
| Company number | [PLACEHOLDER — Sully to complete: Companies House registration number, if registered] |
| Registered office | [PLACEHOLDER — Sully to complete: registered office / business address] |
| Privacy contact email | privacy@luceria.app [PLACEHOLDER — Sully to complete: confirm this inbox is monitored] |
| General support email | support@luceria.co.uk [PLACEHOLDER — Sully to complete: confirm this inbox is monitored] |
| Data Protection Officer (DPO) | [PLACEHOLDER — Sully to complete: name/contact of DPO, or state "we are not legally required to appoint a DPO and have not appointed one"] |
| EU representative (Art 27 EU GDPR) | [PLACEHOLDER — Sully to complete: EU representative details if we offer the service to EU residents, or confirm not required] |
| UK representative | [PLACEHOLDER — Sully to complete: only relevant if the controller is established outside the UK] |

If anything in this policy is unclear, email privacy@luceria.app and we will explain it.

2. Raising a data-protection complaint (your right to complain to us first)

Under the Data (Use and Access) Act 2025 (DUAA) — and reflecting the data-protection complaints duty that comes into force on 19 June 2026 — you have the right to complain directly to us about how we handle your personal data, and we have a duty to deal with that complaint properly.

This is a separate route from ordinary product support. Use it specifically for privacy and data-protection concerns (for example: you think we have your data wrong, kept it too long, shared it when we shouldn't have, or didn't honour one of your rights).

How to make a data-protection complaint

  • By email: privacy@luceria.app with the subject line "Data protection complaint".
  • In the app: Settings → Privacy → "Raise a data-protection complaint" [PLACEHOLDER — Sully to complete: confirm the exact in-app/account form path once built; if not yet built, mark as coming and use email in the meantime].

What we promise

  • We will acknowledge your complaint within 30 days of receiving it.
  • We will give your complaint a reference so its status can be tracked.
  • We will investigate and respond without undue delay, and tell you the outcome and what (if anything) we have done.

Complaining to us first does not remove your right to complain to the Information Commissioner's Office (ICO) or your local data-protection authority — see [Complaints to a regulator](#regulator-complaints).

3. What data we collect, why, our legal basis, and how long we keep it

Below is a full inventory of the data categories Luceria handles. For each one we set out the purpose, the UK GDPR Article 6 legal basis, and the retention period. Where the legal basis is legitimate interests, we have considered a balancing test to make sure our interests don't override your rights — see the note under the table.

Retention periods marked [PLACEHOLDER] must be set to concrete values before launch.

| # | Data category | What it includes | Purpose | Art 6 legal basis | Retention |
| --- | --- | --- | --- | --- | --- |
| 1 | Account / identity | Email, full name, optional country, password hash (via Supabase Auth — we never see your plaintext password) | Create and secure your account; sign you in; send essential service messages | Contract (Art 6(1)(b)) | While your account is active; deleted on account deletion. [PLACEHOLDER — Sully to complete: concrete period] |
| 2 | Onboarding profile | Stage, year level, field, goals, sector, blockers, situation, time commitment | Personalise the tone/level of AI help and tailor the product to you | Contract (Art 6(1)(b)) | While active; editable/clearable anytime; deleted on account deletion. [PLACEHOLDER] |
| 3 | User content | CV documents, cover letters/artefacts, workflows + applications/tracker + tasks, Luceria Link posts/comments/reactions/bookmarks/profile, post-rejection reflections, AI Coach / chat history (chat is largely client-side with transient server processing) | Provide the core product features you ask for and store your work | Contract (Art 6(1)(b)) | While active; deleted on account deletion (Link posts/comments are hard-deleted). [PLACEHOLDER] |
| 4 | Scam / risk-check inputs | Text you paste into the scam/risk checker (e.g. a recruiter message or job advert) — stored in the risk_checks table | Run the requested risk assessment and let you revisit past checks | Contract for signed-in checks (Art 6(1)(b)); legitimate interests for the public checker and abuse-prevention (Art 6(1)(f)) | [PLACEHOLDER — Sully to complete: concrete period; consider a short window for public/anonymous checks] |
| 5 | Fit / suitability-check inputs | The details you submit to the Fit/Risk (suitability) check | Produce the suitability assessment you requested | Contract (Art 6(1)(b)) | While active; deleted on account deletion. [PLACEHOLDER] |
| 6 | Usage metering | usage_counters / user_usage — token counts and estimated cost only (no content) | Enforce fair-use and tier limits; bill accurately | Contract (Art 6(1)(b)); legal obligation for billing records (Art 6(1)(c)) | [PLACEHOLDER — Sully to complete: align with statutory accounting retention] |
| 7 | Product events | events table — metadata only, flat primitives, no free text / no content | Operate, debug and improve the product; security and abuse detection | Legitimate interests (Art 6(1)(f)) | [PLACEHOLDER — Sully to complete: concrete period] |
| 8 | Payment metadata (Stripe) | Subscription/transaction metadata via Stripe. Luceria never stores full card numbers. GBP only | Take payment, manage your subscription, prevent payment fraud | Contract (Art 6(1)(b)); legal obligation for tax/accounting (Art 6(1)(c)) | Invoice/tax records retained for the statutory accounting period [PLACEHOLDER — Sully to complete: e.g. 6 years]; see [Deletion vs retention](#deletion-retention) |
| 9 | Analytics telemetry (Vercel Analytics) | Privacy-conscious page/visit and an allowlist of non-PII events only — no CV text, names, emails, free text, or job descriptions | Understand usage at an aggregate level to improve the product | Legitimate interests (Art 6(1)(f)) | [PLACEHOLDER — Sully to complete: confirm Vercel Analytics retention window] |
| 10 | Technical / IP (Upstash) | IP address / identifier held transiently by Upstash Redis to rate-limit abuse (especially the public scam checker) | Protect the service from abuse and overload | Legitimate interests (Art 6(1)(f)) | Transient — held only as long as needed for rate-limiting (short-lived). [PLACEHOLDER — Sully to complete: confirm exact window] |
| 11 | Email delivery (Resend) | Email address + message metadata for transactional email (today: account verification + welcome only) | Send essential account emails | Contract (Art 6(1)(b)) | [PLACEHOLDER — Sully to complete: Resend log retention] |
| 12 | Luceria Lens extension data | Your Luceria sign-in session and minimal local settings (Pro Plus extension); on-page job text is sent to Luceria's backend to generate suggestions but is not stored/logged | Provide on-page CV tailoring + scam-checked cover letters | Contract (Art 6(1)(b)) | Session/settings stored locally in your browser; job text not retained server-side. [PLACEHOLDER] |
| 13 | Consent record | (migration 0017) accepted versions of terms/privacy/cookie/AUP, consent timestamp/IP/user-agent, marketing opt-in, age-16 confirmation, date of birth, country | Prove which terms you agreed to and when; honour age and marketing settings | Legal obligation / legitimate interests (Art 6(1)(c)/(f)) — keeping proof of consent | Kept as long as needed to evidence consent + a reasonable period after account closure. [PLACEHOLDER — Sully to complete: concrete period] |

Note on legitimate interests. Where we rely on legitimate interests (rows 4, 7, 9, 10, 13), we have weighed our interest (running a safe, working, improvable service and preventing abuse) against your rights and freedoms, and we use the least intrusive data possible (for example, analytics carry no content and rate-limiting data is transient). You can object to legitimate-interests processing — see [Your rights](#your-rights). [PLACEHOLDER — Sully to complete: keep a written Legitimate Interests Assessment (LIA) on file for each.]

4. Sensitive data (special-category and criminal-offence data)

Some of the things you can type or upload into Luceria are free text — for example a CV, a cover letter, a reflection, a Coach message, or text pasted into the scam checker. Free text can incidentally contain sensitive information.

Special-category data (UK/EU GDPR Article 9) includes data revealing your health, race or ethnicity, religion or beliefs, political opinions, trade-union membership, sex life or sexual orientation, and genetic/biometric data. Criminal-offence data (Article 10) includes information about offences, allegations, or related proceedings.

Luceria does not ask you for sensitive data and is not designed to collect it. To protect yourself:

  • Please do not upload sensitive personal data you don't need to. A good CV or application rarely needs your health history, religion, political views, or details of any criminal record.

Where you voluntarily include such information, Luceria processes it only so far as necessary to provide the specific service you asked for (for example, generating help from the CV you chose to upload). We do not seek it out, profile you on it, or use it for any other purpose.

Before launch, the precise Article 9 / Article 10 lawful condition (and any associated appropriate-policy document under the Data Protection Act 2018) must be confirmed. [PLACEHOLDER — Sully to complete: confirm the Art 9 condition (e.g. explicit consent / manifestly made public) and Art 10 basis, and put an appropriate-policy document in place.]

Nothing in this section gives Luceria a broad right to process sensitive data — it does not. If you would like sensitive content removed, contact privacy@luceria.app or delete it yourself in the app.

5. How AI processing works

Several Luceria features use AI to help you (CV Studio, AI Coach, Mock Interview, Interview Prep, the scam/risk checker, the Fit/suitability check, and Luceria Lens).

  • Where the AI runs. When you use an AI feature, the relevant content is transmitted server-side only to Anthropic (Claude). Anthropic acts as our processor — it processes the data on our instructions to return a result. The Anthropic API is never called from your browser.
  • Training. According to Anthropic's current commercial/API terms, inputs and outputs are not used to train Anthropic's models. We will re-check this before launch and update this policy if the terms change. [PLACEHOLDER — Sully to complete: re-verify Anthropic commercial/API terms at launch.]
  • Assistive only. Luceria's AI is assistive. It helps you draft, prepare, and assess — it does not make decisions about you. There is no solely-automated decision producing legal or similarly significant effects about you (UK GDPR Article 22). A human (you) stays in control of what you do with the output.
  • Your judgement matters. AI can be wrong. Always review AI output before relying on it, and don't paste anything into Luceria you're not comfortable sending to a third-party AI provider under the terms above.

The transfer of data to Anthropic (US) is covered in [International transfers](#international-transfers).

6. Who we share data with (sub-processors)

We use a small number of trusted service providers (sub-processors) to run Luceria. They process data on our behalf under contract, only for the purposes below. We do not sell your personal data and we do not share it for cross-context advertising.

| Sub-processor | Purpose | Data shared | Region | Transfer safeguard |
| --- | --- | --- | --- | --- |
| Anthropic | AI inference (Claude) | The content you submit to an AI feature (e.g. CV text, prompts, scam-check text) | United States | [PLACEHOLDER — Sully to complete: transfer safeguard — UK IDTA / EU SCCs / adequacy / Anthropic DPA] |
| Supabase | Database + authentication | Account, profile, content, risk checks, documents (object storage) | EU | Data hosted in EU (primary residency) |
| Stripe | Payments | Payment/subscription metadata (no full card numbers) | [PLACEHOLDER — Sully to complete: confirm processing region] | [PLACEHOLDER — Sully to complete: Stripe DPA + SCCs/IDTA where applicable] |
| Vercel | Hosting + Vercel Analytics | Requests served; privacy-conscious non-PII analytics events | EU (Frankfurt) | EU hosting; [PLACEHOLDER — Sully to complete: confirm safeguard for any out-of-region processing] |
| Upstash | Rate-limiting (Redis) | IP address / identifier, transiently | [PLACEHOLDER — Sully to complete: confirm region] | [PLACEHOLDER — Sully to complete: safeguard if outside UK/EU] |
| Resend | Transactional email | Email address + message metadata | [PLACEHOLDER — Sully to complete: confirm region] | [PLACEHOLDER — Sully to complete: safeguard if outside UK/EU] |

Not currently active (listed for transparency; not used to process your data today):

| Service | Intended future purpose | Status |
| --- | --- | --- |
| PostHog | Analytics (EU) | NOT ACTIVE — only an unused configuration placeholder exists. Not used today. |
| Unipile | Email import for a future Pro Plus feature | NOT ACTIVE — forward-looking only; not used today. |

We may also disclose data where we are legally required to (for example, a valid court order), or to protect the rights, safety, and security of our users and the service. [PLACEHOLDER — Sully to complete: keep an up-to-date sub-processor list and notify users of material changes.]

7. International transfers and data residency

Primary residency is the EU. Your core data (account, profile, content, risk checks, uploaded documents) is stored with Supabase (EU) and served via Vercel (Frankfurt/EU).

Transfers outside the UK/EU. The main transfer is to Anthropic in the United States for AI inference. Where we transfer personal data outside the UK or EEA, we rely on an appropriate safeguard so your data keeps an equivalent level of protection.

  • Anthropic (US): [PLACEHOLDER — Sully to complete: transfer safeguard — UK International Data Transfer Agreement (IDTA) / UK Addendum to the EU SCCs / EU Standard Contractual Clauses / any applicable adequacy or Data Privacy Framework reliance.]
  • Other providers processing outside the UK/EEA: covered by the safeguards listed in the [sub-processor table](#sub-processors).

You can ask us for more detail about the safeguards in place by emailing privacy@luceria.app.

8. Your rights and how to use them

Under UK GDPR (and EU GDPR where it applies to you), you have the following rights over your personal data. We will respond to a valid request within one month (extendable by up to two further months for complex requests — we'll tell you if so).

| Right | What it means | How to use it |
| --- | --- | --- |
| Access | Get a copy of your data | Export a JSON copy yourself: Settings → Export (GET /api/account/export). See the honesty note below on current coverage. |
| Rectification | Correct data that's wrong | Edit your profile, workflows, documents, and Link content directly in the app; or email privacy@luceria.app |
| Erasure | Delete your data ("right to be forgotten") | Delete your account yourself: Settings → Delete account (POST /api/account/delete, typed "DELETE" confirmation). See [Deletion vs retention](#deletion-retention) |
| Restriction | Pause our use of your data in certain cases | Email privacy@luceria.app |
| Portability | Get your data in a portable, machine-readable format | Use the JSON export above |
| Objection | Object to processing based on legitimate interests | Email privacy@luceria.app — we'll stop unless we have compelling legitimate grounds |
| Withdraw consent | Withdraw consent you gave (e.g. marketing, cookies) | Change settings in-app (e.g. marketing opt-in) or email us; withdrawing doesn't affect processing before withdrawal |
| Rights re automated processing | Not be subject to solely-automated significant decisions | We don't make such decisions (see [AI processing](#ai-processing)); contact us with any concern |

Honest note on the export. Today the JSON export includes your profile, workflows, tasks, artefacts, documents (via signed URLs), risk checks, and usage counters. It does not yet include Luceria Link content, reflections, or product-events. We are widening the export to cover these; in the meantime you can request any missing categories by emailing privacy@luceria.app and we will provide them.

Identity verification. To protect you, we verify your identity before acting on a rights request — especially requests made by email or any out-of-band route — so your data is never sent to, or deleted by, the wrong person. In-app actions (export/delete) are already authenticated by your sign-in. For email requests we may ask you to confirm details or act from your registered email. [PLACEHOLDER — Sully to complete: confirm the email/out-of-band DSAR verification steps once that route is built; one is not yet in place.]

Using your rights is free in most cases, and we won't penalise you for it.

9. Account deletion vs. data retention

You can delete your account at any time from Settings → Delete account (you type "DELETE" to confirm). This triggers an immediate cascade that removes your data across roughly 19 tables.

Deleted immediately on account deletion:

  • Your authentication record, profile, and onboarding data.
  • Your content: workflows, applications/tracker, tasks, artefacts, CV documents, cover letters, risk checks, fit checks, reflections, and Coach/chat history.
  • Luceria Link posts and comments — hard-deleted (not just hidden).
  • Usage counters tied to your account.

Retained for a limited time or for legal reasons:

  • Backups: copies of data may persist temporarily in encrypted backups until those backups rotate out on their normal cycle. [PLACEHOLDER — Sully to complete: backup retention/rotation window.]
  • Payment, invoice, and tax records: retained for the statutory accounting period we are legally required to keep them. [PLACEHOLDER — Sully to complete: e.g. 6 years under UK tax law.]
  • Legal / security / fraud-prevention records: a minimal set of records may be retained where needed to comply with the law, resolve disputes, or prevent abuse/fraud. [PLACEHOLDER — Sully to complete: categories + concrete periods.]
  • Consent record: kept as needed to evidence the terms you agreed to. [PLACEHOLDER]

For users under 18. If you are under 18 and want your public Luceria Link posts or profile removed quickly, you don't have to delete your whole account — email privacy@luceria.app (subject "Under-18 removal") or use the in-app delete/report tools, and we will prioritise the request and remove the public content promptly. [PLACEHOLDER — Sully to complete: confirm the under-18 fast-track handling process and any dedicated in-app control.]

10. Staff and admin access to your data

Access to your data by Luceria staff is limited to what is necessary and controlled.

  • Staff may access account or content data only where genuinely needed — for example to provide support you asked for, investigate a safety report, debug a fault, or meet a legal obligation.
  • Access is role-based and restricted; not everyone can see everything.
  • Database access uses Postgres Row-Level Security, and administrative access is limited.
  • Administrative access is intended to be logged and treated as confidential. [PLACEHOLDER — Sully to complete: confirm admin-access logging/audit and internal confidentiality policy.]

We do not read your private workflows, documents, or messages for product development without a lawful basis and, where required, your consent.

11. Children and younger users (16+)

In short, for younger users: Luceria is for ages 16 and over. We try to collect as little about you as possible, we keep your privacy settings switched to high by default, we do not profile you or send you targeted marketing, and we ask you not to upload sensitive information you don't need to. You can export or delete your data yourself in Settings, and if you're under 18 we'll remove public posts especially quickly.

Because many of our users are 16–18 school-leavers, we treat children's-data obligations (including the ICO Children's Code / Age Appropriate Design Code) as applying throughout the product:

  • High-privacy defaults for under-18s.
  • No profiling and no targeted marketing to minors without a documented assessment showing it's in their interests. [PLACEHOLDER — Sully to complete: keep that assessment on file if ever considered.]
  • Proportionate age assurance — we ask you to confirm you are 16+ and record your date of birth as part of consent (migration 0017). [PLACEHOLDER — Sully to complete: confirm the age-assurance approach is proportionate to the risks.]
  • A clear warning not to upload sensitive data (see [Sensitive data](#special-category-data)).
  • Data minimisation — we only collect what the feature needs.

EU users. The minimum digital-consent age varies by EU country (13–16). Before any active EU marketing or EU-targeted processing that relies on a child's consent, the relevant per-country age must be checked. [PLACEHOLDER — Sully to complete: confirm EU per-country digital-consent ages before active EU marketing.]

12. Voluntary California / US privacy disclosure

We have not confirmed whether Luceria meets the thresholds that make the California Consumer Privacy Act (CCPA), as amended by the CPRA, legally apply to us. [PLACEHOLDER — Sully to complete: assess CCPA/CPRA applicability and other US state-law thresholds.]

We provide the following voluntarily in a California-style format for transparency. This does not mean we are admitting we are covered by, or subject to, the CCPA/CPRA or any other US state privacy law.

  • Categories we collect: identifiers (email, name); account/profile information; user content you create; commercial information (subscription/payment metadata via Stripe); internet/network activity (privacy-conscious analytics, transient IP for rate-limiting); and inferences only insofar as needed to tailor help. See [What data we collect](#data-we-collect) for detail.
  • Categories we "disclose": we share data with the service providers listed in the [sub-processor table](#sub-processors), strictly to run the service.
  • Sale / sharing: we do not sell your personal information, and we do not "share" it for cross-context behavioural advertising (as those terms are used under California law).
  • Sensitive personal information: we do not seek it; see [Sensitive data](#special-category-data).
  • Your choices: Californians (and other users) can access, delete, and correct their data using the in-app Settings tools or by emailing privacy@luceria.app, and we will not discriminate against you for exercising these choices.

13. Cookies and similar technologies

We use only a small set of cookies and similar technologies — mainly strictly-necessary ones for signing in and security, plus privacy-conscious analytics. We do not use Google Analytics, advertising cookies, cross-site trackers, fingerprinting, tracking pixels, link decoration, or tag managers.

For the full list (including sb-* auth/session cookies, the luc_prc scam-check quota cookie, functional luceria:* device-local storage, Vercel Analytics, and Stripe-set cookies on checkout pages), please see our separate [Cookie Policy](/cookies), which also covers how PECR (the UK cookie rules) applies and how you can manage your choices.

14. How we protect your data

We take proportionate steps to keep your data secure, including:

  • Encryption in transit (TLS) between you, Luceria, and our providers.
  • Postgres Row-Level Security on user tables, so data rows are scoped to your user ID.
  • Role-based, limited administrative access.
  • EU hosting for primary data.
  • No storage of full card numbers (payments handled by Stripe).
  • Rate-limiting (Upstash) to protect against abuse, especially the public scam checker.

No system can be guaranteed 100% secure, but we work to protect your data and to keep these measures under review. [PLACEHOLDER — Sully to complete: keep internal security measures documented and reviewed; avoid publishing exploitable detail.]

15. Data breaches

If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, where we are required to do so.

If the breach is likely to result in a high risk to you, we will also notify you without undue delay and tell you what happened, what we're doing about it, and what you can do to protect yourself.

16. Complaints to a regulator

We'd like the chance to put things right, so please [complain to us first](#complaints-route). But you always have the right to complain to a data-protection regulator.

In the UK — the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • [PLACEHOLDER — Sully to complete: ICO helpline number and postal address, e.g. Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF — verify current details.]

In the EU/EEA: you may complain to your local data-protection authority (DPA). [PLACEHOLDER — Sully to complete: confirm whether to list a lead EU DPA / EU representative contact.]

17. Changes to this policy, version, and last updated

We'll update this policy when something material changes, and we'll update the version and last-updated date shown at the top (both are wired from our single source of truth, lib/legal/versions.ts, so we don't hardcode them).

  • Version: [rendered from versions.ts]
  • Last updated: [rendered from versions.ts]

If a change meaningfully affects how we handle your data, we'll tell you — for example by email or an in-app notice — and, where appropriate, ask you to re-accept the updated terms. This document is a strong pre-launch draft pending review by a qualified solicitor before it is relied upon.
