Privacy Policy
Last updated: May 2026. How Lucumo handles consulting enquiries, AI intake, shared reports, cookies, and operator access.
1. Who we are
Lucumo Limited ('Lucumo', 'we', 'us') is the data controller for personal data processed through Lucumo.ai, the public AI Systems Consulting enquiry flow, shared board-report links, and hidden operator access. Lucumo is registered in England and Wales.
If you have questions about this policy or your data, contact us at privacy@lucumo.com.
2. What we collect
Enquiry contact details: your name, email address, phone number if provided, role, company, company size, and AI adoption stage.
Enquiry content: your chat messages, the prepared brief you review, lead category, AI-generated enquiry summary, compact transcript, structured intake profile JSON, consent text, consent time, and submission metadata.
Consulting intake funnel telemetry: non-content stage events such as session start, visitor reply count and length band, review opened, field-completion booleans, consent checked, submit attempt, submit success, and safe error code. Raw funnel rows use a page-scoped pseudonymous ID and do not store chat text, contact values, IP address, user agent, cookies, browser storage identifiers, full referrers, or enquiry IDs.
Technical and security data: IP address, user agent, referrer, page path, rate-limit events, Turnstile verification status where configured, and server logs needed to operate and protect the site.
Shared board-report access data: share-link identifiers, passcode verification events, access cookies, IP address, user agent, and access times for private board-report links.
Operator account data: if you use hidden sign-in or an existing workspace, we process account, authentication, workspace, audit-log, billing, and support data needed to provide that access.
Cookie preference data: a small consent record storing whether you accepted analytics or functional cookies.
3. Why we use it
To respond to enquiries: we use your contact details, transcript, prepared brief, and AI summary to understand the situation and decide whether a scoping conversation makes sense.
To operate the AI enquiry chat: we send relevant chat content to our AI provider so the assistant can ask questions, summarise the enquiry, and prepare a reviewable brief.
To improve the enquiry flow: we use minimised consulting intake funnel telemetry to understand aggregate drop-off points, debug safe error states, and improve the review and submission experience without storing abandoned chat transcripts.
To operate and secure the site: we use technical data for rate limiting, abuse prevention, bot checks, troubleshooting, audit logs, and protection of shared board-report links.
To communicate with you: we may send service emails about your enquiry, a potential project, shared reports, security issues, or material changes to these terms or this policy.
To manage operator access and agreed work: where hidden operator accounts or paid project systems are used, we process the data needed to authenticate users, keep records, provide support, and manage billing where applicable.
4. Lawful bases
Consent: we ask for consent before storing and using a submitted consulting enquiry. You can withdraw consent by contacting privacy@lucumo.com, although we may still keep limited records where another lawful basis applies.
Legitimate interests: we use technical, security, minimised funnel telemetry, enquiry, and board-report access data to operate the site, respond to business enquiries, understand aggregate drop-off, protect against abuse, improve reliability, and keep appropriate business records.
Contract: where you use hidden operator access or enter a paid project, we process data needed to provide the agreed service and manage the relationship.
Legal obligation: we may process or keep data where required for legal, tax, accounting, security, or regulatory reasons.
5. AI processing
Lucumo uses OpenAI's API to process enquiry chat messages and produce assistant replies or enquiry summaries. We send only the content needed for that task.
OpenAI states that API inputs and outputs are not used to train or improve OpenAI models by default unless the API customer opts in. Lucumo does not opt in to model training or model-improvement data sharing.
OpenAI may retain API abuse-monitoring logs, which can include prompts, responses, and related metadata, for up to 30 days by default unless a different retention control applies or longer retention is required by law or safety needs.
The AI enquiry assistant does not make solely automated decisions with legal or similarly significant effects. A human decides how to respond to an enquiry and whether to offer a paid engagement.
6. Sub-processors
We use a limited set of service providers to operate Lucumo.ai and related systems.
OpenAI: AI inference, assistant replies, and enquiry summarisation.
Cloudflare Turnstile: bot and abuse prevention where configured.
Clerk: authentication for hidden operator sign-in and existing accounts.
Resend: enquiry and transactional email delivery.
Vercel and related hosting services: application hosting, edge delivery, object storage, consent-gated analytics, and performance telemetry.
Upstash: rate limiting and abuse prevention.
Managed PostgreSQL provider: persistent database storage.
Stripe: payment processing and billing only where a paid product or project payment flow is used.
These providers process data only as needed for their role and under contractual, security, or privacy commitments appropriate to the service.
We do not sell your personal data or share enquiry content with third parties for their own marketing.
8. Retention
Consulting enquiry records, transcripts, AI summaries, intake profiles, and consent metadata are kept for up to 24 months after our last contact with you, unless a project starts, a legal or accounting duty requires longer retention, or you ask us to delete the data sooner.
Raw consulting intake funnel telemetry is kept for up to 90 days, then deleted. Aggregate anonymous metrics derived from those rows may be retained indefinitely once the raw rows have been deleted.
If a paid project starts, project records are kept for the period set out in the proposal, statement of work, or applicable legal and accounting rules.
Shared board-report access logs and security logs are kept for as long as needed for access control, audit, and abuse prevention.
Operator account and workspace data are kept while the account or agreed service remains active. Account deletion requests are handled in line with the product controls available to that account and any legal retention duties.
Backup copies are purged on the normal backup lifecycle. Aggregated, anonymised metrics that do not identify a person may be retained indefinitely.
9. Security
We protect data using TLS in transit, encrypted storage provided by our infrastructure, authenticated route protection, rate limiting, bot checks, and access controls.
Lucumo personnel access enquiry or account data only where needed to respond to an enquiry, provide support, maintain the service, secure the system, or comply with law.
If we become aware of a personal data breach affecting your data, we will notify you without undue delay and, where required by law, notify the relevant authority within 72 hours.
10. Your rights
You can ask us to access, correct, delete, restrict, or export your personal data. You can also object to processing based on legitimate interests.
Where we rely on consent, you can withdraw that consent at any time by contacting privacy@lucumo.com. Withdrawal does not affect processing that happened before withdrawal.
The right to object: you have the right to object to processing based on legitimate interests, including processing used for non-essential analytics or business-record purposes. We will stop unless we have compelling legitimate grounds or need the data for legal claims.
If you are unsatisfied with our response, you can complain to the Information Commissioner's Office (ICO) in the United Kingdom or your local supervisory authority.
11. International transfers
Your data may be processed in countries outside the United Kingdom and European Economic Area by our service providers. Where this happens, we rely on appropriate safeguards such as adequacy regulations, standard contractual clauses, data processing terms, and provider security commitments.
12. Children
Lucumo.ai is for business users and is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a child has submitted data, contact us and we will take appropriate action.
13. Changes to this policy
We may update this policy from time to time as our public offer, service providers, or legal duties change. The version shown on this page is the current public version.