Privacy Policy

Last updated: August 2025

1. Who we are

WITHLUCA LTD ("Luca", "we", "us", "our") provides AI-powered invoice processing software.

• Registered address: 34 Drake Road, Harrow, England, HA2 9EA
• Data Protection Lead: Jack Ryder, Director, CEO & Co-Founder — hello@withluca.ai

Controller vs Processor

• We act as a data controller for: our website, user accounts, billing, support, marketing, product analytics, and vendor management.
• We act as a data processor for: invoice and related financial documents that our customers upload or connect to Luca. In that case, our customer is the data controller and we process data strictly on their documented instructions under our Data Processing Addendum (DPA).

2. What data we collect

2.1 Data you provide

• Account details (name, email, business information)
• Billing and payment information
• Content you upload or connect: invoices, receipts, statements, purchase orders, and metadata
• Support communications and in-product feedback

2.2 Data from connected services (only when you authorise)

If you connect third-party services (e.g., Gmail, Google Drive, Microsoft 365/Outlook/OneDrive), we store only invoice-related messages and attachments and metadata necessary to fetch invoices/receipts and related documents. We do not access unrelated mailbox content.

Google API Services / Limited Use. When you connect Google services, we comply with the Google API Services User Data Policy (Limited Use). Data obtained via Google APIs is used only to provide Luca's features, is not used to develop, improve, or train generalised AI/ML models, and is not sold or shared for advertising.

Microsoft services. When you connect Microsoft services (e.g., Microsoft Graph), we use the data only to provide Luca's features and do not use it to train generalised AI/ML models.

2.3 Data collected automatically

• Usage and diagnostics (feature interactions, performance, crash reports)
• Device/browser information, IP address, approximate location
• Cookies and similar technologies (see "Cookies")

3. How we use your data (purposes & lawful bases)

We process personal data on the following bases under UK GDPR:

• Contract: to create/manage your account, provide the Luca service, process documents, and deliver support.
• Legitimate interests: to keep services secure (fraud/abuse prevention, logging), understand aggregate product usage, and improve features. You can object at any time (email hello@withluca.ai or disable non-essential analytics in your settings/banner, where available).
• Legal obligation: to comply with tax, accounting, and regulatory duties; to respond to lawful requests.
• Consent: for marketing communications and any non-essential cookies/analytics. You may withdraw consent at any time.

We do not use your content to train generalised AI/ML models. When we use third-party model providers (e.g., OpenAI) via API, we do so under a DPA and with configurations that prevent training on our API data by default.

4. Product automations & human review

Luca uses machine learning to extract and classify information from documents and to suggest accounting mappings. These automations do not produce legal or similarly significant effects without human involvement. You can request human review of decisions that affect you.

5. Sharing your data (processors & recipients)

We use vetted service providers who act as subprocessors to help deliver Luca. They only process data under contract and on our instructions.

• Current list: We maintain a live list of our subprocessors, including purposes, data types, regions and transfer mechanisms, at https://withluca.ai/subprocessors.
• Advance notice: For customers under our DPA, we will provide advance notice (typically 30 days) before adding or replacing a subprocessor, giving you the opportunity to object as described in the DPA. The page includes a change log.

We may also share data with professional advisers and regulators where legally required, or with third parties in connection with a corporate transaction (e.g., merger), subject to confidentiality.

6. International transfers

We are UK-based and may process personal data outside the UK/EEA. Where transfers occur, we use appropriate safeguards such as the EU Standard Contractual Clauses with the UK Addendum/IDTA, plus transfer impact assessments and additional technical and organisational measures (e.g., encryption).

Vendor-specific notes:

• Datadog (logging/observability). Our organisation is hosted on Datadog US1. Operational logs/metrics sent to Datadog are processed in the United States. We have executed Datadog's DPA incorporating the SCCs with the UK Addendum/IDTA, and we apply data minimisation and field-level redaction before ingestion.
• OpenAI (model provider). We use OpenAI's API under a DPA. By default, OpenAI does not train on our API data. Where configured, we route traffic through an EU-region Project (in-region processing with zero data retention); otherwise, SCCs with the UK Addendum/IDTA apply.
• Other subprocessors, their purposes and locations are listed at /subprocessors.

7. Security & data minimisation

We employ industry-standard safeguards, including:

• Encryption in transit and at rest
• Role-based access control and least-privilege
• Multi-factor authentication for privileged access
• Audit logging and monitoring
• Vulnerability management and periodic penetration testing
• Documented incident response (including notifying controllers/supervisory authorities within 72 hours where legally required)

Minimisation & redaction. We design our systems to limit personal data in operational telemetry. Before sending logs/metrics to observability tools (e.g., Datadog), we apply server-side scrubbing/redaction to remove common identifiers (e.g., names, emails, document contents, payment references) and we discourage sending document bodies or other unnecessary personal data to logging pipelines.

8. Data retention

We retain personal data only for as long as necessary for the purposes collected or as required by law. Typical periods (unless your organisation instructs otherwise):

• Account & billing records: life of account + 1 year
• Invoice & document content processed via Luca (processor role): controller-configurable; default 2 years
• Support tickets: 24 months after closure
• Application logs: 30 days (operations); security/access logs: up to 90 days

We may retain minimal information to comply with legal obligations or to resolve disputes.

9. Your rights

Subject to applicable law, you have the right to access, rectify, erase, restrict processing, object to processing, data portability, and not to be subject to solely automated decisions with legal or similarly significant effects.

• If we process your data on behalf of a customer (processor role), we will forward your request to the relevant controller.
• To exercise your rights, contact hello@withluca.ai. We respond within one month.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) or your local authority. ICO: https://ico.org.uk — Tel: 0303 123 1113.

10. Cookies

We use strictly necessary cookies to operate Luca. We use analytics/marketing cookies only with your consent. See our Cookie Policy and banner for details and to manage preferences.

11. Children's privacy

Luca is not intended for individuals under 18. We do not knowingly collect personal data from children.

12. Changes to this policy

We may update this policy from time to time. We will post updates here and revise the "Last updated" date. For material changes, we will provide additional notice (e.g., in-app or email). Where changes relate to subprocessors, we will update https://withluca.ai/subprocessors and, for customers under our DPA, provide advance notice as described above.

13. Contact

Questions or requests about this policy:
WITHLUCA LTD
Email: hello@withluca.ai
Data Protection Lead: Jack Ryder

Annex A — Additional disclosures for connected services

• We request the minimum necessary scopes to fetch invoices/receipts and related documents from connected services.
• We do not read, store, or process unrelated mailbox content.
• You can disconnect integrations and revoke permissions at any time in Luca or via the third-party provider's security settings.

Annex B — OpenAI usage

• We have signed OpenAI's Data Processing Addendum.
• API requests are configured so that your prompts/outputs are not used to train OpenAI models by default.