The Intelligent Reading Specialist
Privacy Policy
At LUCA ("LUCA," "we," "us," or "our"), we are committed to protecting the privacy and security of personal information of our users ("Users," "you," or "your"). This Privacy Policy ("Policy") describes how we collect, use, disclose, and protect personal information through our websites, the LUCA Reading Platform, and related products and services (collectively, the "Services").
This Policy is intended to be read together with our Terms of Service, which govern your use of the Services. By accessing or using the Services, you acknowledge that you have read and understood this Policy and our Terms of Service.
If you have questions about this Policy, please contact us at privacy@luca.ai or at the address in the "Contact Us" section below.
1. Information We Collect
We collect the following categories of personal information.
Personally Identifiable Information (PII). First and last name, school or district name, postal address, city or state, telephone number, email address, grade or ID number assigned by your school or district, username, and account password. We collect PII when you register for an account, contact us for support, validate an ID number, send us feedback, or otherwise interact directly with us.
Technical and Usage Information. We and our third-party partners automatically collect certain usage information when you use the Services or our websites. This may include IP address, browser type and version, internet service provider, device type, operating system, date and time stamps, unique identifiers associated with your browser, device, or account, the pages you view, links you click, frequency of access, interactions with emails, and other activity. We collect this through cookies and similar technologies, the use of which is governed by our cookie consent banner and the inventory at /cookies (see "Cookies and Tracking Technologies" below).
Reading Information. Books or passages read, the number of items completed, your responses to tasks, and information related to reading progress.
Voice and Audio Data. Audio or speech recordings captured during reading sessions to detect which phonemes and words present challenges, using artificial intelligence and automatic speech recognition technology. Voice and audio data are governed by Section 5 ("Voice and Audio Data") below.
Information from Others. Schools may provide us with student demographic or roster data to set up accounts and measure reading improvement. A parent or legal guardian may provide information about a child when registering an account for that child. Authorized third-party integrations such as student information systems, single sign-on providers (e.g., Google Workspace for Education, Clever, ClassLink), and roster sync services may transmit information to us as authorized by the school or family.
Marketing Website Visitors. When you visit our marketing website (luca.ai and related domains) without creating an account, we collect IP address, device and browser information, pages viewed, time on page, referring URL, and any UTM parameters present in the URL. If you submit a contact, demo, or download form, we collect the information you provide and associate it with the technical and attribution data described above.
Other Voluntarily Provided Information. Responses to surveys, support requests, or other communications you choose to send us.
2. How We Use Your Information
We use information for the following purposes. The legal basis for each is provided in brackets where applicable to residents of jurisdictions with formal lawful-basis requirements.
- To provide, operate, and support the Services, including creating and managing accounts, authenticating users, delivering reading activities, reporting progress, and providing support. [Performance of contract]
- To personalize and improve the Services, including through artificial intelligence, machine learning, analytics, and research, so content, pacing, and feedback are tailored to each User's needs. [Performance of contract; legitimate interests in product improvement]
- To administer and manage accounts, including resetting passwords, responding to questions, and contacting you about your account or service issues. [Performance of contract]
- To communicate with you about your account, updates to the Services, changes to our terms or policies, and other administrative messages. [Legal obligation; performance of contract]
- To send marketing communications about LUCA products and services to adult users such as parents, legal guardians, and educators. You may opt out of these communications at any time by following the unsubscribe instructions in the communication or by contacting us. LUCA does not send marketing communications directly to child users. [Consent]
- To monitor, analyze, and understand usage and performance of the Services, including generating statistics and analytics regarding user engagement and learning outcomes. [Legitimate interests; consent for non-essential analytics cookies]
- To maintain the safety, security, and integrity of the Services, including detecting, preventing, and responding to fraud, security incidents, and misuse. [Legitimate interests; legal obligation]
- To comply with applicable laws, regulations, legal processes, and law enforcement requests, and to protect the rights, property, and safety of LUCA, our users, and others. [Legal obligation]
- To deliver targeted advertising to adult website visitors (parents, educators, administrators) on third-party platforms such as Meta, LinkedIn, Google Ads, and TikTok, when you have consented via our cookie banner or applicable opt-in. We do not use student data, child user information, or any data collected from a logged-in student session for advertising. [Consent]
For Student Data and information collected from child Users under 13, LUCA uses personal information only to provide, maintain, and improve the educational Services requested by the school or parent or legal guardian, to support security and legal compliance, and for internal analytics. LUCA does not use Student Data or child User information to advertise or market to students or their families and does not allow third parties to do so.
3. Cookies and Tracking Technologies
Our Services use cookies, pixels, local storage, and similar technologies ("cookies") to operate the Services, remember your preferences, understand usage, and (with your consent) deliver advertising.
Categories. We classify cookies into three categories:
- Strictly Necessary. Required for the Services to function (for example, session cookies that authenticate logged-in users and keep your form data while you complete a submission). These cannot be disabled and do not require consent under applicable law.
- Analytics. Help us understand how visitors use our Services so we can improve them. These include first-party analytics and providers such as Google Analytics 4 and Microsoft Clarity. Set only with your consent.
- Marketing. Enable us and our advertising partners to deliver relevant advertising on third-party platforms. These include Meta Pixel, LinkedIn Insight Tag, Google Ads conversion tracking, and TikTok Pixel. Set only with your consent.
Managing your preferences. You can review every cookie our Services use, with name, purpose, provider, category, and lifetime, on our Cookie Inventory page at /cookies. You can grant or withdraw consent at any time via the Cookie Settings link in the footer of every page on our marketing website. Your preferences are stored in your browser's local storage and remain in effect for twelve (12) months or until you change them, whichever comes first.
Global Privacy Control. We honor browser-level Global Privacy Control (GPC) signals as required by the laws of California, Colorado, and Connecticut. If your browser sends a GPC signal, we automatically treat it as a request to opt out of analytics and marketing cookies and the sale or sharing of personal information.
4. De-identified and Aggregate Data; Research and Efficacy Reporting
We may use and share de-identified or aggregate information for any lawful purpose, including to improve the Services, conduct research, and demonstrate the effectiveness of the Services. De-identified or aggregate information is information that does not reasonably identify an individual student, parent, legal guardian, family, or school.
Examples include overall reading growth statistics, accuracy rates, and usage metrics across groups of Users. We may use this information in reports, case studies, marketing materials, and presentations to schools and the public.
If we share de-identified or aggregate information with research partners or similar organizations, we require those organizations by contract not to attempt to re-identify the information and to use it only for the agreed research or evaluation purposes.
5. Voice and Audio Data
Voice and audio data are among the most sensitive information we process and are subject to specific protections.
What we collect. During reading sessions, our Services capture audio recordings of the User reading aloud. From these recordings, our automatic speech recognition (ASR) systems derive phoneme-level features used to assess reading mastery and provide individualized feedback.
Where it is processed. Voice and audio data are processed and stored on Microsoft Azure servers in the United States (East US region). Voice data does not leave the United States.
Retention.
- While the User account is active, voice and audio data (both raw audio and derived features) are retained to support the User's progress tracking and the delivery of personalized instruction.
- After account termination, voice and audio data are de-identified within ninety (90) days, after which the data can no longer be linked to an individual User.
- A parent, legal guardian, or school may request earlier deletion at any time by contacting privacy@luca.ai. Requests are honored within thirty (30) days, subject to legal retention obligations.
Use for model improvement. LUCA does not currently use voice or audio data to train or improve our speech recognition models. Voice and audio data are used only to provide reading instruction to the User from whom they were collected.
If we add the ability to use anonymized voice samples for model improvement in the future, we will obtain separate, granular opt-in consent from the parent, legal guardian, or school before doing so, and we will update this Privacy Policy in advance to describe the consent flow. Any such future consent would be:
- Optional. Not required to use the Services.
- Separate. Requested in addition to, not bundled with, consent to use LUCA. For school accounts, the school's authorization would govern and a separate opt-in would be captured at the LEA level via the Student Data Privacy Agreement.
- Recorded. Tied to the parent's or guardian's account with the date, the policy version in effect at the time, and the consent method.
- Withdrawable. Withdrawable at any time by contacting privacy@luca.ai. Withdrawal applies to future use; samples already incorporated into trained models could not be selectively removed but would not influence future training.
- Anonymized. Voice samples used for model improvement would be stripped of identifiers before incorporation into training datasets.
Biometric notice. Voice recordings may be considered biometric information under applicable state laws (e.g., Illinois BIPA, Texas CUBI, Washington biometric laws). LUCA does not use voice data for biometric identification or authentication. We retain voice data only as described in this section.
6. How We Share Your Information
We do not sell User PII or other personal information for monetary value. We disclose personal information only as follows:
- Service providers / sub-processors. We share information with the trusted vendors listed in Section 7 ("Sub-processors"). They are bound by written contracts that limit use of the information to providing services to LUCA.
- Other users associated with an account. Where appropriate to support educational use of the Services, we may share information with a parent, legal guardian, teacher, school administrator, or other authorized school representative.
- Schools and districts. For school and district implementations, we share Student Data with authorized school or district personnel as directed by the school or district and in accordance with our Data Privacy Agreement and applicable law.
- Research using de-identified data. We may share de-identified or aggregate information with universities, research institutions, and similar organizations to support research in literacy and speech recognition. We do not disclose Student Data or other PII for independent research without explicit written authorization from the relevant school or parent or legal guardian.
- Targeted advertising partners (adults only). With your consent, we share certain technical and usage information with advertising partners (Meta, LinkedIn, Google, TikTok) to deliver and measure advertising to adult website visitors. We do not share student data, child user data, or data from logged-in student sessions with advertising partners.
- Legal and safety. We may disclose information when we believe in good faith that disclosure is necessary to comply with laws or legal processes, to enforce our Terms of Service or other agreements, or to protect the rights, property, or safety of LUCA, our Users, or others.
- Business transfers. We may share information in connection with a corporate transaction such as a merger, acquisition, reorganization, sale of assets, or bankruptcy. Any successor will be bound by this Policy or a policy with comparable protections.
- With your consent. We may share information with your consent or at your direction.
- Aggregate or anonymous form. We may use and share information in aggregate or anonymized form that does not reasonably identify an individual or school.
"Sharing" under California law. Some of the disclosures above (notably to analytics and advertising partners) constitute "sharing" of personal information for cross-context behavioral advertising under California's CPRA. California residents may opt out of such sharing as described in Section 11.
7. Sub-processors
LUCA uses the following sub-processors to provide the Services. All sub-processors are bound by written contracts that include confidentiality, security, and data-protection obligations consistent with this Policy.
| Sub-processor | Purpose | Data Categories | Location |
|---|---|---|---|
| Vercel, Inc. | Website hosting, edge delivery | All categories transiting the websites | United States |
| Microsoft Corporation (Azure) | Voice/audio processing, ASR, application backend | Voice/audio, technical, usage, account | United States (East US) |
| Anthropic, PBC | Large language model services for AI-assisted content generation (e.g., personalized story creation) | Generation prompts including reading-context metadata (grade level, skill targets, theme preferences) and a child's first name for personalization; no voice or audio data | United States |
| Microsoft Corporation (Clarity) | Marketing-website analytics and session replay | Technical, usage (consent required) | United States |
| Google LLC | Google Tag Manager, Google Analytics 4, Google Ads | Technical, usage, advertising identifiers (consent required for non-essential) | United States |
| Meta Platforms, Inc. | Meta Pixel, retargeting (adults only) | Technical, usage, advertising identifiers (consent required) | United States |
| LinkedIn Corporation | LinkedIn Insight Tag, retargeting (adults only) | Technical, usage, advertising identifiers (consent required) | United States |
| TikTok Inc. | TikTok Pixel, retargeting (adults only) | Technical, usage, advertising identifiers (consent required) | United States |
| HighLevel Inc. (covering LeadConnector LLC) | Customer relationship management, marketing automation | PII, communications, attribution | United States |
| Stripe, Inc. | Payment processing | Payment information | United States |
| Supabase, Inc. | Application database, authentication | PII, account, reading information | United States |
| Google reCAPTCHA | Anti-bot / spam protection on forms | Technical | United States |
We update this list as we add or change sub-processors. Material changes will be announced in advance to school customers in accordance with the applicable Data Privacy Agreement.
8. International Data Transfers
LUCA is based in the United States. Personal information we collect is processed and stored in the United States. If you access the Services from outside the United States, your information will be transferred to the United States.
For users in the European Economic Area, United Kingdom, or Switzerland, we rely on the following transfer mechanisms, supplemented by appropriate technical and organizational measures:
- EU-US Data Privacy Framework (DPF), UK Extension, and Swiss-US Framework. Used for transfers to sub-processors that are DPF-certified across all three frameworks: Vercel, Inc.; Microsoft Corporation (Azure and Clarity); Anthropic, PBC; Google LLC (covering Tag Manager, Analytics, Ads, and reCAPTCHA); LinkedIn Corporation; Stripe, Inc.; and HighLevel Inc. (covering LeadConnector LLC).
- EU-US DPF and Swiss-US Framework only (UK transfers via UK IDTA / UK Addendum to SCCs). Used for Meta Platforms, Inc., which is certified for the EU and Swiss frameworks but not the UK Extension.
- Standard Contractual Clauses (SCCs). Used for transfers to sub-processors that are not DPF-certified: TikTok Inc. and Supabase, Inc.
9. How We Protect User Information
We maintain administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, use, disclosure, alteration, or destruction. Personal information is stored on controlled servers, and access is limited to employees and service providers who require it to perform their job functions and who are bound by confidentiality obligations.
However, no security measures can guarantee complete security. If we learn of a security breach or other unauthorized disclosure of personal information, we will take reasonable steps to investigate and mitigate the incident and, where required by law, will notify affected Users, schools, parents, or legal guardians without undue delay and in accordance with applicable legal requirements.
10. Your Privacy Rights
You have the following rights regarding your personal information. Some are available to all users; others depend on your jurisdiction.
Universal. You can:
- Access and update personal information by logging into your account or by contacting us.
- Request deletion of your account and personal information by contacting us.
- Unsubscribe from marketing emails by clicking the unsubscribe link in any email.
- Manage cookie preferences via the Cookie Settings link in our footer.
Residents of jurisdictions with formal data-subject rights (including the European Economic Area, United Kingdom, and Switzerland) may also have rights to:
- Receive a copy of your personal information in a portable format.
- Correct inaccurate personal information.
- Restrict or object to processing.
- Withdraw consent (where processing is based on consent), without affecting the lawfulness of processing prior to withdrawal.
- Lodge a complaint with your local data protection supervisory authority.
We will respond to verifiable rights requests within thirty (30) days, or longer where permitted by law.
11. California Residents (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to know what personal information we have collected, used, disclosed, and shared about you over the past 12 months, and to receive a copy.
- Right to delete personal information we have collected from you, subject to certain exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing of personal information. LUCA does not sell personal information for monetary value, but our use of analytics and advertising cookies may constitute "sharing" for cross-context behavioral advertising under the CPRA. You may opt out by:
  - Selecting "Reject All" or disabling Marketing cookies in our cookie banner;
  - Clicking the "Do Not Sell or Share My Personal Information" link in our footer;
  - Sending a Global Privacy Control signal from your browser (which we honor automatically).
- Right to limit use of sensitive personal information. Voice recordings may be considered sensitive personal information. We use voice data only for the purposes described in Section 5; you may further restrict use by withholding consent for model-improvement use during onboarding.
- Right to non-discrimination. We will not deny services, charge different prices, or provide different quality of service because you exercised your privacy rights.
To exercise these rights, contact us at privacy@luca.ai with the subject line "California Privacy Request" or use the data-request portal described in Section 19. We will verify your identity before fulfilling the request, in accordance with CCPA verification standards.
You may also designate an authorized agent to make a request on your behalf. We require the agent to provide written permission and may require you to verify your own identity directly with us.
12. SMS and Text Message Communications
LUCA may send SMS and text messages to users who opt in. Messages may include account notifications, educational updates and progress reports, and reminders. Message frequency varies.
Consent. By providing your mobile phone number and opting in, you authorize LUCA to send text messages to your mobile number. Consent is not a condition of purchase or use of our Services.
Opt-Out. You can cancel the SMS service at any time. Text "STOP" to 412-365-8164. After you send "STOP," we will send you a confirmation message, and you will no longer receive SMS messages from us unless you opt back in.
Opt Back In. If you want to rejoin after opting out, you can opt in again using the same method you used to enroll originally.
Help. If you are experiencing issues with the messaging program, you can reply with the keyword "HELP" for more assistance, or contact support@luca.ai.
Message and Data Rates. Message and data rates may apply for any messages sent to you from us and to us from you. If you have any questions about your text plan or data plan, contact your wireless provider.
Carrier Disclaimer. Carriers are not liable for delayed or undelivered messages.
Third-Party Sharing of Mobile Information. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Information sharing to subcontractors in support services, such as customer service, is permitted. All other use case categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
13. Children's Privacy (COPPA)
We do not knowingly collect information from children under age 13 (or the applicable age of consent in a local jurisdiction) without first obtaining verifiable parental consent from a parent or legal guardian, or relying on a school's authorization for narrowly defined educational use as permitted by the FTC's guidance.
School authorization for educational use. When LUCA is provided to children through a school or district, we may rely on the school's authorization to collect personal information from children under 13 in lieu of direct parental consent, but only when all four of the following conditions are met:
- The personal information is used solely for an educational purpose authorized by the school, and never for any commercial purpose such as marketing or advertising to the student.
- The school has authorized LUCA in writing (typically through our Student Data Privacy Agreement) to collect the personal information on behalf of the parents for the school's specified educational use.
- The school has determined that it has the authority under applicable state law to consent on behalf of parents for the use described, and has so represented in its agreement with LUCA.
- The school provides parents with notice of LUCA's use and the parent's rights to review the child's information, request its deletion, and refuse further collection. LUCA supports the school in providing this notice but the school carries the legal duty.
If any of these conditions is not met, the school authorization does not apply and direct verifiable parental consent is required before LUCA collects personal information from the child.
Separate consent for non-integral third-party disclosures. Consistent with the 2025 amendments to the COPPA Rule (16 CFR § 312.5(a)(2)), parents and schools have the right to consent to LUCA's collection and use of a child's personal information without also consenting to disclosure of that information to third parties for purposes that are not integral to providing the Services. LUCA does not disclose children's personal information to third parties for advertising, profiling, or model training without separate, declinable consent obtained in addition to the consent to use the Services.
Direct parental consent. Where LUCA is provided directly to a family rather than through a school, we obtain verifiable parental consent before collecting personal information from a child under 13. The verification methods we use are described in our Terms of Service.
Parent rights. A parent or legal guardian may at any time review the personal information we have collected from their child, request that we delete it, and refuse to permit further collection. Instructions are in Section 19.
If you believe we have collected personal information from a child without appropriate consent, please contact us at privacy@luca.ai so we can investigate and, if confirmed, delete the information promptly.
14. Student Data and FERPA
When we provide Services to schools, school districts, or other educational institutions ("School Users"), we may receive Student Data that is part of a student's education record.
- The relevant school or district (the local education agency or "LEA") owns and controls Student Data and remains responsible for it.
- LUCA acts as a "school official" under the Family Educational Rights and Privacy Act (FERPA), with a legitimate educational interest in the Student Data, and handles Student Data only in accordance with our agreements with the LEA and applicable law.
- LUCA uses Student Data only to provide, maintain, and improve the educational Services for the LEA, to support security and legal compliance, and for de-identified analytics and research as permitted by those agreements and applicable law. We do not use Student Data to advertise or market to students or their families, and we do not sell Student Data.
- The LEA controls access to Student Data and is responsible for responding to parent and eligible student requests to access, review, or correct education records. We will support the LEA in fulfilling those requests by providing access to Student Data we store on the LEA's behalf.
Student Data is further governed by a separate Data Privacy Agreement between LUCA and the LEA. If there is a conflict between this Policy and that agreement regarding Student Data, the Data Privacy Agreement controls. A copy of our standard Data Privacy Agreement is available upon request from privacy@luca.ai.
15. Automated Decision-Making
LUCA uses algorithms and automatic speech recognition to assess phoneme accuracy, identify reading skill gaps, and recommend mastery progression. These determinations are not made solely by automated means. Teachers, school administrators, parents, guardians, and LUCA staff can review, override, roll back, and adjust outcomes at any time. Because human review is built into the process, the heightened protections of GDPR Article 22 (which apply only to decisions made solely by automated means without meaningful human involvement and producing legal or similarly significant effects) do not apply.
If you would like to understand how a decision affecting you or your child was reached, contact privacy@luca.ai.
16. Targeted Advertising and Retargeting
LUCA may use third-party advertising services (Meta, LinkedIn, Google Ads, TikTok) to deliver advertising to adult website visitors (parents, educators, administrators) on those platforms based on prior visits to luca.ai. This activity:
- Is performed only with your consent (collected through our cookie banner) or where consent is not legally required;
- Excludes any data collected from logged-in student sessions, child users, or Student Data;
- Is subject to your right to opt out via the cookie banner, the "Do Not Sell or Share" footer link, or a Global Privacy Control browser signal.
We do not target advertising to children, students, or any user we know to be under 13.
17. Data Retention and Deletion
We retain personal information only for the specific business need described below for each category, and we delete or de-identify it according to the timeframes below. Where law requires a longer retention period (for example, tax records, breach-notification records), we retain only what the law requires and only for the period the law requires.
| Category | Business need | Retention timeframe |
|---|---|---|
| Voice and audio data (raw audio + derived phoneme features) | Provide individualized reading instruction; track that student's progress | While account is active. Within ninety (90) days after account termination, de-identified or deleted. Earlier deletion on request from parent, guardian, or school (Section 5). |
| Student Data (school and district customers) | Provide the educational Services contracted by the LEA | Term of the agreement with the LEA. Upon LEA's written request, returned or transferred in a commonly used electronic format and deleted or de-identified in active systems within sixty (60) days. |
| Account information (parent or guardian managed accounts) | Operate the account and deliver the Services | While account is active. Within thirty (30) days of a deletion request, deleted or de-identified in active systems. |
| Reading information and progress data (parent-managed accounts) | Provide individualized instruction and report progress to the parent | While account is active. Deleted or de-identified within thirty (30) days of a deletion request. |
| Marketing-website visitor data (IP, device, page-view, UTM) | Measure marketing effectiveness; respond to forms; protect against abuse | Twelve (12) months from collection, unless tied to an active marketing-list contact (in which case retained for the duration of that contact relationship plus 90 days). |
| Lead form contact information (CRM contacts) | Respond to inquiries; deliver requested resources; nurture marketing leads who have opted in | Active marketing-list duration. Deleted within thirty (30) days of unsubscribe or deletion request. |
| Cookie consent records | Demonstrate compliance with consent requirements (GDPR, CPRA, state privacy laws) | Twelve (12) months from each consent decision, refreshed each time the consent is updated. |
| Persistent identifiers used solely for internal operations (security, fraud prevention, debugging) | Maintain the safety, security, and integrity of the Services | Up to thirteen (13) months from collection, then automatically purged. |
| Communication and support records | Respond to support requests; demonstrate response history; resolve disputes | Three (3) years from the date of the communication, then deleted. |
| Legal-hold or breach-notification records | Comply with legal retention obligations | Period required by applicable law. |
After the retention timeframe, we delete or de-identify the data in our active systems. Copies of personal information may remain in routine system backups for up to thirty (30) days after active-system deletion. Backup copies are overwritten in the ordinary course of business and are not used to restore deleted records except where required to recover from a system failure.
18. State-Specific Privacy Rights
In addition to California (Section 11), residents of the following states with comprehensive consumer privacy laws may have rights to access, correct, delete, and obtain a copy of their personal information, and to opt out of targeted advertising, the sale of personal information, and certain profiling activities:
- Colorado (Colorado Privacy Act, including the SB24-041 amendments effective October 1, 2025)
- Connecticut (Connecticut Data Privacy Act, including the Public Act 23-56 minor-protection amendments effective October 1, 2024)
- Virginia (Virginia Consumer Data Protection Act, including the 2025 minor-protection amendments)
- Utah (Utah Consumer Privacy Act)
- Texas (Texas Data Privacy and Security Act)
- Oregon (Oregon Consumer Privacy Act)
- Montana (Montana Consumer Data Privacy Act)
- Iowa (Iowa Consumer Data Protection Act)
- Indiana (Indiana Consumer Data Protection Act)
- Tennessee (Tennessee Information Protection Act)
- Delaware (Delaware Personal Data Privacy Act)
- New Jersey (New Jersey Data Privacy Act)
- New Hampshire (New Hampshire Data Privacy Act)
- Kentucky (Kentucky Consumer Data Protection Act)
- Maryland (Maryland Online Data Privacy Act)
- Minnesota (Minnesota Consumer Data Privacy Act)
- Rhode Island (Rhode Island Data Transparency and Privacy Protection Act)
- Nebraska (Nebraska Data Privacy Act)
Of these, Maryland's Online Data Privacy Act applies the strictest data-minimization standard and prohibits the sale of personal data of residents under age 18 outright; we apply Maryland's standard as our internal compliance ceiling for all U.S. residents.
To exercise any rights available to you under your state's law, contact privacy@luca.ai. We will respond consistent with applicable law and the procedures described in Section 19.
When we provide Services to schools, we also comply with applicable state student-data-privacy statutes that may apply to those institutions, including laws that restrict targeted advertising based on student data, prohibit the sale of student data, and regulate the creation of profiles for non-educational purposes.
19. How to Exercise Your Privacy Rights
You have rights to access, correct, delete, opt out, and exercise the other privacy rights described above. Here is how to do it.
Step 1: Send your request to LUCA
Email: privacy@luca.ai
Subject line: Privacy Request
Step 2: Include the following in your message
- Your full name
- The email address associated with your account (if any)
- The specific right you wish to exercise
- For requests on behalf of a child, the child's name and your relationship to the child
- For California residents, a statement that you are a California resident
Step 3: What happens next
| Step | Timeline |
|---|---|
| LUCA acknowledges your request | Within 10 business days |
| LUCA responds substantively (GDPR / UK GDPR) | Within 30 days |
| LUCA responds substantively (CCPA) | Within 45 days |
| Identity verification (sensitive requests) | Before any data is released |
Extensions are available as permitted by law and you will be notified if one is required.
School-managed accounts
If your child uses LUCA through a school or district, requests relating to Student Data should generally be directed to that school or district, which controls access to the Student Data. LUCA will assist the school or district in responding consistent with FERPA, applicable state law, and our Data Privacy Agreement.
20. Changes to This Privacy Policy
We may modify this Policy from time to time. When we make material changes, we will update the version number and last-updated date at the top of this Policy and provide additional notice (such as an email to account holders or a banner on the Services) where appropriate. Continued use of the Services after the effective date of an update constitutes acceptance of the updated Policy.
Earlier versions of this Policy are available upon request from privacy@luca.ai.
21. Contact Us
If you have any questions or concerns about this Privacy Policy or wish to exercise privacy rights:
LUCA AI, LLC
651 N. Broad Street, Suite 201
Middletown, DE 19709
Phone: (412) 346-8872
Email: privacy@luca.ai
Support: support@luca.ai
Version: 2026-05
Last Updated: May 11, 2026