Skip to main content
Legal

Privacy Policy

At LUCA ("LUCA," "we," "us," or "our"), we are committed to protecting the privacy and security of personal information of our users ("Users," "you," or "your"). This Privacy Policy ("Policy") describes how we collect, use, disclose, and protect personal information through our websites, the LUCA Reading Platform, and related products and services (collectively, the "Services").

This Policy is intended to be read together with our Terms of Service, which govern your use of the Services. By accessing or using the Services, you acknowledge that you have read and understood this Policy and our Terms of Service.

If you have questions about this Policy, please contact us at [email protected] or at the address in the "Contact Us" section below.

1. Information We Collect

We collect the following categories of personal information.

Personally Identifiable Information (PII). First and last name, school or district name, postal address, city or state, telephone number, email address, grade or ID number assigned by your school or district, username, and account password. We collect PII when you register for an account, contact us for support, validate an ID number, send us feedback, or otherwise interact directly with us.

Technical and Usage Information. We and our third-party partners automatically collect certain usage information when you use the Services or our websites. This may include IP address, browser type and version, internet service provider, device type, operating system, date and time stamps, unique identifiers associated with your browser, device, or account, the pages you view, links you click, frequency of access, interactions with emails, and other activity. We collect this through cookies and similar technologies, which are active by default and described in the inventory at /cookies (see "Cookies and Tracking Technologies" below). You may opt out by emailing [email protected].

Reading Information. Books or passages read, the number of items completed, your responses to tasks, and information related to reading progress.

Voice and Audio Data. Audio or speech recordings captured during reading sessions to detect which phonemes and words present challenges, using artificial intelligence and automatic speech recognition technology. Voice and audio data are governed by Section 5 ("Voice and Audio Data") below.

Information from Others. Schools may provide us with student demographic or roster data to set up accounts and measure reading improvement. A parent or legal guardian may provide information about a child when registering an account for that child. Authorized third-party integrations such as student information systems, single sign-on providers, and roster sync services may transmit information to us as authorized by the school or family.

Marketing Website Visitors. When you visit our marketing website (luca.ai and related domains) without creating an account, we collect IP address, device and browser information, pages viewed, time on page, referring URL, and any UTM parameters present in the URL. If you submit a contact, demo, or download form, we collect the information you provide and associate it with the technical and attribution data described above.

Other Voluntarily Provided Information. Responses to surveys, support requests, or other communications you choose to send us.

2. How We Use Your Information

We use information for the following purposes. The legal basis for each is provided in brackets where applicable to residents of jurisdictions with formal lawful-basis requirements.

  1. To provide, operate, and support the Services, including creating and managing accounts, authenticating users, delivering reading activities, reporting progress, and providing support. [Performance of contract]
  2. To personalize and improve the Services, including through artificial intelligence, machine learning, analytics, and research, so content, pacing, and feedback are tailored to each User's needs. [Performance of contract; legitimate interests in product improvement]
  3. To administer and manage accounts, including resetting passwords, responding to questions, and contacting you about your account or service issues. [Performance of contract]
  4. To communicate with you about your account, updates to the Services, changes to our terms or policies, and other administrative messages. [Legal obligation; performance of contract]
  5. To send marketing communications about LUCA products and services to adult users such as parents, legal guardians, and educators. You may opt out of these communications at any time by following the unsubscribe instructions in the communication or by contacting us. LUCA does not send marketing communications directly to child users. [Consent]
  6. To monitor, analyze, and understand usage and performance of the Services, including generating statistics and analytics regarding user engagement and learning outcomes. [Legitimate interests; consent for non-essential analytics cookies]
  7. To maintain the safety, security, and integrity of the Services, including detecting, preventing, and responding to fraud, security incidents, and misuse. [Legitimate interests; legal obligation]
  8. To comply with applicable laws, regulations, legal processes, and law enforcement requests, and to protect the rights, property, and safety of LUCA, our users, and others. [Legal obligation]
  9. To deliver LUCA's own advertising to adult website visitors (parents, educators, administrators), including by sharing technical and usage information with advertising platforms (Meta and Google) to build audiences and to measure and retarget our ads. This tracking is active by default; you may opt out at any time by emailing [email protected] or as described in Section 11. We do not use student data, child user information, or any data collected from a logged-in student session for advertising.

For Student Data and information collected from child Users under 13, LUCA uses personal information only to provide, maintain, and improve the educational Services requested by the school or parent or legal guardian, to support security and legal compliance, and for internal analytics. LUCA does not use Student Data or child User information to advertise or market to students or their families and does not allow third parties to do so.

3. Cookies and Tracking Technologies

Our Services use cookies, pixels, local storage, and similar technologies ("cookies") to operate the Services, remember your preferences, understand usage, and (with your consent) deliver advertising.

Categories. We classify cookies into three categories:

  • Strictly Necessary. Required for the Services to function , for example, session cookies that authenticate logged-in users and keep your form data while you complete a submission. These cannot be disabled and do not require consent under applicable law.
  • Analytics. Help us understand how visitors use our Services so we can improve them. These include first-party analytics and third-party analytics and session-replay providers. Active by default; you may opt out by emailing [email protected].
  • Marketing. Enable us and our advertising platforms to deliver LUCA's own advertising. These include Meta Pixel and Google Ads conversion and retargeting tags. Active by default; you may opt out by emailing [email protected].
  • Visitor identification. We use a third-party service that processes technical and usage information from our marketing website to identify business and individual visitors for LUCA's own sales and marketing follow-up. Active by default; you may opt out by emailing [email protected].

Managing your preferences. You can review every cookie our Services use, with name, purpose, provider, category, and lifetime, on our Cookie Inventory page at /cookies. Analytics and marketing technologies are active by default. To opt out of them, or to request that we remove your personal information from our systems, email [email protected]. See also our Do Not Sell or Share page.

4. De-identified and Aggregate Data; Research and Efficacy Reporting

We may use and share de-identified or aggregate information for any lawful purpose, including to improve the Services, conduct research, and demonstrate the effectiveness of the Services. De-identified or aggregate information is information that does not reasonably identify an individual student, parent, legal guardian, family, or school.

Examples include overall reading growth statistics, accuracy rates, and usage metrics across groups of Users. We may use this information in reports, case studies, marketing materials, and presentations to schools and the public.

If we share de-identified or aggregate information with research partners or similar organizations, we require those organizations by contract not to attempt to re-identify the information and to use it only for the agreed research or evaluation purposes.

5. Voice and Audio Data

Voice and audio data are among the most sensitive information we process and are subject to specific protections.

What we collect. During reading sessions, our Services capture audio recordings of the User reading aloud. From these recordings, our automatic speech recognition (ASR) systems derive phoneme-level features used to assess reading mastery and provide individualized feedback.

Where it is processed. Voice and audio data are processed and stored on cloud servers located in the United States (East US region). Voice data does not leave the United States.

Retention.

  • While the User account is active, voice and audio data (both raw audio and derived features) are retained to support the User's progress tracking and the delivery of personalized instruction.
  • After account termination, voice and audio data are de-identified within ninety (90) days, after which the data can no longer be linked to an individual User.
  • A parent, legal guardian, or school may request earlier deletion at any time by contacting [email protected]. Requests are honored within thirty (30) days, subject to legal retention obligations.

Use for model improvement. LUCA does not currently use voice or audio data to train or improve our speech recognition models. Voice and audio data are used only to provide reading instruction to the User from whom they were collected.

If we add the ability to use anonymized voice samples for model improvement in the future, we will obtain separate, granular opt-in consent from the parent, legal guardian, or school before doing so, and we will update this Privacy Policy in advance to describe the consent flow. Any such future consent would be:

  • Optional. Not required to use the Services.
  • Separate. Requested in addition to, not bundled with, consent to use LUCA. For school accounts, the school's authorization would govern and a separate opt-in would be captured at the LEA level via the Student Data Privacy Agreement.
  • Recorded. Tied to the parent's or guardian's account with the date, the policy version in effect at the time, and the consent method.
  • Withdrawable. Withdrawable at any time by contacting [email protected]. Withdrawal applies to future use; samples already incorporated into trained models could not be selectively removed but would not influence future training.
  • Anonymized. Voice samples used for model improvement would be stripped of identifiers before incorporation into training datasets.

Biometric notice. Voice recordings may be considered biometric information under applicable state laws (e.g., Illinois BIPA, Texas CUBI, Washington biometric laws). LUCA does not use voice data for biometric identification or authentication. We retain voice data only as described in this section.

6. How We Share Your Information

We do not sell User PII or other personal information for monetary value. We disclose personal information only as follows:

  1. Service providers / sub-processors. We share information with the trusted vendors listed in Section 7 ("Sub-processors"). They are bound by written contracts that limit use of the information to providing services to LUCA.
  2. Other users associated with an account. Where appropriate to support educational use of the Services, we may share information with a parent, legal guardian, teacher, school administrator, or other authorized school representative.
  3. Schools and districts. For school and district implementations, we share Student Data with authorized school or district personnel as directed by the school or district and in accordance with our Data Privacy Agreement and applicable law.
  4. Research using de-identified data. We may share de-identified or aggregate information with universities, research institutions, and similar organizations to support research in literacy and speech recognition. We do not disclose Student Data or other PII for independent research without explicit written authorization from the relevant school or parent or legal guardian.
  5. Advertising platforms (adults only). We share certain technical and usage information with advertising platforms (Meta and Google) to deliver, measure, and retarget LUCA's own advertising to adult website visitors. This is active by default; you may opt out as described in Section 11. We do not share student data, child user data, or data from logged-in student sessions with advertising platforms.
  6. Visitor identification (adults only). We share technical and usage information from our marketing website with a third-party visitor-identification service that identifies business and individual visitors for LUCA's own sales and marketing follow-up. This applies only to marketing-website visitors; we do not use it on logged-in student sessions, child users, or Student Data. Active by default; you may opt out as described in Section 11.
  7. Legal and safety. We may disclose information when we believe in good faith that disclosure is necessary to comply with laws or legal processes, to enforce our Terms of Service or other agreements, or to protect the rights, property, or safety of LUCA, our Users, or others.
  8. Business transfers. We may share information in connection with a corporate transaction such as a merger, acquisition, reorganization, sale of assets, or bankruptcy. Any successor will be bound by this Policy or a policy with comparable protections.
  9. With your consent. We may share information with your consent or at your direction.
  10. Aggregate or anonymous form. We may use and share information in aggregate or anonymized form that does not reasonably identify an individual or school.

"Sharing" under California law. Some of the disclosures above (notably to analytics and advertising partners) constitute "sharing" of personal information for cross-context behavioral advertising under California's CPRA. California residents may opt out of such sharing as described in Section 11.

7. Service Providers and Sub-processors

To provide the Services, LUCA uses third-party service providers (sub-processors) in the following categories. All are bound by written contracts that include confidentiality, security, and data-protection obligations consistent with this Policy:

  • Website hosting and content delivery
  • Application backend, database, and authentication
  • Voice and audio processing and automatic speech recognition
  • AI services for content generation (e.g., personalized story creation); no voice or audio data
  • Analytics and session replay
  • Advertising platforms (Meta and Google; adults only)
  • Customer relationship management and marketing automation
  • Payment processing
  • Anti-bot and spam protection

All sub-processors process personal information in the United States. A current list of the specific named sub-processors is available on request at [email protected]. For school and district customers, sub-processors and any material changes are governed by the applicable Data Privacy Agreement.

8. International Data Transfers

LUCA is based in the United States. Personal information we collect is processed and stored in the United States. If you access the Services from outside the United States, your information will be transferred to the United States.

For users in the European Economic Area, United Kingdom, or Switzerland, where we transfer personal information to a sub-processor we rely on a lawful transfer mechanism, such as the EU-US Data Privacy Framework (with its UK Extension and the Swiss-US Framework) or Standard Contractual Clauses, supplemented by appropriate technical and organizational measures.

9. How We Protect User Information

We maintain administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, use, disclosure, alteration, or destruction. Personal information is stored on controlled servers, and access is limited to employees and service providers who require it to perform their job functions and who are bound by confidentiality obligations.

However, no security measures can guarantee complete security. If we learn of a security breach or other unauthorized disclosure of personal information, we will take reasonable steps to investigate and mitigate the incident and, where required by law, will notify affected Users, schools, parents, or legal guardians without undue delay and in accordance with applicable legal requirements.

10. Your Privacy Rights

You have the following rights regarding your personal information. Some are available to all users; others depend on your jurisdiction.

Universal. You can:

  • Access and update personal information by logging into your account or by contacting us.
  • Request deletion of your account and personal information by contacting us.
  • Unsubscribe from marketing emails by clicking the unsubscribe link in any email.
  • Opt out of analytics and marketing technologies, or request removal of your personal information, by emailing [email protected].

Residents of jurisdictions with formal data-subject rights (including the European Economic Area, United Kingdom, and Switzerland) may also have rights to:

  • Receive a copy of your personal information in a portable format.
  • Correct inaccurate personal information.
  • Restrict or object to processing.
  • Withdraw consent (where processing is based on consent), without affecting the lawfulness of processing prior to withdrawal.
  • Lodge a complaint with your local data protection supervisory authority.

We will respond to verifiable rights requests within thirty (30) days, or longer where permitted by law.

11. California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to know what personal information we have collected, used, disclosed, and shared about you over the past 12 months, and to receive a copy.
  • Right to delete personal information we have collected from you, subject to certain exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing of personal information. LUCA does not sell personal information for monetary value, but our use of analytics and advertising technologies may constitute "sharing" for cross-context behavioral advertising under the CPRA. This tracking is active by default; you may opt out by:
  • Emailing [email protected] with the subject line "Do Not Sell"; or
  • Using the request methods on our "Do Not Sell or Share My Personal Information" page.
  • Right to limit use of sensitive personal information. Voice recordings may be considered sensitive personal information. We use voice data only for the purposes described in Section 5; you may further restrict use by withholding consent for model-improvement use during onboarding.
  • Right to non-discrimination. We will not deny services, charge different prices, or provide different quality of service because you exercised your privacy rights.

To exercise these rights, contact us at [email protected] with the subject line "California Privacy Request" or use the data-request portal described in Section 19. We will verify your identity before fulfilling the request, in accordance with CCPA verification standards.

You may also designate an authorized agent to make a request on your behalf. We require the agent to provide written permission and may require you to verify your own identity directly with us.

12. SMS and Text Message Communications

LUCA may send SMS and text messages to users who opt in. Messages may include account notifications, educational updates and progress reports, and reminders. Message frequency varies.

Consent. By providing your mobile phone number and opting in, you authorize LUCA to send text messages to your mobile number. Consent is not a condition of purchase or use of our Services.

Opt-Out. You can cancel the SMS service at any time. Text "STOP" to 412-365-8164. After you send "STOP," we will send you a confirmation message, and you will no longer receive SMS messages from us unless you opt back in.

Opt Back In. If you want to rejoin after opting out, you can opt in again using the same method you used to enroll originally.

Help. If you are experiencing issues with the messaging program, you can reply with the keyword "HELP" for more assistance, or contact [email protected].

Message and Data Rates. Message and data rates may apply for any messages sent to you from us and to us from you. If you have any questions about your text plan or data plan, contact your wireless provider.

Carrier Disclaimer. Carriers are not liable for delayed or undelivered messages.

Third-Party Sharing of Mobile Information. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Information sharing to subcontractors in support services, such as customer service, is permitted. All other use case categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

13. Children's Privacy (COPPA)

We do not knowingly collect information from children under age 13 (or the applicable age of consent in a local jurisdiction) without first obtaining verifiable parental consent from a parent or legal guardian, or relying on a school's authorization for narrowly defined educational use as permitted by the FTC's guidance.

School authorization for educational use. When LUCA is provided to children through a school or district, we may rely on the school's authorization to collect personal information from children under 13 in lieu of direct parental consent, but only when all four of the following conditions are met:

  1. The personal information is used solely for an educational purpose authorized by the school, and never for any commercial purpose such as marketing or advertising to the student.
  2. The school has authorized LUCA in writing (typically through our Student Data Privacy Agreement) to collect the personal information on behalf of the parents for the school's specified educational use.
  3. The school has determined that it has the authority under applicable state law to consent on behalf of parents for the use described, and has so represented in its agreement with LUCA.
  4. The school provides parents with notice of LUCA's use and the parent's rights to review the child's information, request its deletion, and refuse further collection. LUCA supports the school in providing this notice but the school carries the legal duty.

If any of these conditions is not met, the school authorization does not apply and direct verifiable parental consent is required before LUCA collects personal information from the child.

Separate consent for non-integral third-party disclosures. Consistent with the 2025 amendments to the COPPA Rule (16 CFR § 312.5(a)(2)), parents and schools have the right to consent to LUCA's collection and use of a child's personal information without also consenting to disclosure of that information to third parties for purposes that are not integral to providing the Services. LUCA does not disclose children's personal information to third parties for advertising, profiling, or model training without separate, declinable consent obtained in addition to the consent to use the Services.

Direct parental consent. Where LUCA is provided directly to a family rather than through a school, we obtain verifiable parental consent before collecting personal information from a child under 13. The verification methods we use are described in our Terms of Service.

Parent rights. A parent or legal guardian may at any time review the personal information we have collected from their child, request that we delete it, and refuse to permit further collection. Instructions are in Section 19.

If you believe we have collected personal information from a child without appropriate consent, please contact us at [email protected] so we can investigate and, if confirmed, delete the information promptly.

14. Student Data and FERPA

When we provide Services to schools, school districts, or other educational institutions ("School Users"), we may receive Student Data that is part of a student's education record.

  1. The relevant school or district (the local education agency or "LEA") owns and controls Student Data and remains responsible for it.
  2. LUCA acts as a "school official" under the Family Educational Rights and Privacy Act (FERPA), with a legitimate educational interest in the Student Data, and handles Student Data only in accordance with our agreements with the LEA and applicable law.
  3. LUCA uses Student Data only to provide, maintain, and improve the educational Services for the LEA, to support security and legal compliance, and for de-identified analytics and research as permitted by those agreements and applicable law. We do not use Student Data to advertise or market to students or their families, and we do not sell Student Data.
  4. The LEA controls access to Student Data and is responsible for responding to parent and eligible student requests to access, review, or correct education records. We will support the LEA in fulfilling those requests by providing access to Student Data we store on the LEA's behalf.

Student Data is further governed by a separate Data Privacy Agreement between LUCA and the LEA. If there is a conflict between this Policy and that agreement regarding Student Data, the Data Privacy Agreement controls. A copy of our standard Data Privacy Agreement is available upon request from [email protected].

15. Automated Decision-Making

LUCA uses algorithms and automatic speech recognition to assess phoneme accuracy, identify reading skill gaps, and recommend mastery progression. These determinations are not made solely by automated means. Teachers, school administrators, parents, guardians, and LUCA staff can review, override, roll back, and adjust outcomes at any time. Because human review is built into the process, the heightened protections of GDPR Article 22 (which apply only to decisions made solely by automated means without meaningful human involvement and producing legal or similarly significant effects) do not apply.

If you would like to understand how a decision affecting you or your child was reached, contact [email protected].

16. Targeted Advertising and Retargeting

LUCA may use third-party advertising services (Meta and Google) to deliver LUCA's own advertising to adult website visitors (parents, educators, administrators) on those platforms based on prior visits to luca.ai. This activity:

  • Is active by default; you may opt out at any time by emailing [email protected] or as described in Section 11;
  • Excludes any data collected from logged-in student sessions, child users, or Student Data.

We do not target advertising to children, students, or any user we know to be under 13.

17. Data Retention and Deletion

We retain personal information only for the specific business need described below for each category, and we delete or de-identify it according to the timeframes below. Where law requires a longer retention period (for example, tax records, breach-notification records), we retain only what the law requires and only for the period the law requires.

CategoryBusiness needRetention timeframe
Voice and audio data (raw audio + derived phoneme features)Provide individualized reading instruction; track that student's progressWhile account is active. Within ninety (90) days after account termination, de-identified or deleted. Earlier deletion on request from parent, guardian, or school (Section 5).
Student Data (school and district customers)Provide the educational Services contracted by the LEATerm of the agreement with the LEA. Upon LEA's written request, returned or transferred in a commonly used electronic format and deleted or de-identified in active systems within sixty (60) days.
Account information (parent or guardian managed accounts)Operate the account and deliver the ServicesWhile account is active. Within thirty (30) days of a deletion request, deleted or de-identified in active systems.
Reading information and progress data (parent-managed accounts)Provide individualized instruction and report progress to the parentWhile account is active. Deleted or de-identified within thirty (30) days of a deletion request.
Marketing-website visitor data (IP, device, page-view, UTM)Measure marketing effectiveness; respond to forms; protect against abuseTwelve (12) months from collection, unless tied to an active marketing-list contact (in which case retained for the duration of that contact relationship plus 90 days).
Lead form contact information (CRM contacts)Respond to inquiries; deliver requested resources; nurture marketing leads who have opted inActive marketing-list duration. Deleted within thirty (30) days of unsubscribe or deletion request.
Cookie consent recordsDemonstrate compliance with consent requirements (GDPR, CPRA, state privacy laws)Twelve (12) months from each consent decision, refreshed each time the consent is updated.
Persistent identifiers used solely for internal operations (security, fraud prevention, debugging)Maintain the safety, security, and integrity of the ServicesUp to thirteen (13) months from collection, then automatically purged.
Communication and support recordsRespond to support requests; demonstrate response history; resolve disputesThree (3) years from the date of the communication, then deleted.
Legal-hold or breach-notification recordsComply with legal retention obligationsPeriod required by applicable law.

After the retention timeframe, we delete or de-identify the data in our active systems. Copies of personal information may remain in routine system backups for up to thirty (30) days after active-system deletion. Backup copies are overwritten in the ordinary course of business and are not used to restore deleted records except where required to recover from a system failure.

18. State-Specific Privacy Rights

In addition to California (Section 11), residents of the following states with comprehensive consumer privacy laws may have rights to access, correct, delete, and obtain a copy of their personal information, and to opt out of targeted advertising, the sale of personal information, and certain profiling activities:

  • Colorado (Colorado Privacy Act, including the SB24-041 amendments effective October 1, 2025)
  • Connecticut (Connecticut Data Privacy Act, including the Public Act 23-56 minor-protection amendments effective October 1, 2024)
  • Virginia (Virginia Consumer Data Protection Act, including the 2025 minor-protection amendments)
  • Utah (Utah Consumer Privacy Act)
  • Texas (Texas Data Privacy and Security Act)
  • Oregon (Oregon Consumer Privacy Act)
  • Montana (Montana Consumer Data Privacy Act)
  • Iowa (Iowa Consumer Data Protection Act)
  • Indiana (Indiana Consumer Data Protection Act)
  • Tennessee (Tennessee Information Protection Act)
  • Delaware (Delaware Personal Data Privacy Act)
  • New Jersey (New Jersey Data Privacy Act)
  • New Hampshire (New Hampshire Data Privacy Act)
  • Kentucky (Kentucky Consumer Data Protection Act)
  • Maryland (Maryland Online Data Privacy Act)
  • Minnesota (Minnesota Consumer Data Privacy Act)
  • Rhode Island (Rhode Island Data Transparency and Privacy Protection Act)
  • Nebraska (Nebraska Data Privacy Act)

Of these, Maryland's Online Data Privacy Act applies the strictest data-minimization standard and prohibits the sale of personal data of residents under age 18 outright; we apply Maryland's standard as our internal compliance ceiling for all U.S. residents.

To exercise any rights available to you under your state's law, contact [email protected]. We will respond consistent with applicable law and the procedures described in Section 19.

When we provide Services to schools, we also comply with applicable state student-data-privacy statutes that may apply to those institutions, including laws that restrict targeted advertising based on student data, prohibit the sale of student data, and regulate the creation of profiles for non-educational purposes.

19. How to Exercise Your Privacy Rights

You have rights to access, correct, delete, opt out, and exercise the other privacy rights described above. Here is how to do it.

Step 1: Send your request to LUCA

Email: [email protected] Subject line: Privacy Request

Step 2: Include the following in your message

  • Your full name
  • The email address associated with your account (if any)
  • The specific right you wish to exercise
  • For requests on behalf of a child, the child's name and your relationship to the child
  • For California residents, a statement that you are a California resident

Step 3: What happens next

StepTimeline
LUCA acknowledges your requestWithin 10 business days
LUCA responds substantively (GDPR / UK GDPR)Within 30 days
LUCA responds substantively (CCPA)Within 45 days
Identity verification (sensitive requests)Before any data is released

Extensions are available as permitted by law and you will be notified if one is required.

School-managed accounts

If your child uses LUCA through a school or district, requests relating to Student Data should generally be directed to that school or district, which controls access to the Student Data. LUCA will assist the school or district in responding consistent with FERPA, applicable state law, and our Data Privacy Agreement.

20. Changes to This Privacy Policy

We may modify this Policy from time to time. When we make material changes, we will update the version number and last-updated date at the top of this Policy and provide additional notice (such as an email to account holders or a banner on the Services) where appropriate. Continued use of the Services after the effective date of an update constitutes acceptance of the updated Policy.

Earlier versions of this Policy are available upon request from [email protected].

21. Contact Us

If you have any questions or concerns about this Privacy Policy or wish to exercise privacy rights:

LUCA AI, LLC 651 N. Broad Street, Suite 201 Middletown, DE 19709

Phone: (412) 346-8872 Email: [email protected] Support: [email protected]

Version: 2026-05

Last Updated: June 6, 2026