Security & privacy

Private by default. Visible only when you want.

Lucy was built with privacy as the default stance — not an afterthought. Personal mode is invisible, audio is never stored, and you control every aspect of data retention.

No bot joins the call

In personal mode — the default — Lucy runs entirely within your browser as a side panel. There is no bot participant, no avatar, and no visible AI presence in the call. Other participants cannot tell you are using Lucy.

Audio is never recorded

Lucy processes audio transiently to understand what is being said and generate the canvas. Audio is not stored, saved, or transferred to any server in raw form. Only the structured canvas output is retained.

AI input mode toggle

When AI input mode is off, Lucy only organises and structures what your team says — it contributes nothing of its own. Turn it on to allow Lucy to add its own questions, suggestions, and alternative angles. You control this before every session.

Data retention controls

Set session data to auto-delete after 24 hours, 7 days, or 30 days. Or keep it indefinitely. You can export and delete any session data at any time from your dashboard.

Encryption at rest and in transit

All session data is encrypted using AES-256 at rest and TLS 1.3 in transit. We use AWS infrastructure with industry-standard security practices. No data is sold or used to train third-party models.

SOC 2 Type II audit

In progress

We are currently undergoing a SOC 2 Type II compliance audit. Enterprise customers can request our current security posture documentation, DPA, and sub-processor list.

Technical summary

Encryption in transit: TLS 1.3
Encryption at rest: AES-256
Audio storage: None — transient processing only
Data residency: EU (AWS eu-west-2)
Sub-processors: Available on request
Data retention default: 30 days (configurable)
Compliance: GDPR compliant · SOC 2 in progress
Access controls: Role-based, audit-logged

Enterprise or compliance questions?

We're happy to provide our security documentation, DPA, sub-processor list, and SOC 2 audit status to enterprise customers.