The Lucy AI Corporation

Privacy Policy.

Lucy is built around a simple promise: we access only the data we need to protect your Amazon listings, and we treat that data with care. This policy explains what we collect, why, and the rights you have over your information.

Last updated April 29, 2026 · Version 1.0

At a glance

If you only read one section, read this. The rest of the policy explains everything below in more detail.

  • What we collect: Your account info (name, email, business name), Amazon listing data (titles, descriptions, images, prices, change history), and basic technical data (IP, browser, usage events).
  • What we don't collect: Amazon customer PII, financial settlement data, order-level customer details. Lucy never sells your data.
  • Why we collect it: To monitor your listings, auto-fix unauthorized changes, secure your account, send service-related emails, and improve Lucy.
  • Where it's stored: Encrypted at rest on cloud infrastructure (primary region: Canada). Some service providers we use are based in the United States and the European Union — see Section 5.
  • How long we keep it: While your account is active, plus a short period after deletion for legal and operational reasons. See Section 7.
  • Your rights: Access, correct, delete, port, withdraw consent, and object to processing of your personal data. See Section 9.
  • Contact us: privacy@golucyai.com

1 Scope of this policy

This Privacy Policy applies to The Lucy AI Corporation ("Lucy," "we," "us"), a company headquartered in Quebec, Canada, and to all of our customer-facing properties, including the website at golucyai.com, the Lucy dashboard, the Lucy AI agent, and any related services (collectively, the "Service").

This policy covers personal information we collect from customers (the people and businesses who sign up for Lucy) and website visitors. It does not cover data we process on behalf of our customers as part of providing the Service — for that, the customer's own privacy policies apply, with Lucy acting as a data processor.

2 Information we collect

Information you provide directly

  • Account details: First and last name, email address, business or store name, password (hashed), account type (Seller or Agency).
  • SSO identity: If you sign in with Google or Microsoft: your verified email, name, profile picture URL, and the OAuth identifier issued by the provider.
  • Billing details: Billing name, billing address, and tax ID where applicable. Payment card data is collected and stored by our payment processor (Stripe); we never see or store your full card number.
  • Support correspondence: Anything you send us through the support form, by email, or in chat.

Information from your Amazon Seller Central account

When you authorize Lucy via Amazon's SP-API, we receive and store:

  • OAuth refresh and access tokens (encrypted at rest)
  • Listing content: titles, descriptions, bullet points, images, prices, search terms, and other product attributes
  • Snapshots of your listings over time, so we can detect changes and restore previous versions
  • Metadata about events: who or what changed a listing and when, the action Lucy took, and the outcome
  • Notification subscriptions and SP-API report metadata

Lucy does not request or store: customer-level personally identifiable information (such as buyer names, addresses, or contact details), settlement or payment data, or order details beyond what is necessary for inventory accuracy.

Information collected automatically

  • Usage data: Pages visited, features used, actions taken in the dashboard, timestamps.
  • Device & technical data: IP address, browser type and version, operating system, language, time zone, screen size.
  • Cookies and similar technologies: See Section 11.

3 How we use information

We use personal information for the following purposes:

  • Provide the Service: Authenticate you, monitor your listings, detect and remediate unauthorized changes, deliver notifications, and operate the dashboard.
  • Customer support: Respond to your questions, troubleshoot issues, and keep records of our communications.
  • Service emails: Send transactional notifications (e.g., security alerts, listing-change notifications, service incidents). These are not marketing emails.
  • Marketing (with your consent): If you have opted in, send product updates, tips, and announcements. You can unsubscribe at any time via the link in any marketing email.
  • Improve the Service: Analyze how Lucy is used in aggregate to identify issues and improve the product. Where feasible, we use aggregated or de-identified data for this purpose.
  • Train AI models: Improve Lucy's listing-detection and remediation models. We do not use your data to train third-party AI models.
  • Security & fraud prevention: Detect, investigate, and prevent fraudulent activity, abuse, and security incidents.
  • Legal obligations: Comply with applicable law, respond to lawful requests from authorities, enforce our Terms, and protect our rights and the rights of others.

5 How we share data

We do not sell your personal information. We share data only in the following limited circumstances:

Service providers (data processors)

We use trusted third-party providers to run Lucy. Each provider is bound by a written data-processing agreement and is permitted to use the data only to provide services to us. Our main providers fall into these categories:

  • Cloud hosting & database: Cloud infrastructure provider hosting the Lucy application and its database.
  • Authentication: Google (for Google Sign-In) and Microsoft (for Microsoft Sign-In), if you choose to use them.
  • Payment processing: Stripe, for billing and subscription management.
  • Email delivery: Email-sending provider for transactional and marketing emails.
  • Analytics & product telemetry: Privacy-focused analytics provider; we do not use Google Analytics or comparable advertising-network tools on the dashboard.
  • Customer support tooling: Helpdesk and ticketing software for managing support correspondence.
  • Error monitoring: Service that captures application errors so we can fix bugs.

A current list of our subprocessors, including their names and locations, is available on request at privacy@golucyai.com. We provide reasonable advance notice of any new subprocessor.

Amazon

Lucy interacts with Amazon's Selling Partner API to provide the Service. The data we read from and write to your Seller Central account is governed by your contract with Amazon and Amazon's own privacy practices.

Legal & safety

We may disclose information if required to do so by law, valid legal process, or a government request, or if we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation, (b) protect the rights or safety of Lucy, our users, or the public, or (c) detect, prevent, or address fraud, security, or technical issues.

Business transfers

If Lucy is involved in a merger, acquisition, financing, restructuring, or sale of assets, your information may be transferred as part of the transaction. We will notify you (e.g., by email and a notice on our website) of any such change in ownership or control of your personal information.

6 International data transfers

Lucy is headquartered in Canada and stores most data on cloud infrastructure in Canada. Some of our service providers (such as Google, Microsoft, Stripe, and our email provider) operate globally and may process data in the United States, the European Union, or other regions.

When we transfer personal information across borders, we rely on appropriate safeguards as required by applicable law, including:

  • Adequacy decisions where the destination country has been recognized as providing adequate protection (e.g., the European Commission's adequacy decision for Canada in respect of commercial organizations).
  • Standard Contractual Clauses approved by the European Commission, where adequacy decisions do not apply.
  • Equivalent contractual protections for transfers outside the EU/UK, including Quebec's Law 25 disclosure requirements.

You can request more information about the specific safeguards in place for your data by contacting privacy@golucyai.com.

7 Retention

We retain personal information for as long as needed to provide the Service and for the periods described below. After that, we either delete or anonymize the data.

  • Account & profile data: Retained while your account is active. Deleted within 30 days after account closure, except as required for legal, tax, or audit reasons.
  • Listing snapshots & change history: Retained while your account is active. After account closure, deleted or anonymized within 30 days.
  • SP-API tokens: Deleted immediately upon account closure or when you revoke Lucy's access in Seller Central.
  • Billing records: Retained for the period required by tax and accounting law in our home jurisdiction (currently up to 7 years).
  • Support correspondence: Retained for up to 3 years to maintain a record of past issues and improve our support.
  • Aggregated, de-identified data: May be retained indefinitely, since it does not identify you.

8 Security

We take security seriously and implement industry-standard technical and organizational measures to protect personal data. These include:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
  • SP-API tokens encrypted with envelope encryption
  • Role-based access control and the principle of least privilege within our team
  • Continuous monitoring, automated alerting, and audit logging
  • Routine vulnerability scanning and dependency review
  • Mandatory two-factor authentication for staff with production access

No system is perfectly secure. In the event of a personal data breach that is reasonably likely to result in a risk to your rights, we will notify you and the relevant supervisory authority in accordance with applicable law (typically within 72 hours of discovery for GDPR-applicable incidents).

9 Your rights

You have rights over the personal information we hold about you. The exact list depends on where you live, but at a minimum we honour the following rights for all users worldwide:

  • Right to access: Request a copy of the personal information we hold about you.
  • Right to correction: Ask us to correct information that is inaccurate or incomplete.
  • Right to deletion: Ask us to delete your personal information, subject to legal exceptions.
  • Right to portability: Receive a copy of certain data in a structured, machine-readable format.
  • Right to withdraw consent: Where we rely on your consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
  • Right to object & restrict: Object to or restrict certain processing, particularly where we rely on legitimate interests.
  • Right to lodge a complaint: File a complaint with a data-protection authority — see Section 10 for region-specific authorities.

To exercise any of these rights, email privacy@golucyai.com. We may need to verify your identity before responding. We will respond within the time required by applicable law (typically 30 days).

10 Regional disclosures

Some regions have specific privacy laws that apply in addition to the rest of this policy.

Quebec, Canada: Law 25

If you are a resident of Quebec, the Act respecting the protection of personal information in the private sector ("Law 25") applies. In addition to the rights in Section 9:

  • Lucy's Privacy Officer is the contact for privacy questions: email privacy@golucyai.com.
  • You have the right to be informed of automated decision-making and to request human review of decisions made solely by automated means.
  • You can complain to the Commission d'accès à l'information du Québec at cai.gouv.qc.ca.

Canada (other provinces): PIPEDA

For Canadian residents outside Quebec, the federal Personal Information Protection and Electronic Documents Act ("PIPEDA") applies. You can lodge a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

European Union, United Kingdom & Switzerland: GDPR

If you are located in the EEA, UK, or Switzerland, the rights described in Section 9 apply with the specific protections of the GDPR (and UK GDPR or Swiss FADP, as applicable). You also have the right to lodge a complaint with your local supervisory authority. For EU residents, you can find your supervisory authority at edpb.europa.eu. For UK residents, contact the ICO at ico.org.uk.

Where required, our EU representative can be contacted via privacy@golucyai.com.

California, USA: CCPA / CPRA

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), grants you specific rights:

  • Right to know: The categories and specific pieces of personal information we have collected about you, the sources, purposes, and recipients.
  • Right to delete: Request deletion of personal information we have collected, subject to exceptions.
  • Right to correct: Correct inaccurate personal information.
  • Right to opt out of "sale" or "sharing": Lucy does not sell or share personal information as those terms are defined under the CCPA/CPRA.
  • Right to limit use of sensitive personal information: Lucy does not use sensitive personal information for purposes beyond providing the Service.
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, email privacy@golucyai.com. You may designate an authorized agent to make a request on your behalf; we will require verification.

Other regions

If you reside in a region with privacy laws not specifically listed above (e.g., Brazil's LGPD, Australia's Privacy Act), we honour the equivalent rights in good faith. Contact us at privacy@golucyai.com with any questions.

11 Cookies & similar technologies

We use a small number of cookies and similar technologies to operate the Service. These fall into the following categories:

  • Strictly necessary: Required for the dashboard to function (session cookies, authentication, CSRF protection). These cannot be disabled.
  • Functional: Remember your preferences, such as theme or language. Set only when you indicate a preference.
  • Analytics: Help us understand aggregate usage of the Service. We use a privacy-focused analytics provider that does not use third-party cookies for cross-site tracking.

We do not use advertising cookies or third-party trackers for cross-site profiling. Where required (e.g., for EU/UK visitors), we display a cookie banner so you can manage non-essential cookies.

12 Children's privacy

Lucy is intended for business users aged 18 or older (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected information from a child, please contact us at privacy@golucyai.com and we will delete it promptly.

13 Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to your account email address and posted in your dashboard at least 30 days before they take effect. Non-material changes (such as clarifications, formatting fixes, or contact-info updates) may take effect upon posting.

We will always update the "Last updated" date at the top of this policy when changes are made.

14 Contact us

If you have questions, concerns, or requests related to your privacy, contact us at:

Privacy Officer, The Lucy AI Corporation
Email: privacy@golucyai.com
Quebec, Canada
golucyai.com

For general support questions, please use the support form on this page or email support@golucyai.com.