Privacy Policy

Effective date: February 20, 2026

This Privacy Policy describes how nuLUCA ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our website at www.nuluca.com and related services (the "Service").

We are committed to protecting your privacy and being transparent about our data practices. Please read this policy carefully. By using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Information We Collect

Information You Provide

  • Account Information: Email address and name, provided during registration. Authentication is handled via passwordless methods (magic link or one-time passcode) through our authentication provider, Clerk.
  • Profile & Preferences: Focus area selections (e.g., Biomimicry, Computational Design, Grasshopper) and other preferences you configure.
  • Project Data: Design files, workspace content, and other materials you create or upload while using the Service.
  • AI Query Inputs: Queries, prompts, and contextual information you submit to AI-powered features such as search and analysis tools.
  • Communications: Messages you send to us via email or support channels.

Information Collected Automatically (Members Only)

We do not track or collect data from visitors who have not created an account. For signed-in members, we collect:

  • Usage Data: Feature usage, queries submitted, and interaction patterns within the Service.
  • Technical Data: IP address, browser type, and device type (collected as part of authentication by Clerk).

Payment Information

If you subscribe to a paid plan, payment information (such as credit card details) is collected and processed directly by our payment processor, Stripe. We do not receive, store, or have access to your full payment card details. We receive only a confirmation of payment, subscription status, and the last four digits of your card for display purposes.

2. How We Use Your Information

We use your information for the following purposes:

Purpose | Legal Basis (GDPR)
Providing and operating the Service | Contract performance
Processing AI queries through third-party providers | Contract performance
Personalizing research updates based on your focus areas | Contract performance
Processing payments and managing subscriptions | Contract performance
Sending transactional emails (account confirmations, billing) | Contract performance
Detecting and preventing fraud or abuse | Legitimate interest
Sending product updates and research newsletters | Consent (opt-in)
Complying with legal obligations | Legal obligation

3. AI Processing & Third-Party Providers

When you use AI-powered features (such as biomimicry search, research analysis, or design tools), your inputs are transmitted to one or more of the following third-party AI providers for processing:

  • OpenAI: Language model processing for search, analysis, and content generation. Not used for training.
  • Anthropic: Language model processing for search, analysis, and content generation. Not used for training.
  • Google (Vertex AI): Language model processing for search, analysis, and content generation. Not used for training.

What Data Is Sent

When you submit a query, we transmit the query text and any contextual information you provide to the relevant AI provider. We do not send your name, email address, or account information to AI providers.

Model Training

Under their current API terms, none of these providers use data submitted via their APIs to train their models. We will update this policy and notify you if any provider changes this practice.

Data Location

All three providers primarily process data in the United States. For EU users, data transfers are covered by Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.

4. Authentication Provider

We use Clerk to handle account creation and authentication. Clerk receives and processes your email address and authentication tokens. Clerk is an independent data processor and maintains its own security certifications and compliance measures.

Clerk's privacy policy: clerk.com/legal/privacy

5. Payment Processing

We use Stripe to process payments. Stripe collects and processes payment data as an independent data controller. Stripe is PCI-DSS Level 1 certified, the highest level of payment security compliance.

Stripe's privacy policy: stripe.com/privacy

6. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

  • Service Providers: With the third-party providers described above (AI providers, Clerk, Stripe, hosting providers) to operate the Service.
  • Legal Requirements: When required by law, court order, or governmental request, or to protect our rights, privacy, safety, or property.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, in which case your information may be transferred to the successor entity. We will notify you before your information becomes subject to a different privacy policy.
  • Aggregated Data: We may share anonymized, aggregated data (such as overall usage statistics) that cannot reasonably be used to identify you.

7. Cookies & Tracking Technologies

We take a minimal approach to cookies. We do not use analytics, advertising, or tracking cookies. We do not track visitors who have not created an account.

What We Use

Technology | Purpose | Type
Clerk session cookies | Authentication and session management for signed-in users | Strictly necessary
Theme preference | Remembering your light/dark mode choice | Local storage (not a cookie)

Because we only use strictly necessary cookies, no cookie consent banner is required. We do not set any cookies that require your prior consent under the GDPR, the ePrivacy Directive, or any other applicable law.

8. Data Retention

  • Account Data: Retained while your account is active, and for up to 30 days after account deletion to allow for recovery.
  • Project Data: Deleted within 30 days of account deletion. You may export your data before closing your account.
  • Usage & Analytics Data: Anonymized and retained in aggregate form. Individual-level data is deleted within 12 months.
  • Payment Records: Retained as required by financial regulations (typically 7 years for tax and accounting purposes).
  • AI Query Logs: Individual query logs are retained for up to 90 days for debugging and service improvement, then deleted.

9. Your Rights

For All Users

You have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate personal information
  • Delete your account and personal data
  • Export your data in a portable format

Additional Rights for EU/EEA Users (GDPR)

If you are in the European Union or European Economic Area, you also have the right to:

  • Restrict processing of your personal data
  • Object to processing based on legitimate interest
  • Withdraw consent at any time (where processing is based on consent)
  • Data portability (receive your data in a structured, machine-readable format)
  • Lodge a complaint with your local data protection supervisory authority

Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect about you and why
  • Request deletion of your personal information
  • Opt out of the sale of personal information (we do not sell personal information)
  • Non-discrimination for exercising your privacy rights
  • Opt out of automated decision-making and profiling

We do not sell personal information as defined under the CCPA.

How to Exercise Your Rights

To exercise any of these rights, contact us at [email protected]. We will respond to verified requests within 30 days (or within the timeframe required by applicable law).

10. International Data Transfers

nuLUCA is based in the United States. If you are accessing the Service from outside the United States, your personal information will be transferred to and processed in the United States and other countries where our service providers operate.

For transfers from the EU/EEA, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The EU-US Data Privacy Framework, where applicable

11. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of data at rest
  • Passwordless authentication (reducing credential theft risk)
  • Regular security reviews and updates
  • Access controls limiting employee access to personal data

No method of transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.

12. Children's Privacy

The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at [email protected].

13. AI Transparency

nuLUCA uses AI systems to process your queries and generate content. In accordance with the EU AI Act and transparency best practices:

  • AI-generated content is clearly identified as such within the Service
  • You are always interacting with an AI system when using our search, analysis, and content generation features
  • AI outputs are not reviewed by humans before being presented to you
  • We do not use AI for automated decision-making that produces legal effects or similarly significant effects on you

14. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 30 days before the changes take effect.

We will indicate the date of the most recent update at the top of this page. Previous versions are available upon request.

15. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

16. Subprocessor List

The following third-party service providers process personal data on our behalf:

Provider | Purpose | Location
Clerk | Authentication & identity | United States
Stripe | Payment processing | United States
OpenAI | AI language model processing | United States
Anthropic | AI language model processing | United States
Google Cloud | AI language model processing | United States
Railway | Application hosting & infrastructure | United States
Microsoft Azure | Database & search infrastructure | United States
Neo4j (Aura) | Graph database | Google Cloud (US)