Legal · Data Protection
Privacy Policy
How Lucevo collects, uses, stores, shares, and protects personal data — for website visitors, prospective and current clients, and the individuals whose data our clients process using our platform. Compliant with UK GDPR, the Data Protection Act 2018, the Data (Use and Access) Act 2025, and PECR.
Last Updated · 24 April 2026
LUC-LEG-001
§ 01 · Introduction
- Document reference: LUC-LEG-001
- Effective date: 24 April 2026
- Last updated: 24 April 2026
This Privacy Policy explains how Lucevo (“Lucevo”, “we”, “us”, or “our”) collects, uses, stores, shares, and protects personal data. It applies to visitors to our website at lucevo.io, to prospective and current clients, to authorised users of our services, and — in certain circumstances described in Section 06 — to individuals whose data our clients process using our platform.
We take your privacy seriously. This policy complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Data (Use and Access) Act 2025 (DUAA), the Privacy and Electronic Communications Regulations (PECR), and, where applicable, the EU General Data Protection Regulation (EU GDPR). We also follow relevant guidance from the UK Information Commissioner’s Office (ICO) on artificial intelligence, automated decision-making, and agentic AI.
If you do not agree with this policy, please do not use our website or our services.
§ 02 · Who we are
Lucevo is a bespoke AI agent architecture company that designs, builds, and manages autonomous agentic workflows for hotels and other hospitality businesses.
- Trading name: Lucevo
- Legal entity: LUCEVO LTD
- Company Number: 17136759
- Registered Address: 124–128 City Road, London, England, EC1V 2NX
- ICO Registration Number: ZC131494
- General contact: [email protected]
- Data protection contact: [email protected]
- Website: https://lucevo.io
For the purposes of UK data protection law, Lucevo acts as:
- A data controller for personal data we collect directly from website visitors, prospective clients, clients, and our own contacts.
- A data processor when we process personal data on behalf of our clients (for example, when our agents handle hotel guest enquiries, bookings, or communications on a client’s behalf). In those cases, the client is the data controller and our contractual Data Processing Addendum governs how we handle that data.
If you are a guest of a hotel that uses Lucevo and you have questions about how your personal data is used, please contact the hotel directly — they are the data controller for your data. We will support the hotel in responding to your request.
§ 03 · Scope of this policy
This policy covers:
- Our website (lucevo.io) and any subdomains
- Enquiries, discovery calls, audits, proposals, and onboarding communications
- Use of our services by authorised client users
- Marketing activity such as emails, LinkedIn outreach, phone calls, and other direct communications
It does not cover third-party websites we link to. Please read their own privacy policies before providing them with personal data.
§ 04 · The personal data we collect
4.1 Information you provide directly
Depending on how you interact with us, we may collect:
- Identity data: full name, job title, role.
- Contact data: business email address, business phone number, company name, business address, LinkedIn profile URL.
- Commercial data: details about the hotel or business you represent, including property size, operational details, pain points you share during discovery calls, goals, and budget information.
- Communication data: the content of emails, messages, call recordings (where we tell you a call is being recorded and you consent), meeting notes, and any documents you send us.
- Audit and onboarding data: information about your existing systems, workflows, staff structure, and any data or credentials you choose to share so we can build agents for you. We will never ask you to share passwords or payment credentials, and we do not request guest data beyond what is strictly necessary. Anything you do share is handled under a signed agreement.
4.2 Information we collect automatically
When you visit lucevo.io, we (and our service providers) may automatically collect:
- Technical data: IP address, browser type and version, operating system, device type, time zone setting, approximate location (derived from IP).
- Usage data: pages visited, time spent on pages, referring URL, clicks, scroll behaviour, and general navigation patterns.
- Cookie and similar technology data: see Section 10.
4.3 Information we collect from third parties
We may receive limited information about you from:
- Publicly available sources such as your company website, LinkedIn, Companies House, hotel directories, and similar business intelligence platforms, where we source prospective client contacts.
- Our analytics, advertising, and communication providers (for example, website analytics platforms and email delivery services).
- Referrals from existing clients or partners who recommend us to you.
4.4 Information processed on behalf of our clients
When our agents operate for a client, they may process personal data belonging to the client’s own customers, guests, employees, or suppliers — for example, names, contact details, booking details, dietary or accessibility requirements, or content of messages. In all such cases:
- The client (for example, the hotel) is the data controller.
- Lucevo is the data processor.
- Our processing is governed by a written Data Processing Addendum that defines the scope, purpose, retention, and security requirements.
- We only process that data on the client’s documented instructions.
4.5 Sensitive (special category) data
We do not actively seek out special category data (for example, health, religious, or biometric data). If you or a client inadvertently share such data, we will handle it with heightened care and delete it if it is not needed.
§ 05 · How we use your personal data and our lawful basis
Under UK GDPR we must have a lawful basis for every use of personal data. The table below summarises how we use data and why we are allowed to.
- Respond to enquiries & deliver audits. Lawful basis: our legitimate interests in responding to business enquiries; performance of a contract (or steps before entering a contract).
- Provide, operate & improve services. Lawful basis: performance of our contract with you; our legitimate interests in running and improving Lucevo.
- Service-related communications: account, billing, support, incident notifications, changes to terms. Lawful basis: performance of our contract; legal obligation; our legitimate interests.
- Direct marketing (B2B): cold outreach to hotel decision-makers via email, LinkedIn, or phone. Lawful basis: our legitimate interests in growing our business, in line with PECR. You can opt out at any time (see Section 09).
- Sales pipeline & forecasting: manage prospects, track sales activity, forecast revenue. Lawful basis: our legitimate interests in running a commercial business.
- Website operation & analytics: operate our website, analyse usage, detect abuse, improve user experience. Lawful basis: our legitimate interests; consent for non-essential cookies (see Section 10).
- Legal & regulatory compliance: tax, accounting, responding to lawful requests. Lawful basis: legal obligation.
- Legal claims: establish, exercise, or defend legal claims. Lawful basis: our legitimate interests; legal obligation.
Where we rely on legitimate interests, we have carried out a balancing assessment to make sure your rights and freedoms do not override those interests. You can contact us at [email protected] for more detail on any specific balancing test.
Automated decision-making affecting hotel guests
Where our agents contribute to decisions that may significantly affect a hotel guest or other end user of a client (for example, automated booking acceptance or declines, upgrade decisions, or complaint routing), our Data Processing Addendum requires the client — as data controller — to maintain the automated-decision-making safeguards set out in the UK GDPR as amended by the Data (Use and Access) Act 2025 (including the framework at Articles 22A–22D), covering meaningful human review, the right to be informed about and to contest the decision, and the right to express a point of view. Lucevo configures its agents to support these safeguards, but the client is ultimately responsible for their implementation in the guest relationship.
Lucevo itself does not use your personal data to take solely automated decisions that produce legal or similarly significant effects on you, unless this is permitted under UK law and we put in place the safeguards required by law, which may include human review, the ability to contest the decision, and, where required, your explicit consent.
§ 07 · International transfers
Lucevo is based in the United Kingdom. Some of our sub-processors are located outside the UK and the European Economic Area (EEA), including in the United States.
Where we transfer personal data outside the UK or EEA, we rely on one of the following safeguards:
- Transfers to countries covered by a UK or EU adequacy decision
- The UK International Data Transfer Agreement or Addendum to the EU Standard Contractual Clauses
- EU Standard Contractual Clauses with any additional supplementary measures required
You can request a copy of the safeguards in place for a specific transfer by emailing [email protected].
§ 08 · How long we keep your personal data
We keep personal data only for as long as is necessary for the purpose we collected it for, including to meet legal, accounting, or reporting requirements.
- Prospect data (people we are contacting but who have not become clients): up to 24 months from last meaningful contact, unless you ask us to delete it sooner.
- Client relationship data: for the duration of the contract and up to 7 years after termination, to meet tax, accounting, and limitation-period requirements.
- Client-processed data (data processed on behalf of clients): as defined in the Data Processing Addendum with the client.
- Website analytics and cookie data: generally up to 26 months.
- Marketing unsubscribes: retained indefinitely, so that we do not contact you again.
When we no longer need your personal data, we delete it or securely anonymise it.
§ 09 · Your rights
Under UK GDPR and the Data (Use and Access) Act 2025 you have the following rights, free of charge, in relation to personal data we hold about you as a controller:
- Right to be informed — through this policy and our other communications.
- Right of access — to a copy of your personal data.
- Right to rectification — to have inaccurate data corrected.
- Right to erasure — to have your data deleted in certain circumstances.
- Right to restrict processing — to limit how we use your data in certain circumstances.
- Right to data portability — to receive your data in a structured, commonly used format.
- Right to object — including an absolute right to object to direct marketing.
- Rights in relation to automated decision-making and profiling — as updated by the DUAA 2025. Where the law gives you these protections, this includes the right to obtain human intervention, to express your point of view, and to contest the decision. We do not carry out such processing in a way that legally or significantly affects you without meeting the conditions of UK law and applying appropriate safeguards.
- Right to withdraw consent — where we rely on consent, at any time.
To exercise any of these rights, email [email protected]. We will respond within one month (we may extend this by a further two months for complex requests, and will tell you if we do).
We may need to verify your identity before acting on your request.
If you believe we have not handled your personal data properly, you can complain to the UK Information Commissioner’s Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
We would appreciate the chance to resolve the issue with you first, so please consider contacting us before approaching the ICO.
§ 11 · AI, agents, and automated processing
Because Lucevo builds and operates AI agents, we want to be explicit about how those systems handle personal data.
11.1 AI inference and model governance
We do not use your personal data, or your guests’ personal data, to train our own foundational AI models. Where Large Language Model (LLM) providers (such as Anthropic or OpenAI) are used for inference, we aim to use provider configurations that support no-training modes wherever supported under the relevant provider contract. Retention with those providers is limited to operational, abuse-monitoring, security, and legal-compliance needs.
11.2 How our agents are designed
Our agents are designed to follow the principles set out in ICO guidance on artificial intelligence and agentic AI, including:
- Purpose limitation — each agent is built for a defined, scoped purpose (for example, handling inbound reservation enquiries), and its tools and permissions are restricted to what is necessary for that purpose.
- Data minimisation — agents only access the data and systems they need, and sensitive fields are masked or excluded where not required.
- Human oversight — agents escalate to a human for defined categories of decision, and clients can review, override, or disable any agent at any time.
- Monitoring and logging — agent actions are logged so we and our clients can review them for compliance, quality, and error detection.
- No covert profiling — agents do not build hidden profiles of guests or staff beyond what is necessary to perform the agreed task.
Because large language models are probabilistic systems, responses generated by our agents may occasionally be inaccurate or incomplete. Where this involves personal data, you may request correction under Section 09.
11.3 Data Protection Impact Assessments (DPIAs)
Under Article 35 UK GDPR, a Data Protection Impact Assessment is required before deploying processing that is likely to result in a high risk to individuals, which will often be the case for AI systems processing personal data at scale.
For each new client engagement that involves personal data, Lucevo will:
- Support the client (as data controller) in carrying out a DPIA before agents go live
- Contribute a DPIA template and technical input covering the agents being deployed, the data flows, the risks identified, and the mitigations in place
- Record our conclusions and revisit the DPIA whenever agents, data flows, or risks change materially
Where the DPIA indicates a residual high risk that cannot be mitigated, the client is required to consult the ICO before proceeding, and we will not activate the affected agents until the issue is resolved.
11.4 Client responsibilities
Clients remain responsible for:
- Having an appropriate lawful basis for processing any guest or staff data passed to our agents
- Providing their own privacy information to guests and staff
- Maintaining the automated-decision safeguards under the UK GDPR as amended by DUAA 2025 (Articles 22A–22D) around any automated decisions that may significantly affect guests, as described in Section 05
- Promptly notifying us of data subject rights requests so we can assist
§ 12 · How we protect your personal data
We implement technical and organisational measures appropriate to the risk, including:
- Encryption of data in transit (TLS/HTTPS) and, where appropriate, at rest
- Access controls, role-based permissions, and the principle of least privilege for our systems
- Multi-factor authentication on critical accounts
- Secure credentials management (we do not store client passwords in plain text and we avoid handling credentials where possible)
- Error monitoring and logging on the systems that run our agents
- Regular backups with documented recovery procedures
- Vetting of sub-processors and written contracts requiring them to meet UK GDPR standards
- Staff obligations of confidentiality
No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours as required by law, and notify you without undue delay where the breach is likely to result in a high risk to you.
§ 13 · Children
Lucevo is a B2B service and is not directed at children. We do not knowingly collect personal data from children under the age of 16. If you believe a child has provided us with personal data, please contact [email protected] and we will delete it.
§ 14 · Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this policy and, where appropriate, notify you by email or through a notice on our website. Please check this page periodically.
§ 15 · How to contact us
For any questions, concerns, or requests relating to this policy or your personal data:
- [email protected]
- Website: https://lucevo.io
We aim to respond to all privacy-related enquiries within 5 working days, and to formal rights requests within one month as required by law.
This policy is a plain-English summary of how Lucevo handles personal data and is not a substitute for legal advice. If you represent a luxury property or hospitality group and need our data protection terms in contractual form, please request our Master Services Agreement and Data Processing Addendum.
End of Document · LUCEVO LTD · Company number 17136759 · Registered in England & Wales
Issued under authority: The Directors · LUCEVO LTD
Jurisdiction: England & Wales · Governing Law
Registrar: Companies House · No. 17136759