Privacy Policy

Lucendus Privacy Statement


Effective date: April 15, 2026

Last updated: April 15, 2026

Data controller: Prometheus Engineering SL ("Lucendus", "we", "us", "our")

Contact: privacy@lucendus.com

Our Core Commitment

Lucendus exists to help operations teams run better — not to monetise their data. We will state it plainly:

We do not sell, rent, trade, or otherwise transfer your personal data or your organization's operational data to third parties for their own commercial purposes. Ever.

This commitment applies to all tenant data, user data, asset records, work-order histories, telemetry, documents, and any other information you entrust to our platform.

What Data We Collect and Why

Account and identity data

When you or your organization sign up for Lucendus, we collect the information needed to create and secure your account: names, email addresses, job titles, and authentication credentials. We use this data solely to operate the service, verify your identity, and communicate with you about your account.

Operational data

The core of what you store in Lucendus — asset hierarchies, maintenance records, work orders, inspection results, documents, relationship maps, location data, and similar operational information — belongs to your organization. We process this data exclusively to deliver the service you have contracted for.

Usage and diagnostic data

We collect anonymized usage metrics and technical diagnostics (page views, feature adoption, error rates, performance counters) to maintain, secure, and improve the platform. This data is aggregated and cannot be used to identify individual users or reconstruct your operational records.

AI processing data

Lucendus uses artificial intelligence to help you ingest documents, surface insights, and interact with your data conversationally. When our AI features process your data, the following protections apply:

  • Your data is processed solely to deliver the AI feature you invoked.
  • Your data is not used to train general-purpose AI models.
  • AI-generated outputs (summaries, recommendations, charts) derived from your data are treated with the same confidentiality as the source data.
  • You retain full control over whether and when AI features are activated.

How We Use Your Data

We use the data described above for the following purposes only:

  • Delivering the service - operating the platform, authenticating users, executing your queries and workflows.
  • Maintaining security - detecting threats, preventing fraud, responding to incidents.
  • Providing support - resolving issues you report to us.
  • Improving the platform - using aggregated, anonymised metrics to guide product development.
  • Meeting legal obligations - complying with applicable law, regulation, or enforceable governmental request.

We do not profile you for advertising. We do not serve ads. We do not build shadow profiles from your data.

Legal Bases for Processing (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Performance of a contract - processing necessary to deliver the Lucendus service under your subscription agreement.
  • Legitimate interests - platform security, fraud prevention, and aggregated analytics, balanced against your rights and freedoms.
  • Legal obligation - where required by applicable law.
  • Consent - where you have given specific, informed consent (for example, for optional marketing communications), which you may withdraw at any time.

Data Sharing

We share your data only in these limited circumstances:

  • Infrastructure providers - we use cloud infrastructure services (currently Microsoft Azure, hosted in the EU) to operate the platform. These providers act as sub-processors under binding data processing agreements and do not have independent rights to use your data.
  • At your direction - if you instruct us to integrate with a third-party service (for example, an accounting system or messaging platform), data will flow to that service under your integration configuration.
  • Legal requirements - if we are compelled to disclose data by a court order or enforceable legal process, we will notify you where legally permitted.
  • Business transfers - in the event of a merger, acquisition, or asset sale, your data would be subject to the same privacy commitments, and you would be notified in advance.

We do not engage in data brokering, behavioral advertising, or any other practice that treats your information as a product.

Data Retention

We retain your data for the duration of your subscription and for a reasonable wind-down period afterward (typically 90 days) to allow you to export your records. After that period, your data is permanently deleted from our production systems and backups in accordance with our data retention schedule.

You may request earlier deletion at any time, subject to any legal retention obligations.

Data Security

We employ industry-standard technical and organizational measures to protect your data, including encryption in transit (TLS 1.2+) and at rest, network segmentation, role-based access controls, audit logging, and regular security assessments. Our infrastructure runs in EU-based Azure regions with ISO 27001 and SOC 2 certified data centers.

International Transfers

Data for EU-based companies is stored within the European Union. Data for companies based in the US and the Americas is stored in one or more data centers in the US. We will continue to expand our support of sovereign clouds to keep your data close to you and within the legal framework that best matches your company's main location. If circumstances ever require transfer to a jurisdiction outside the EU/EEA, we will ensure appropriate safeguards are in place (such as Standard Contractual Clauses or an adequacy decision) and will update this statement accordingly.

Your Rights

Depending on your jurisdiction, you have the right to access, correct, delete, port, or restrict the processing of your personal data, and to object to certain types of processing. You also have the right to lodge a complaint with your local data protection authority.

For details on how to exercise these rights, see our [Data Subject Access Request (DSAR) FAQ](/dsar-faq).

EU AI Act Transparency (Regulation (EU) 2024/1689)

Lucendus is committed to responsible, transparent use of artificial intelligence in compliance with the EU AI Act. The following disclosures apply to AI-powered features within the platform:

System classification

We assess the AI components embedded in Lucendus as limited-risk or minimal-risk AI systems under the EU AI Act. They are decision-support tools that assist human operators — they do not autonomously make high-risk decisions affecting health, safety, employment, or fundamental rights without human oversight.

Transparency obligations

  • AI-generated content is clearly labelled. When a response, recommendation, chart, or summary is produced by an AI component, the interface indicates this clearly.
  • Human oversight is preserved. AI outputs are advisory. Users approve, reject, or modify all AI-generated suggestions before they take effect in operational workflows.
  • No prohibited practices. Lucendus does not employ subliminal techniques, exploit vulnerabilities, perform social scoring, or engage in any practice prohibited under Article 5 of the AI Act.

Data governance for AI

  • Training data, where applicable, is sourced from our own platform documentation and publicly available technical references — not from tenant operational data.
  • We maintain records of AI system design, intended purpose, and risk assessments as required by applicable provisions of the AI Act.
  • We monitor AI system performance for accuracy, robustness, and cybersecurity on an ongoing basis.

Conformity and review

As implementing regulations and harmonised standards under the AI Act are finalised, we will update our compliance posture and this statement accordingly. We welcome questions about our AI governance practices at privacy@lucendus.com.

Children's Privacy

Lucendus is a business-to-business platform and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children.

Changes to This Statement

We may update this privacy statement from time to time. Material changes will be communicated through the platform and/or by email to account administrators. The "last updated" date at the top of this page reflects the most recent revision.

Contact Us

If you have any questions about this privacy statement or our data practices, contact us at:

Prometheus Engineering SL

Email: privacy@lucendus.com

Web: https://lucendus.com

You may also contact our Data Protection Officer at dpo@lucendus.com.
