Luza — Privacy Policy

01

Who we are

Luza is a companion calling service that arranges regular phone calls between an AI companion and older adults. The service is set up and managed by the adult child or carer of the person receiving calls.

When we say "you" in this policy, we mean the adult child or carer who signed up. When we say "your mum" or "the senior", we mean the person who receives the calls.

02

What data we collect

We collect only what is needed to run the service:

About you: your name, email address, mobile number, and relationship to the senior
About the senior: first name, phone number, country of residence
Call preferences: preferred call times (morning and/or evening), conversation topics she enjoys, anything Luza should avoid
Payment: plan selected (weekly or monthly). Card details are handled entirely by Paddle — we never see or store them
Technical: timestamps of account creation and calls

We do not collect passwords. Access to your account is via a magic link sent to your email — nothing to remember.

03

How we use your data

To make AI-assisted calls to the senior at the times you choose
To personalise Luza's conversation based on topics and preferences you provided
To send you an SMS summary after each call so you know how it went
To send you a magic link to access and edit your account
To process and manage your subscription via Paddle
To contact you about important service updates (no marketing without consent)

We do not sell your data. We do not use it for advertising. We do not train AI models on your data.

04

Third-party services

We use the following services to run Luza. Each has its own privacy policy.

Service	Purpose	Data shared
Supabase	Database and authentication	All account data; email for magic link
Vapi	AI calling platform	Senior's phone number, name, conversation topics
Twilio	SMS delivery	Your mobile number; call summary text
Paddle	Payment processing	Your name, email, plan. Paddle acts as merchant of record and handles all card data independently

05

Where your data is stored

All data is stored in Supabase, hosted on AWS infrastructure in the EU (Frankfurt region). Data is encrypted in transit (TLS) and at rest.

Access to your account data in our database is restricted to authenticated users only — you can only view and edit your own records.

06

How long we keep your data

Active accounts: data is kept for as long as your subscription is active
After cancellation: we retain your data for 30 days in case you want to reactivate, then delete it
Incomplete signups (started but did not pay): data in pending_signups is deleted after 7 days
Call logs: not stored by Luza — Vapi may retain call metadata per their own policy

07

Your rights

You have the right to:

Access — see all data we hold about you and the senior
Edit — update any details at any time from your account page
Delete — request full deletion of your account and all associated data
Portability — receive a copy of your data in a readable format
Object — opt out of any non-essential use of your data

To exercise any of these rights, email us. We'll respond within 5 working days.

08

Cookies and local storage

We use browser localStorage to remember your mum's name across the payment step so the confirmation screen shows her name correctly. This data stays only on your device and is cleared after use.

We do not use tracking cookies or third-party analytics cookies.

Supabase uses a session token stored in localStorage to keep you logged in to your account page. This is deleted when you sign out or after 7 days of inactivity.

09

Children's data

Luza is not intended for use by children under 18. We do not knowingly collect data from anyone under 18. If you believe a minor has submitted data, please contact us and we will delete it promptly.

10

Changes to this policy

If we make material changes to how we handle your data, we will notify you by email before the changes take effect. The "Last updated" date at the top of this page always reflects the current version.