This Privacy Policy explains how Maksim Stokolesov, a self-employed individual (Trabalhador Independente) registered in Portugal and operating the service Luza ("we", "us", "our"), collects and processes personal data of our customers and the people we call.
Our service is offered to residents of the United Kingdom. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). We act as the data controller.
If you have any questions, contact us at makegrandmassmile@gmail.com.
1. Who this policy applies to
Two groups of people are involved with Luza:
The Subscriber
The adult (usually an adult child or relative) who creates the account and pays for the Service.
The Call Recipient
The person Luza calls, nominated by the Subscriber (usually an elderly parent).
This policy covers personal data of both.
2. What data we collect
From the Subscriber
- Name and email address.
- Phone number (if provided).
- Country of residence.
- Payment information — processed directly by Stripe. We receive only billing metadata (last 4 digits of card, transaction ID, amount), not the full card number.
- Account activity (logins, subscription status, plan changes, cancellation).
- Communications you send us (support emails, feedback).
From the Call Recipient
- Name and phone number.
- Preferred call times.
- Audio recordings of every call, stored on our voice infrastructure provider (Vapi).
- Text transcripts of every call, generated automatically from the audio.
- Information shared during the call — for example things the Recipient tells Luza about their day, family, health, or routine. This content sits inside the recordings and transcripts.
- Call metadata — date, time, duration, and outcome of each call.
- Short summaries of each call, generated automatically and shared with the Subscriber.
Calls are conducted by an AI assistant, not a human. This is disclosed to the Call Recipient at the start of their first conversation with Luza.
3. Why we process this data, and on what legal basis
| Purpose | Legal basis under UK GDPR |
|---|---|
| To set up and run the subscription service | Performance of a contract (Art. 6(1)(b)) |
| To place daily calls to the Call Recipient and to record them, so Luza can remember previous conversations and provide a continuous service | Consent of the Call Recipient (Art. 6(1)(a)), confirmed at the start of their first call |
| To process payments and prevent fraud | Contract and legal obligation (Art. 6(1)(b) and (c)) |
| To respond to support requests | Legitimate interest (Art. 6(1)(f)) |
| To improve the quality of the Service | Legitimate interest (Art. 6(1)(f)) |
| To comply with tax and accounting law | Legal obligation (Art. 6(1)(c)) |
Calls placed by Luza are scheduled service calls, not direct marketing, and therefore fall outside PECR Regulation 19. The Subscriber confirms at sign-up that they have the Call Recipient's permission to be contacted by Luza. The Call Recipient is additionally asked for their own consent, by voice, at the start of their first call.
4. How we obtain consent for call recording
Consent for recording is obtained in two stages:
- At sign-up, the Subscriber confirms in writing that they have permission from the Call Recipient to nominate them and that the Recipient understands their calls will be recorded.
- At the start of the first call, Luza tells the Call Recipient that she is an AI assistant, that the call is recorded, and that a short summary is shared with the family member who set up the calls, and asks if that is okay. The Recipient can decline — in which case the Service is not activated — or stop recording at any later point by telling Luza or asking the Subscriber to cancel.
Consent can be withdrawn at any time. Withdrawal does not affect the lawfulness of recording done before withdrawal, but we will stop further recording and, on request, delete past recordings.
5. Who we share data with
We do not sell personal data. We share it only with the service providers we need to operate Luza:
Stripe (Ireland / USA)
Payment processing. Receives Subscriber name, email, billing details, card data. See stripe.com/privacy.
Vapi (USA)
Voice AI infrastructure that places the calls, hosts audio recordings, and generates transcripts. Receives Call Recipient phone number, audio of the conversation, and transcripts.
Twilio (USA)
Telephony provider delivering the actual phone connection. Receives Call Recipient phone number and call metadata.
Supabase (USA / EU)
Database hosting for account data and conversation history. Stores Subscriber and Recipient details, transcripts, and metadata.
Vercel (USA)
Website and application hosting for luza.help. Processes basic technical data (IP address, browser type) when you visit the site.
Google Workspace (USA / EU)
Business email and operational tools.
Portuguese tax authorities and our accountant
Billing records, where required by Portuguese law.
All providers act as data processors on our behalf and are bound by data protection agreements requiring them to handle personal data only on our instructions and to UK GDPR-equivalent standards.
6. International transfers
Several providers are based in the United States. UK GDPR allows transfers outside the UK only with appropriate safeguards. We rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with each provider's certification under the UK Extension to the EU–US Data Privacy Framework where applicable.
7. How long we keep data
- Account data — for as long as the subscription is active, plus up to 12 months after cancellation.
- Audio recordings and transcripts — for as long as the subscription is active, so Luza can maintain continuity. Deleted within 90 days of cancellation, or sooner on written request from the Subscriber or Call Recipient.
- Billing and tax records — retained for the period required by Portuguese tax law (currently 10 years).
- Support correspondence — up to 3 years.
After these periods, data is deleted or anonymised.
8. Your rights under UK GDPR
Both Subscribers and Call Recipients have the right to:
- Access the personal data we hold about them.
- Correct inaccurate data.
- Delete their data ("right to be forgotten"), unless we are legally required to keep it.
- Restrict or object to certain processing.
- Receive a copy of their data in a portable format.
- Withdraw consent at any time, where processing is based on consent.
- Complain to the supervisory authority — the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113.
To exercise any of these rights, email makegrandmassmile@gmail.com. We respond within one calendar month, as required by UK GDPR.
9. Security
We take reasonable technical and organisational measures to protect personal data — encryption in transit, access controls, and limited internal access. No system is perfectly secure, but we treat data about elderly people with particular care.
10. Children
Luza is not intended for anyone under 18. We do not knowingly collect data about minors. If you believe we have, contact us and we will delete it.
11. Cookies and the website
The Luza website (luza.help) uses minimal cookies — only those needed for the site to function and for basic analytics. If we add marketing or tracking cookies in the future, we will ask for your consent first via a cookie banner.
12. UK representative
As we are based in Portugal but offer the Service to residents of the UK, we are required under Article 27 of the UK GDPR to appoint a UK representative. [To be appointed — placeholder until designated.]
13. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email to active Subscribers and posted on the website. Continued use after changes take effect means you accept the updated policy.
14. Contact
Maksim Stokolesov — Luza
Email: makegrandmassmile@gmail.com
Estrada Ponta da Oliveira, n.º 20, Bloco C, 4.º BN, 9125-035 Caniço, Portugal