Privacy Policy

Plain language summary: Your business data belongs to you. We never sell it. It is stored in Europe. Anthropic (the AI provider behind Lucas) does not use customer API data to train its models, per its public Commercial Terms (data is kept up to 30 days for abuse-detection purposes only). With your explicit and revocable consent, anonymized excerpts of your interactions may contribute to training a future proprietary Vision BTP AI specialized in the BTP trade — you decide at signup and can change your mind at any time in Settings. You can export or delete your data at any time. We are fully GDPR compliant.

Who we are
Data we collect
Purposes and legal bases
Data recipients
AI processing and application
Data retention
Data security
International transfers
Your rights
Cookies
Children's privacy
Changes to this policy
Contact & DPO

1. Who We Are

Data Controller: Sylvain Chastang, sole proprietor (French micro-enterprise regime), trading under the LUCAS AI brand. SIREN 518 676 663 — SIRET 518 676 663 00033 — APE 62.01Z. Registered office: 6 Impasse des Magnolias, 26250 Livron-sur-Drôme, France. Email: contact@vision-btp.fr. VAT not applicable, French CGI art. 293 B.

GDPR Contact: Sylvain Chastang — contact@vision-btp.fr (external DPO to be appointed upon SAS transition).

Vision BTP processes personal data in connection with the provision of the LUCAS AI Service — an AI-powered administrative and financial management assistant for skilled tradespeople in the construction sector (BTP), delivered primarily via the Lucas mobile application and a web dashboard.

This Privacy Policy applies to all users of the LUCAS AI Service, including visitors to lucas-ai.fr, subscribers, and beta testers.

2. Data We Collect

2.1 Account and identity data

Full name, company name, SIRET number (French business registration);
Professional email address and phone number;
Billing address;
User account ID (used to link your identity to the Lucas application).

2.2 Business data (your data)

Quotes, invoices, purchase orders and their recipients;
Client and prospect information (names, contact details, addresses);
Construction site information, schedules and photos;
Financial data: cash flow, margins, payment statuses;
HR data: employee records, leave, working hours (Team and Patron plans);
Equipment and vehicle records;
Supplier invoices processed via the email integration feature.

2.3 Usage and technical data

Interaction logs with the Lucas application (messages, voice notes transcribed to text);
Dashboard connection logs, IP addresses, browser type;
Feature usage statistics (aggregated and anonymized for product improvement).

2.4 Payment data

Payment card data is processed exclusively by Stripe (PCI DSS Level 1 certified). LUCAS AI stores only the last four digits of the card, the card type, and the transaction reference. No full card number is ever stored on our servers.

2.5 Data you do NOT provide us

LUCAS AI does not collect and will never request: social security numbers, government-issued ID numbers, health data, political or religious opinions, or any special-category data under Article 9 GDPR.

3. Purposes and Legal Bases

Purpose	Legal basis (GDPR)	Retention
Providing and operating the LUCAS AI Service	Performance of contract (Art. 6(1)(b))	Duration of subscription + 90 days
Billing and subscription management	Performance of contract + legal obligation (Art. 6(1)(b)(c))	10 years (French accounting law)
Customer support and incident response	Performance of contract (Art. 6(1)(b))	3 years after last interaction
Sending transactional emails (invoices, alerts, digests)	Performance of contract (Art. 6(1)(b))	Duration of subscription
Sending newsletters and marketing communications	Consent (Art. 6(1)(a))	Until opt-out or 3 years of inactivity
Improving the Service (anonymized analytics)	Legitimate interest (Art. 6(1)(f))	Anonymized — no retention limit
Fraud detection and security	Legitimate interest (Art. 6(1)(f))	12 months
Compliance with legal obligations	Legal obligation (Art. 6(1)(c))	As required by applicable law

4. Data Recipients

4.1 Internal access

Access to personal data is restricted to authorized LUCAS AI personnel on a strict need-to-know basis, bound by confidentiality obligations.

4.2 Sub-processors

We use the following third-party sub-processors to deliver the Service:

Sub-processor	Role	Location	Safeguards
Supabase, Inc.	Database & backend hosting	EU (Frankfurt, Germany)	SOC 2 Type II, ISO 27001, DPA signed
Anthropic, PBC	AI engine (Claude API)	USA	Zero data retention policy, SCCs, DPA signed
Lucas Application	Primary user interface	UAE / distributed	Application data handled per this Privacy Policy
Stripe, Inc.	Payment processing	USA / EU	PCI DSS Level 1, SCCs, DPA signed
Netlify, Inc.	Website hosting & CDN	USA / EU CDN nodes	DPA signed, EU data residency option
Brevo (Sendinblue)	Transactional email	EU (France)	ISO 27001, GDPR compliant, DPA signed

4.3 No sale of data

LUCAS AI never sells, rents, or monetizes your personal data or business data to any third party, under any circumstances.

4.4 Legal disclosure

We may disclose your data to competent authorities when legally required to do so (e.g., court order, regulatory request). We will notify you of such a request to the extent permitted by law.

5. AI Processing and Application

5.1 How Lucas processes your messages

When you send a message or voice note via the Lucas application, the following occurs:

Voice notes are transcribed to text on our servers (Whisper API or equivalent);
The text content of your message is transmitted to Anthropic's Claude API to generate a response;
The response is returned to you via the application;
The interaction is logged in your LUCAS AI account for continuity and dashboard display.

5.2 What Anthropic sees

Only the textual content of your messages is transmitted to Anthropic. No direct identifiers (name, SIRET, email) are included in API calls. Per Anthropic's public Commercial Terms, API customer data is not used to train Anthropic's AI models; it may be retained for up to 30 days for Trust & Safety purposes (abuse detection) and is then deleted. A Data Processing Addendum (DPA) with Anthropic is being put in place to formalize these obligations contractually.

5.3 Application data

LUCAS AI only processes the content of messages you send through the Lucas application. We do not access your personal contacts, other applications, or device metadata beyond what is necessary to operate the service.

5.4 Lucas memory (personalization)

To personalize its replies and avoid asking you the same questions twice, Lucas remembers — strictly within your account (multi-tenant isolation) — your usage preferences and facts you have declared about your business (your accountant, your usual suppliers, your work methods, conversation history over a 12-month rolling window). This memory is inseparable from the service and is processed on the legal basis of contract performance (Art. 6(1)(b) GDPR). From Settings → My data, you may at any time view, correct or erase what Lucas has memorized about you.

5.5 Training of the proprietary Lucas AI (opt-in)

With your explicit and revocable consent, your interactions with Lucas may contribute to training a future proprietary Vision BTP AI specialized in the BTP trade. This processing is separate from the service and subject to the following safeguards:

Explicit opt-in: a dedicated, pre-unticked checkbox at signup. Revocable at any time from Settings → My data → Contribution to Lucas AI.
Systematic anonymization before any storage in the dataset: removal of client names, jobsite addresses, phone numbers, emails, IBANs, and identifiable amounts; cryptographic hashing of your artisan identifier.
No re-identification possible from the trained model (verified by an internal DPIA).
No commercial sharing: the dataset remains the exclusive property of Vision BTP and is never sold, leased or transferred.

Legal basis: consent (Art. 6(1)(a) GDPR). Withdrawal: at any time in Settings; your future interactions immediately stop contributing to the dataset. Retention of past contributions: data that has already been anonymized (before withdrawal or account deletion) is retained indefinitely in the dataset. Under Article 11 GDPR, anonymous data ceases to constitute personal data once re-identification is impossible.

5.6 Email intelligence feature

If you enable the email management feature (Patron plan), LUCAS AI accesses your dedicated professional email inbox (a specific email address provided for this purpose — not your personal inbox) to read, classify and process incoming messages. You may revoke this access at any time from the dashboard. LUCAS AI will never access or request access to your personal email account.

6. Data Retention

We retain personal data only for as long as necessary for the purposes described in Section 3. Key retention periods:

Active subscription: All account and business data retained for the duration of the subscription;
Post-cancellation: Business data retained for 90 days to allow data export, then permanently deleted;
Billing records: 10 years (French legal obligation — Article L123-22 of the Commercial Code);
Support tickets: 3 years from last interaction;
Connection logs / security: 12 months;
Failed trial (no conversion): Account data deleted 30 days after trial expiration.

Upon your written request, we can accelerate deletion outside of legally mandated retention periods. Contact: contact@vision-btp.fr

7. Data Security

We implement the following technical and organizational security measures:

Encryption in transit: HTTPS / TLS 1.3 on all web and API communications;
Encryption at rest: AES-256 database encryption via Supabase;
Data isolation: Row Level Security (RLS) — each customer can only access their own data;
Access control: Production data access limited to authorized personnel with strong authentication (MFA);
Backups: Automated daily backups with 30-day retention;
Monitoring: Real-time anomaly detection and alerting;
Secure development: Security reviews for all major releases.

7.1 Data breach notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the CNIL (French Data Protection Authority) within 72 hours as required by Article 33 GDPR. If the breach poses a high risk to you, we will also notify you directly without undue delay.

8. International Data Transfers

Some of our sub-processors (Anthropic, Stripe, Netlify) are based outside the European Economic Area (EEA), primarily in the United States. These transfers are safeguarded by:

Standard Contractual Clauses (SCCs) approved by the European Commission;
EU-U.S. Data Privacy Framework certification where applicable;
Data Processing Agreements (DPAs) signed with each sub-processor.

For information on the specific safeguards applicable to any transfer, please contact: contact@vision-btp.fr

9. Your Rights

Under the GDPR (Articles 15–21), you have the following rights over your personal data:

Right of Access (Art. 15)

Obtain a copy of all personal data we hold about you.

Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete data.

Right to Erasure (Art. 17)

Request deletion of your data, subject to legal retention obligations.

Right to Data Portability (Art. 20)

Receive your data in a structured, machine-readable format (CSV/JSON).

Right to Object (Art. 21)

Object to processing based on our legitimate interests.

Right to Restriction (Art. 18)

Request temporary suspension of data processing in certain cases.

Right to Withdraw Consent

Withdraw consent at any time for processing based on consent (marketing, analytics cookies).

Right to Lodge a Complaint

File a complaint with the CNIL: cnil.fr

How to exercise your rights

Send your request to: contact@vision-btp.fr — Subject: "GDPR Rights Request — [your SIRET or account email]"

Response time: maximum 30 days (extendable to 3 months for complex requests, with notification within the first month).

We may request proof of identity to protect your data from unauthorized access.

10. Cookies

The LUCAS AI website (lucas-ai.fr) uses cookies. We use:

Strictly necessary cookies: Required for the website to function (session management, authentication). No consent required.
Analytics cookies: Aggregated, anonymized audience measurement (e.g., page views). Requires consent.
No third-party advertising cookies are placed without prior consent.

You can manage your cookie preferences via our cookie banner or at any time in your browser settings. For full details, see our Cookie Policy (French).

11. Children's Privacy

The LUCAS AI Service is exclusively intended for professional use by business owners and their employees. The Service is not directed at children under the age of 16. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately at contact@vision-btp.fr and we will delete it promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will notify you of any material changes by email with at least 30 days' advance notice. The current version is always available at lucas-ai.fr/privacy-policy.html with its last-updated date.

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. If you do not agree, you may cancel your subscription before the changes take effect.

13. Contact & Data Protection Officer

For any question, request, or complaint regarding this Privacy Policy or the processing of your personal data:

Sylvain Chastang — Data Protection Officer
Vision BTP — LUCAS AI
Livron-sur-Drôme (26250), France
Email: contact@vision-btp.fr
Subject: "Privacy / DPO — LUCAS AI"

Supervisory Authority:
CNIL — Commission Nationale de l'Informatique et des Libertés
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
cnil.fr

Table of Contents