Privacy Notice (United Kingdom)
This Privacy Notice explains how LucroVox UK ("LucroVox", "we", "us") collects and uses personal data in the United Kingdom. It is written to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and amendments brought in by the Data (Use and Access) Act 2025. If you are reading this from outside the United Kingdom or the EEA, please refer instead to our global Privacy Policy.
Data controller
LucroVox UK
Suite 33, Hero, 328 Kingston Road, Wimbledon, London SW20 8BU, United Kingdom
Email: privacy@lucrovox.com
1. Who this notice covers
This notice covers personal data we collect from:
- Visitors to lucrovox.com/uk — analytics and basic site interactions.
- Customers — businesses that subscribe to LucroVox services and the staff users associated with them.
- End callers — people who ring a phone number that is answered by a LucroVox AI agent operated on behalf of one of our customers.
- Prospects, partners and applicants — people who contact us, apply to our partner programme, or apply for jobs.
2. Controller / processor split
LucroVox is a data controller for the data we collect for our own business purposes (visits to our website, customer accounts, prospect enquiries, partner records, payments). LucroVox is a data processor for personal data we process on behalf of our customers — including call transcripts, summaries, call metadata and lead data captured by the voice agent operating on the customer's number. The customer is the controller for that data, governed by the Data Processing Agreement that forms part of their service agreement with us.
3. What we collect and why
| Category | Examples | Lawful basis (UK GDPR Art. 6) |
|---|---|---|
| Account data | Name, work email, business name, role, billing address. | Contract performance. |
| Payment data | Card details (held by Stripe; we receive only tokens), invoice records. | Contract performance, legal obligation. |
| Call data (as processor) | AI-generated transcripts, summaries, captured lead fields, and call metadata (time, duration, caller number). LucroVox does not store audio recordings by default. | The customer's lawful basis as controller. We process under their instructions. |
| Prospect data | Business name, contact name, email/phone provided in enquiries, partner-collected leads. | Legitimate interests (B2B prospecting), with right to object. |
| Site analytics | IP-derived country, page views, device type, referrer, conversion events. | Consent (where cookies are non-essential), legitimate interests for purely essential telemetry. |
4. AI voice agent — how it works
When a caller rings a number operated by LucroVox on behalf of a customer, our voice agent answers and may collect details such as the caller's name, contact information, reason for calling, and booking preferences. LucroVox does not store audio recordings by default. However, call audio is processed in real time so the voice agent can respond and generate a text transcript for lead capture and service delivery. The agent may inform the caller that the call could be transcribed for quality purposes. Telephony and AI providers may process call audio, transcripts, and related metadata as needed to deliver the service under their applicable data processing terms. The customer (the business that subscribes to LucroVox) is the controller of transcript data.
LucroVox does not handle 999 or 112 emergency calls. Customers are required to ensure end callers retain access to their existing emergency arrangements.
5. Sub-processors
We use the following sub-processors to deliver the LucroVox service. The current list is also published at /legal/sub-processors and we notify customers at least 30 days before adding a new sub-processor.
- Twilio — telephony (UK / US).
- OpenAI / Anthropic — AI model inference for voice and language (US).
- Supabase — application database and authentication (EU / US regions).
- Stripe — payment processing (UK / US).
- SendGrid (Twilio) — transactional email (US).
- Vercel — web hosting and edge networking (global).
6. International data transfers
Some of our sub-processors are based outside the UK. Where we transfer personal data outside the UK (or the EEA, where applicable), we rely on appropriate safeguards under UK GDPR — typically the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, plus any applicable adequacy decision.
7. Retention
- Account data — for the duration of the customer relationship plus six years for tax / accounting records.
- Call transcripts — retained per the customer's configured retention period (default 3 months) and deleted automatically thereafter, or on request, subject to legal hold. LucroVox does not store audio recordings by default.
- Prospect data — up to 24 months from last meaningful interaction unless the prospect objects sooner.
- Site analytics — up to 14 months in aggregated form.
8. Your rights under UK GDPR
You have the right to:
- Be informed about how we use your personal data (this notice).
- Request a copy of the personal data we hold about you (Subject Access Request).
- Have inaccurate data rectified.
- Have your data erased where the lawful basis no longer applies.
- Restrict or object to processing — including profiling and direct marketing.
- Receive your data in a portable form (data portability).
- Not be subject to a decision based solely on automated processing where it produces legal or similarly significant effects (subject to limited exceptions).
To exercise any of these rights, email privacy@lucrovox.com. We respond within one calendar month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk, phone 0303 123 1113.
9. Cookies and electronic communications (PECR)
We use only essential cookies plus, with consent, analytics and conversion-tracking cookies. You can change your choice at any time via the cookie banner or by clearing cookies for our domain. We do not use pre-ticked boxes or cookie walls. We do not place marketing cookies before you have actively consented.
10. Data security
We apply technical and organisational measures appropriate to the risk, including encryption in transit and at rest, role-based access control, row-level security on tenant data, audit logging, and regular review of sub-processor security postures. Where a personal data breach is likely to result in risk to data subjects, we notify the ICO within 72 hours of becoming aware of it.
11. Children
The LucroVox service is sold to businesses (B2B). It is not intended for use by children under 18.
12. Changes to this notice
We may update this notice from time to time. Material changes will be notified by email to active customers and partners and posted at the top of this page.
Contact
For any privacy question, email privacy@lucrovox.com or write to LucroVox UK, Suite 33, Hero, 328 Kingston Road, Wimbledon, London SW20 8BU.