Privacy Policy

How we handle your data — in plain English, with the legal details intact.

Last Updated: 2026-04-21
Applies To: All services
Jurisdiction: United States

1. Overview

This Privacy Policy describes how Karim Lukita, a sole proprietor doing business as Lukita Dev ("Lukita Dev," "we," "us," or "our") collects, uses, stores, shares, and protects information when you use our websites, our AI phone receptionist Nathan, and related services (the "Services").

By using the Services, you consent to the practices described in this policy. This policy should be read alongside our Terms of Service.

2. Information We Collect

Account and business information

When you create an account, purchase a plan, or onboard your practice, we collect: email address, business / practice name, business phone number, billing address, and payment information (tokenized and processed by Stripe — we never store full card numbers).

Call data (Nathan AI receptionist)

When Nathan answers calls on your behalf, we collect and process: inbound caller phone numbers, call audio recordings, AI-generated transcripts, call metadata (duration, timestamps, outcome), and any information the caller provides during the conversation (name, reason for calling, preferred appointment time, etc.).

Usage analytics

We collect standard web analytics on our public pages and dashboards: page views, referrer URL, approximate geolocation (derived from IP), device / browser user-agent, and API request logs. This is collected by our hosting provider (Vercel) and our own instrumentation.

Cookies

We use session-only cookies for authentication (to keep you logged in to dashboards). See Section 11 for details.

3. How We Use Information

  • To deliver the Services: route calls to Nathan, generate transcripts, send booking confirmations, render your dashboard, process payments.
  • To improve our AI: transcripts and call recordings may be reviewed by Lukita Dev personnel or used to refine prompts, detect failure modes, and improve accuracy. Customers on the Scale tier may opt out of quality-assurance review — contact us to enable.
  • To bill you: charge your payment method, send invoices and receipts, respond to billing inquiries.
  • To communicate: send transactional email (receipts, service notices, security alerts) and, if you opt in, product updates.
  • To comply with law: respond to lawful subpoenas, enforce our Terms, investigate fraud or abuse, and meet regulatory obligations.
  • To keep the Services secure: detect and mitigate abuse, rate-limit traffic, investigate security incidents.

4. Sub-Processors

We rely on the following third-party service providers to operate the Services. Each is contractually obligated (via their standard terms) to handle data only for the purposes we direct and to maintain reasonable security controls.

| Processor  | Purpose                                   | Data                                          | Location             |
|------------|-------------------------------------------|-----------------------------------------------|----------------------|
| Vapi       | Voice AI telephony — powers Nathan calls  | Call audio, transcripts, phone numbers        | United States        |
| ElevenLabs | Text-to-speech voice synthesis            | Text prompts, synthesized audio               | United States        |
| Supabase   | Database and authentication               | Account info, transcripts, metadata           | United States        |
| Stripe     | Payments and billing                      | Name, email, billing address, card (tokenized)| United States        |
| Resend     | Transactional email delivery              | Email address, message content                | United States        |
| Telegram   | Internal operational alerts               | Service-level event metadata only             | Global (Cloud API)   |
| Vercel     | Web hosting and CDN                       | IP address, request logs, page views          | United States / Edge |

We review this list as we add or change infrastructure. Material changes are reflected in the Last Updated date at the top of this policy.

5. How We Share Information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We share information only in these circumstances:

  • With sub-processors listed in Section 4, strictly to deliver the Services.
  • With you and your authorized users (e.g. your team accessing your dashboard).
  • For legal reasons: in response to valid legal process (subpoena, court order), or to protect the rights, property, or safety of Lukita Dev, our users, or the public.
  • In a business transfer: if Lukita Dev is acquired, merged, or sells its assets, your information may transfer to the successor entity. We will notify you of any such change.
  • With your consent: in any other case where you have explicitly asked us to share.

6. Data Retention

We retain information only for as long as needed to provide the Services and meet legal or accounting obligations.

  • Call transcripts and recordings — default: 90 days from the call date, after which they are deleted from active systems.
  • Scale tier retention options: customers on the Scale tier may elect a 30-day retention window or zero-retention mode (transcripts purged immediately after delivery to your dashboard / webhooks). Contact us to enable.
  • Account and billing records: retained for the life of the account plus seven (7) years after termination, to comply with tax and financial-record obligations.
  • Server / access logs: 30 days.
  • Support correspondence: 2 years from last contact.

Deletion from active systems is not immediately reflected in encrypted backups; those backups rotate out within 35 days under our standard retention schedule, after which the deleted data no longer exists in any copy we hold.

7. Your Rights

Subject to applicable law, you have the right to:

  • Access — request a copy of the personal information we hold about you.
  • Correct — ask us to fix inaccurate or incomplete information.
  • Delete — ask us to delete personal information, subject to legitimate business / legal retention needs.
  • Export — receive a machine-readable copy of your data.
  • Opt out of QA review of transcripts (Scale tier only, as described in Section 3).
  • Withdraw consent where processing is based on consent.

Email lukita-communications@cleopatradelights.com with your request. We respond within 30 days and will verify your identity before acting. We do not charge a fee for reasonable requests.

8. HIPAA Disclosure

Lukita Dev is NOT a HIPAA Covered Entity and is NOT acting as a HIPAA Business Associate in its standard service tiers. The Services are NOT a substitute for a HIPAA-compliant medical records or communication system.

Customers must not submit, collect, store, or transmit Protected Health Information (PHI) as defined by 45 C.F.R. § 160.103 through the Services unless and until a separate, signed Business Associate Agreement (BAA) and HIPAA-tier arrangement is in place with Lukita Dev.

Nathan is configured not to solicit PHI. Our voice assistant is instructed to redirect calls to practice staff when a caller volunteers clinical information. If your practice needs HIPAA coverage for clinical-intake workflows, contact us to scope a HIPAA-tier engagement — this is a separate commercial arrangement requiring sub-processor BAAs and legal review.

See Section 6 of our Terms of Service for the full legal treatment of this restriction, including Customer's indemnification obligation for any PHI improperly submitted.

9. State-Specific Rights

Residents of certain U.S. states have additional rights under state privacy laws. The rights described in Section 7 already cover most of these, but the following laws grant specific named rights:

  • California (CCPA / CPRA): right to know categories and specific pieces of personal information collected, right to delete, right to correct, right to opt out of "sale" or "sharing" (we do neither), right to limit use of sensitive personal information, and right to non-discrimination for exercising these rights.
  • Virginia (VCDPA): right to access, correct, delete, obtain a portable copy, and opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions producing legal or similarly significant effects.
  • Colorado (CPA): right to access, correct, delete, data portability, and opt out of targeted advertising, sale, and profiling.
  • Connecticut (CTDPA): right to access, correct, delete, data portability, and opt out of targeted advertising, sale, and profiling.

To exercise any of these rights, email lukita-communications@cleopatradelights.com. You may also authorize an agent to act on your behalf; we will verify the agent's authority before acting. You have the right to appeal a denial of your request — instructions will be included in any denial response.

10. Children's Privacy

The Services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. This is consistent with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506.

If you believe we have collected information from a child under 13, contact us immediately at lukita-communications@cleopatradelights.com and we will delete it.

11. Cookies and Tracking

Our public marketing site uses session cookies only — small files that expire when you close your browser. We use them to keep you logged in to dashboards and to remember your session. We do not use third-party tracking pixels, advertising cookies, or cross-site behavioral tracking on our public pages.

Our hosting provider (Vercel) and analytics instrumentation may set first-party cookies for essential functions (load balancing, request routing, aggregate analytics). These do not track you across other sites.

Most browsers let you control cookies through their settings. Blocking session cookies may break authentication on customer dashboards.

12. International Users (GDPR)

The Services are operated from the United States and intended for U.S.-based customers. We do not specifically target users in the European Economic Area (EEA), the United Kingdom, or other non-U.S. jurisdictions.

If you access the Services from outside the United States, you understand that your information will be transferred to, processed, and stored in the United States, where privacy laws may differ from those in your country.

To the extent the EU General Data Protection Regulation (GDPR) or the UK GDPR applies to a limited processing activity: Lukita Dev acts as a data processor for call data handled on behalf of a customer business, and as a data controller for account and billing information. Lawful bases we rely on include: contract performance (to deliver the Services), legitimate interests (to secure, improve, and bill for the Services), consent (where applicable), and legal obligation (for tax and financial records).

13. Security

We implement reasonable administrative, technical, and physical safeguards designed to protect personal information: encryption in transit (TLS 1.2+), encryption at rest for databases, access controls for personnel, and audit logging. No method of transmission over the internet or storage is 100% secure, and we cannot guarantee absolute security.

If we experience a security breach affecting your personal information, we will notify you and any required regulators in accordance with applicable law.

14. Changes to This Policy

We may update this Privacy Policy from time to time. The Last Updated date at the top reflects the most recent revision. Material changes will be communicated via email to active customers and / or a prominent notice on our website at least 7 days before taking effect. Continued use of the Services after the effective date constitutes acceptance of the updated policy.

15. Contact Us

For questions, concerns, or to exercise any right described in this policy, contact:

Karim Lukita
d/b/a Lukita Dev
State of Florida, United States
Email: lukita-communications@cleopatradelights.com

We aim to respond to privacy requests within 30 days.