Privacy Policy

This Privacy Policy explains how LusyChat ("we", "our", "us") collects, uses, shares, and protects personal data in connection with the website lusychat.ai and our related services (collectively, the "Service"). We are committed to processing your personal data lawfully, fairly, and transparently in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Maltese Data Protection Act, and other applicable laws.

1. Who We Are

LusyChat is the controller of the personal data processed through the Service. We operate from Malta, with a correspondence address at Villa Malitah, The Village, Triq Il-Mediterran, San Giljan STJ 1870, Malta. You can reach us at any time at contact@business.lusychat.ai.

2. Personal Data We Collect

2.1 Information you provide directly

• Account information: email address, username, password (stored hashed), date of birth or age confirmation, country of residence, language preference.
• Character configuration and conversation data: the text-based traits, personality descriptions, backstories, and other settings you choose for your AI characters; the avatar and voice profile you select from our pre-curated libraries; and your chat-message history with the AI character.
• Identity/age verification (when triggered for paid features or where required by law): government-issued ID image and a live selfie processed by our verification vendor (Sumsub), together with the results of the verification check. The live selfie is used only to complete the verification step and is not retained as a profile image. We do not retain raw ID images longer than necessary to complete verification and defend against fraud claims.
• Payment data: name, billing address, partial card data, and transaction identifiers. Full card numbers are collected and stored exclusively by our PCI-DSS-certified payment processor; we do not see or store full payment-card numbers.
• Communications: messages you send to support, abuse reports, content-removal requests, and survey responses.

2.2 Information collected automatically

• Device and connection data: IP address, browser type and version, operating system, device identifiers, screen size, time-zone offset.
• Usage data: pages viewed, features used, generation requests, click events, error logs, and approximate location derived from IP.
• Cookies and similar technologies: see Section 8.

2.3 Information from third parties

• Fraud-prevention and identity-verification providers (only the data needed to complete the check).
• Payment processors (transaction status, chargeback notices).
• Authentication providers, where you choose to sign in via a third-party identity provider.

3. Special Categories of Data

Sexual orientation, sexual preferences, and sexual content you generate through the Service may constitute "special category" data under Article 9 GDPR. Where this is the case, we process such data on the basis of your explicit consent (Article 9(2)(a) GDPR), which you give by voluntarily creating, prompting, or sharing such content while using the Service. You may withdraw this consent at any time by deleting the relevant content or your account.

4. How We Use Personal Data and Legal Bases

We process personal data for the following purposes and on the following legal bases:

• Providing the Service (performance of a contract, Article 6(1)(b)) — operating accounts, processing prompts and generations, delivering subscribed features, customer support.
• Age and identity verification (legal obligation, Article 6(1)(c); legitimate interests, Article 6(1)(f)) — preventing access by minors and verifying self-uploads.
• Trust, safety, and content moderation (legal obligation; legitimate interests in protecting users and the public from illegal content) — automated and human review, abuse detection, retention of evidence relating to suspected illegal material.
• Payment processing and fraud prevention (performance of a contract; legitimate interests; legal obligation) — billing, refunds, chargeback handling, anti-fraud.
• Service improvement (legitimate interests) — aggregated analytics, debugging, security testing. We do not use private user conversations to train our general-purpose AI models.
• Communications (performance of a contract; consent for marketing) — service updates, transactional emails, and — only with your separate consent — promotional emails.
• Compliance with legal requests (legal obligation) — responding to subpoenas, court orders, and lawful requests from regulators, payment partners, and law enforcement.

5. AI Training and Model Development

We use third-party and proprietary AI models to deliver the Service. Inputs you provide may be processed by these models in real time to generate responses. We do not use private one-to-one conversations, account credentials, payment data, or government-issued ID images to train our general-purpose generative-AI models. We may use anonymized, aggregated metrics (such as latency, model error rates, and abuse signals) to evaluate and improve safety classifiers and product features.

Where we offer optional features that involve training a model on your own User Content (for example, a personalized character), we will obtain your separate, informed consent and clearly describe the scope of the training.

6. How We Share Personal Data

We do not sell your personal data. We share personal data only in the following circumstances:

• Service providers and processors — cloud hosting, content-delivery networks, payment processors (including our merchant of record), AI model providers, identity-verification vendors, anti-fraud services, email delivery, and customer-support tools. These providers act under our instructions and pursuant to written data-processing agreements.
• Legal and safety disclosures — where required to comply with law, respond to lawful requests, enforce our Terms, prevent fraud or harm, or protect the rights, property, or safety of any person. In suspected child-sexual-abuse-material ("CSAM") incidents we will report to NCMEC and equivalent bodies and preserve all relevant data.
• Business transfers — if we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal data may be transferred as part of that transaction subject to standard confidentiality protections.
• With your consent — for any other disclosure we will obtain your explicit consent.

7. International Transfers

Our servers and service providers may be located outside the European Economic Area, including in the United States and other jurisdictions. Where we transfer personal data outside the EEA we rely on appropriate safeguards under Articles 44–49 GDPR, such as European Commission Standard Contractual Clauses, an adequacy decision, or your explicit consent. You may request a copy of the safeguards in place by contacting us at contact@business.lusychat.ai.

8. Cookies and Similar Technologies

We use cookies and similar technologies (pixels, local storage, SDKs) to operate the Service, remember preferences, secure your account, prevent fraud, and measure aggregated usage. You can control non-essential cookies through the cookie banner displayed on first visit and through your browser settings. Disabling essential cookies will affect site functionality. Categories used: strictly necessary, functional, analytics, and fraud-prevention. We do not currently use advertising cookies.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes set out in this Privacy Policy or as required by law:

• Account data: while your account is active and for up to 24 months after deletion (for security, dispute, and tax purposes), unless a longer period is required by law.
• Conversations and generated content: stored on encrypted servers while your account is active; you can delete individual items or your full history at any time from your account settings.
• Payment records: retained for the period required by applicable tax and anti-money-laundering law (typically 5–10 years).
• Identity-verification artefacts: retained only for the period needed to demonstrate the verification was performed and to defend against fraud claims; in any event no longer than 24 months unless we are legally required to retain longer.
• Abuse / suspected illegal content: relevant records and content may be preserved for as long as needed to cooperate with law enforcement.

10. Security

We use administrative, technical, and physical safeguards designed to protect personal data, including TLS encryption in transit, encryption at rest for sensitive fields, access controls, least-privilege provisioning, logging, regular vulnerability scanning, and incident-response procedures. No system is completely secure, however, and we cannot guarantee absolute security.

11. Your Rights

Under GDPR you have the following rights, which you may exercise free of charge by writing to contact@business.lusychat.ai:

• Right of access — to obtain confirmation of, and a copy of, the personal data we hold about you.
• Right to rectification — to have inaccurate data corrected.
• Right to erasure — to have your data deleted, subject to exceptions (e.g., legal retention obligations).
• Right to restriction — to limit how we process your data in certain circumstances.
• Right to data portability — to receive your data in a structured, commonly-used machine-readable format.
• Right to object — to processing based on our legitimate interests, including direct marketing.
• Right to withdraw consent — at any time, without affecting the lawfulness of processing before withdrawal.
• Right to lodge a complaint — with the Information and Data Protection Commissioner of Malta (https://idpc.org.mt) or your local supervisory authority.

We may need to verify your identity before processing a rights request to prevent unauthorized disclosure.

12. Children

The Service is strictly for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has registered, please notify us at contact@business.lusychat.ai. We will promptly investigate, delete the account and associated data, and report the incident to the appropriate authorities where required.

13. Automated Decision-Making

Our trust-and-safety systems may use automated tools (including classifiers) to detect prohibited content and patterns of abuse. Decisions that produce legal or similarly significant effects on you — such as account termination — are reviewed by a human moderator before they take effect, except in cases of clear and unambiguous violations (for example, suspected CSAM).

14. Changes to this Policy

We may update this Privacy Policy from time to time. We will post the revised version on the Service and update the effective date above. Where the change is material we will provide additional notice by email or in-app. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

15. How to Contact Us

Questions, requests, or complaints relating to this Privacy Policy or our processing of your personal data should be sent to:

LusyChat

Attn: Data Protection

Villa Malitah, The Village, Triq Il-Mediterran, San Giljan STJ 1870, Malta

Email: contact@business.lusychat.ai