
Privacy Policy

LUCAS AI — Compliant with GDPR (Regulation EU 2016/679)

Last updated: March 24, 2026 — Version 1.0

Plain language summary: Your business data belongs to you. We never sell it. It is stored in Europe. Lucas only reads your messages to answer them — not to train any AI model. You can export or delete your data at any time. We are fully GDPR compliant.

1. Who We Are

Data Controller: Vision BTP, operating the LUCAS AI brand, represented by Sylvain Chastang, Livron-sur-Drôme (26250), France — contact@vision-btp.fr

Data Protection Officer (DPO): Sylvain Chastang — contact@vision-btp.fr

Vision BTP processes personal data in connection with the provision of the LUCAS AI Service — an AI-powered administrative and financial management assistant for skilled tradespeople in the construction sector (BTP), delivered primarily via Telegram and a web dashboard.

This Privacy Policy applies to all users of the LUCAS AI Service, including visitors to lucas-ai.fr, subscribers, and beta testers.

2. Data We Collect

2.1 Account and identity data

  • Full name, company name, SIRET number (French business registration);
  • Professional email address and phone number;
  • Billing address;
  • Telegram user ID and username (used to link your account to the Lucas bot).

2.2 Business data (your data)

  • Quotes, invoices, purchase orders and their recipients;
  • Client and prospect information (names, contact details, addresses);
  • Construction site information, schedules and photos;
  • Financial data: cash flow, margins, payment statuses;
  • HR data: employee records, leave, working hours (Team and Patron plans);
  • Equipment and vehicle records;
  • Supplier invoices processed via the email integration feature.

2.3 Usage and technical data

  • Telegram interaction logs with the Lucas bot (messages, voice notes transcribed to text);
  • Dashboard connection logs, IP addresses, browser type;
  • Feature usage statistics (aggregated and anonymized for product improvement).

2.4 Payment data

Payment card data is processed exclusively by Stripe (PCI DSS Level 1 certified). LUCAS AI stores only the last four digits of the card, the card type, and the transaction reference. No full card number is ever stored on our servers.

2.5 Data you do NOT provide us

LUCAS AI does not collect and will never request: social security numbers, government-issued ID numbers, health data, political or religious opinions, or any special-category data under Article 9 GDPR.

3. Purposes and Legal Bases

| Purpose | Legal basis (GDPR) | Retention |
|---|---|---|
| Providing and operating the LUCAS AI Service | Performance of contract (Art. 6(1)(b)) | Duration of subscription + 90 days |
| Billing and subscription management | Performance of contract + legal obligation (Art. 6(1)(b)(c)) | 10 years (French accounting law) |
| Customer support and incident response | Performance of contract (Art. 6(1)(b)) | 3 years after last interaction |
| Sending transactional emails (invoices, alerts, digests) | Performance of contract (Art. 6(1)(b)) | Duration of subscription |
| Sending newsletters and marketing communications | Consent (Art. 6(1)(a)) | Until opt-out or 3 years of inactivity |
| Improving the Service (anonymized analytics) | Legitimate interest (Art. 6(1)(f)) | Anonymized — no retention limit |
| Fraud detection and security | Legitimate interest (Art. 6(1)(f)) | 12 months |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) | As required by applicable law |

4. Data Recipients

4.1 Internal access

Access to personal data is restricted to authorized LUCAS AI personnel on a strict need-to-know basis, bound by confidentiality obligations.

4.2 Sub-processors

We use the following third-party sub-processors to deliver the Service:

| Sub-processor | Role | Location | Safeguards |
|---|---|---|---|
| Supabase, Inc. | Database & backend hosting | EU (Frankfurt, Germany) | SOC 2 Type II, ISO 27001, DPA signed |
| Anthropic, PBC | AI engine (Claude API) | USA | Zero data retention policy, SCCs, DPA signed |
| Telegram Messenger | Primary user interface | UAE / distributed | Telegram Privacy Policy applies to messaging metadata |
| Stripe, Inc. | Payment processing | USA / EU | PCI DSS Level 1, SCCs, DPA signed |
| Netlify, Inc. | Website hosting & CDN | USA / EU CDN nodes | DPA signed, EU data residency option |
| Brevo (Sendinblue) | Transactional email | EU (France) | ISO 27001, GDPR compliant, DPA signed |

4.3 No sale of data

LUCAS AI never sells, rents, or monetizes your personal data or business data to any third party, under any circumstances.

4.4 Legal disclosure

We may disclose your data to competent authorities when legally required to do so (e.g., court order, regulatory request). We will notify you of such a request to the extent permitted by law.

5. AI Processing and Telegram

5.1 How Lucas processes your messages

When you send a message or voice note to the Lucas Telegram bot, the following occurs:

  • Voice notes are transcribed to text on our servers (Whisper API or equivalent);
  • The text content of your message is transmitted to Anthropic's Claude API to generate a response;
  • The response is returned to you via Telegram;
  • The interaction is logged in your LUCAS AI account for continuity and dashboard display.

5.2 What Anthropic sees

Only the textual content of your messages is transmitted to Anthropic. No direct identifiers (name, SIRET, email) are included in API calls. Anthropic operates under a zero data retention policy: your messages are not stored by Anthropic beyond processing and are never used to train AI models.

5.3 Telegram data

Your use of the Telegram messaging platform is subject to Telegram's own Privacy Policy (available at telegram.org/privacy). LUCAS AI only receives the content of messages sent to the @lucas_ai_bot. We do not access your personal Telegram contacts, other conversations, or account metadata beyond what is necessary to operate the bot.

5.4 Email intelligence feature

If you enable the email management feature (Patron plan), LUCAS AI accesses your dedicated professional email inbox (a specific email address provided for this purpose — not your personal inbox) to read, classify and process incoming messages. You may revoke this access at any time from the dashboard. LUCAS AI will never access or request access to your personal email account.

6. Data Retention

We retain personal data only for as long as necessary for the purposes described in Section 3. Key retention periods:

  • Active subscription: All account and business data retained for the duration of the subscription;
  • Post-cancellation: Business data retained for 90 days to allow data export, then permanently deleted;
  • Billing records: 10 years (French legal obligation — Article L123-22 of the Commercial Code);
  • Support tickets: 3 years from last interaction;
  • Connection logs / security: 12 months;
  • Failed trial (no conversion): Account data deleted 30 days after trial expiration.

Upon your written request, we can accelerate deletion outside of legally mandated retention periods. Contact: contact@vision-btp.fr

7. Data Security

We implement the following technical and organizational security measures:

  • Encryption in transit: HTTPS / TLS 1.3 on all web and API communications;
  • Encryption at rest: AES-256 database encryption via Supabase;
  • Data isolation: Row Level Security (RLS) — each customer can only access their own data;
  • Access control: Production data access limited to authorized personnel with strong authentication (MFA);
  • Backups: Automated daily backups with 30-day retention;
  • Monitoring: Real-time anomaly detection and alerting;
  • Secure development: Security reviews for all major releases.

7.1 Data breach notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the CNIL (French Data Protection Authority) within 72 hours as required by Article 33 GDPR. If the breach poses a high risk to you, we will also notify you directly without undue delay.

8. International Data Transfers

Some of our sub-processors (Anthropic, Stripe, Netlify) are based outside the European Economic Area (EEA), primarily in the United States. These transfers are safeguarded by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • EU-U.S. Data Privacy Framework certification where applicable;
  • Data Processing Agreements (DPAs) signed with each sub-processor.

For information on the specific safeguards applicable to any transfer, please contact: contact@vision-btp.fr

9. Your Rights

Under the GDPR (Articles 15–21), you have the following rights over your personal data:

  • Right of Access (Art. 15): Obtain a copy of all personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17): Request deletion of your data, subject to legal retention obligations.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (CSV/JSON).
  • Right to Object (Art. 21): Object to processing based on our legitimate interests.
  • Right to Restriction (Art. 18): Request temporary suspension of data processing in certain cases.
  • Right to Withdraw Consent: Withdraw consent at any time for processing based on consent (marketing, analytics cookies).
  • Right to Lodge a Complaint: File a complaint with the CNIL: cnil.fr

How to exercise your rights

Send your request to: contact@vision-btp.fr — Subject: "GDPR Rights Request — [your SIRET or account email]"

Response time: maximum 30 days (extendable to 3 months for complex requests, with notification within the first month).

We may request proof of identity to protect your data from unauthorized access.

10. Cookies

The LUCAS AI website (lucas-ai.fr) uses cookies. We use:

  • Strictly necessary cookies: Required for the website to function (session management, authentication). No consent required.
  • Analytics cookies: Aggregated, anonymized audience measurement (e.g., page views). Requires consent.
  • No third-party advertising cookies are placed without prior consent.

You can manage your cookie preferences via our cookie banner or at any time in your browser settings. For full details, see our Cookie Policy (French).

11. Children's Privacy

The LUCAS AI Service is exclusively intended for professional use by business owners and their employees. The Service is not directed at children under the age of 16. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately at contact@vision-btp.fr and we will delete it promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will notify you of any material changes by email with at least 30 days' advance notice. The current version is always available at lucas-ai.fr/privacy-policy.html with its last-updated date.

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. If you do not agree, you may cancel your subscription before the changes take effect.

13. Contact & Data Protection Officer

For any question, request, or complaint regarding this Privacy Policy or the processing of your personal data:

Sylvain Chastang — Data Protection Officer
Vision BTP — LUCAS AI
Livron-sur-Drôme (26250), France
Email: contact@vision-btp.fr
Subject: "Privacy / DPO — LUCAS AI"

Supervisory Authority:
CNIL — Commission Nationale de l'Informatique et des Libertés
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
cnil.fr