Privacy Policy

Last updated: April 27, 2026

Draft notice: This policy is a working draft provided for transparency during early access. It has not yet been reviewed by legal counsel and may be updated before general availability.

Lucora (“Lucora,” “we,” “us,” or “our”) operates Lucora PM, a project management service (the “Service”). This Privacy Policy explains what information we collect when you use the Service, how we use it, the choices you have, and the steps we take to protect it. By using the Service, you agree to the practices described below.

1. Information we collect

a. Information you provide

  • Account information. When you sign up, we collect your name, email address, and a password (or, if you sign in with Google, the identifiers and basic profile data Google shares with us).
  • Organization and workspace data. Information you or your teammates enter into the Service, including projects, tasks, schedules, dependencies, comments, attachments, risks, issues, contracts, and related project-management content.
  • Billing information. If you purchase a paid plan, our payment processor collects payment details on our behalf. We receive limited data such as the last four digits of your card, expiration date, billing address, and transaction history.
  • Communications. Messages you send us (for example, support requests) and any feedback you provide.

b. Information we collect automatically

  • Usage data. Actions taken in the Service, pages viewed, features used, and timestamps, so we can operate, secure, and improve the product.
  • Device and log data. IP address, browser type, operating system, device identifiers, referring URLs, and crash logs.
  • Cookies and similar technologies. We use cookies and local storage for authentication, session management, preferences (such as theme), and basic analytics. See “Cookies” below.

c. Information from third parties

If you connect a third-party service (for example, Google for sign-in, or other integrations you choose to enable), we receive data necessary to operate that integration, subject to your permissions.

2. How we use information

We use the information we collect to:

  • Provide, maintain, and improve the Service;
  • Authenticate you and keep your account secure;
  • Process payments and manage subscriptions;
  • Send transactional messages (e.g., account notices, invoices);
  • Respond to your requests and provide customer support;
  • Detect, investigate, and prevent fraud, abuse, or security incidents;
  • Comply with our legal obligations and enforce our Terms of Service;
  • Analyze usage patterns in aggregate to understand product performance;
  • Power optional AI-assisted features (such as metadata extraction from contract documents you upload) by transmitting the relevant content to our AI subprocessor for processing on our behalf.

We do not sell your personal information, and we do not use the content you enter into the Service to train machine-learning models. Our AI subprocessor (Anthropic) is contractually prohibited from using your content to train its models.

3. How we share information

We share information only in the following limited circumstances:

  • Within your organization. Content you create in a workspace is visible to other members of that workspace according to the access controls configured by the organization’s administrators.
  • Service providers. We use vendors to host infrastructure, send email, process payments, and provide analytics. They may process your data on our behalf under contract and only as needed to provide their service.
  • Legal and safety. We may disclose information when required by law, to respond to valid legal process, or to protect the rights, property, or safety of Lucora, our users, or the public.
  • Business transfers. If Lucora is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to this Policy or a successor notice.
  • With your consent. For any other purpose disclosed at the time, with your permission.

4. Subprocessors and hosting

We use the following third-party services to operate the Service. This list represents our primary subprocessors and may be updated as our infrastructure evolves.

Service | Purpose | Data shared
Vercel | Application hosting (Next.js runtime, edge network) | Request metadata, application data in transit
Neon (PostgreSQL) | Primary database hosting | All stored account, organization, and workspace data (encrypted at rest by Neon; sensitive credential fields are additionally encrypted at the application level before storage)
Amazon S3 (us-east-1) | Contract document storage | Uploaded contract documents (encrypted at rest with AWS KMS; accessed only via short-lived presigned URLs)
Amazon KMS (us-east-1) | Encryption key management for stored files | Encryption keys; no customer content
Amazon SES (us-east-2) | Transactional email delivery | Recipient email addresses and message content (e.g. invitations, notifications, status reports)
Vercel Blob | Storage for public assets (organization and workspace logos, executive brief images) | Image files you upload as branding or report assets
Google Sign-In (OAuth) | Account authentication | Identifiers and basic profile data (name, email, avatar) shared by Google when you sign in
Google Maps Platform | Map display and place lookup for clinical trial sites | Site addresses and coordinates you choose to enter; standard map request metadata
Anthropic (Claude API) | Optional AI-assisted features (e.g., automated metadata extraction from uploaded contract documents) | The contents of contract documents you upload, transmitted only when an AI feature is invoked. Anthropic does not use your content to train its models. Inputs and outputs may be retained by Anthropic for a limited period (typically up to 30 days) for abuse detection and operational reasons, and are then deleted.

All subprocessors are bound by contract to process data on our behalf and only as needed to provide their service. Infrastructure is hosted in the United States.

5. Data retention

We retain account and workspace data for as long as your account is active or as needed to provide the Service. When you delete a workspace or close your account, we delete or de-identify your personal information within a reasonable period, except where we are required to retain it to comply with legal obligations, resolve disputes, or enforce our agreements.

6. Security

We use technical and organizational measures designed to protect your information, including encryption in transit, encryption at rest for sensitive fields, password hashing (bcrypt), multi-factor authentication, and access controls. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

7. Your rights and choices

Depending on where you live, you may have rights under applicable laws (including the GDPR, UK GDPR, and CCPA/CPRA) to:

  • Access the personal information we hold about you;
  • Request correction of inaccurate data;
  • Request deletion of your data;
  • Object to or restrict certain processing;
  • Receive a portable copy of your data;
  • Withdraw consent where processing is based on consent.

You can exercise most of these rights directly in your account settings. For anything you cannot do yourself, contact us at privacy@lucora.io. We will respond within the timeframe required by applicable law. If we process your data on behalf of your organization (as a processor), we will refer your request to that organization.

8. International transfers

We may process and store information in the United States and other countries where we or our service providers operate. Where required, we rely on appropriate safeguards (such as the EU Standard Contractual Clauses) for cross-border transfers.

9. Cookies

We use cookies and similar technologies that are strictly necessary for authentication, session management, and remembering your preferences. We may also use limited analytics cookies to understand product usage. You can control cookies through your browser, though disabling strictly necessary cookies may prevent you from using the Service.

10. Children

The Service is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can delete it.

11. Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date above and, for material changes, provide additional notice (for example, by email or in-product banner).

12. Contact us

If you have questions about this Privacy Policy or our data practices, contact us at privacy@lucora.io.