lucidstudio

Legal

Privacy Policy

Last updated: 22 April 2026. Effective from launch day.

The short version

We collect the minimum data we need to run Lucid. We don’t sell it. We don’t train AI models on your projects. You can export or delete everything, any time, from the app.

What we collect

  • Account data: email, display name, auth provider ids. Stored in Supabase.
  • Project data: your prompts, BuildSpecs, generated images, generated code. Stored in Supabase and Cloudflare R2.
  • Billing data: Stripe customer id, invoice history. Card details are handled by Stripe, not us.
  • Analytics: basic page-view and event data via PostHog, privacy-respecting defaults. No third-party ad pixels.
  • Logs: standard server + Inngest logs for 30 days, for incident response.

What we don’t do

  • Sell or share data with advertisers.
  • Train AI models on your prompts, specs, or generated content.
  • Use your projects for marketing without explicit opt-in.
  • Track across other sites (no fingerprinting, no cross-site cookies).

Sub-processors

Lucid relies on the following vendors to operate. Full list, with the data each one sees:

  • Supabase: Postgres database + auth. Stores account + project data. Region: AU East (Sydney).
  • Cloudflare: R2 object storage for generated code + images. DNS. Published-site hosting.
  • Vercel: marketing site hosting. Per-project Vercel accounts for webapp publishes.
  • Stripe: payments. Holds card details; we don’t.
  • Resend: transactional email (welcome, build complete, billing receipts).
  • Anthropic: Claude API for spec generation and revision. Your prompts are sent to Anthropic under their API terms. Anthropic does not use API content for training.
  • Google (Nano Banana Pro): image generation. Your image prompts are sent to Google’s API under their Gemini API terms.
  • Sentry: error tracking, sampling disabled for PII.
  • PostHog: product analytics, self-hosted or EU cloud (depending on deployment).
  • Upstash: Redis-compatible rate limiting.

Data retention

Project data stays until you delete the project or your account. Deleted projects are wiped from Supabase within 7 days and from R2 within 30 days. Billing records are kept for 7 years per Australian tax law.

Your rights

Export everything you’ve created from the account settings page. Delete your account from the same page; we ask once to confirm. GDPR rights (access, rectification, erasure) are honoured wherever you live, not just in the EU.

Contact

Privacy questions: hello@lucidstudio.ai. Data-protection requests are processed within 30 days.