luca

Privacy Policy

Last updated: 30 March 2026

1. Who we are

luca ("we", "us", "our") operates the luca.mobi receipt management platform. We are committed to protecting the privacy of our users — both accountants and the clients who capture receipts through our service.

Contact: hello@luca.mobi

2. What data we collect

Accountant accounts

  • Email address and firm name (for account registration)
  • Password (stored using bcrypt hashing — we cannot see your password)

Receipt data

  • Receipt images uploaded by clients
  • Extracted receipt data: vendor name, date, amounts, VAT details, invoice numbers, supplier VAT numbers, descriptions
  • Categories and corrections made by accountants

Client identification

  • Name of the person capturing receipts (self-reported)
  • Device identifier (randomly generated, stored locally on the device)

Bank statement data

  • Bank transaction details uploaded by accountants for reconciliation (dates, amounts, descriptions)

3. How we use your data

We use your data solely to provide the luca service:

  • Processing receipt images through AI to extract structured data
  • Displaying receipts and extracted data to the accountant
  • Generating VAT returns and export files
  • Matching bank transactions to receipts
  • Learning vendor categorisation rules to improve accuracy

We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described below.

4. Third-party processors

Receipt images are sent to Anthropic (Claude AI) for data extraction. Anthropic processes the images to extract text and structured data, and does not retain the images or use them for training. See Anthropic's privacy policy.

Accountants may optionally configure their own AI provider (OpenAI, Google Gemini, or a self-hosted model). In that case, receipt images are sent to the provider configured by the accountant rather than to Anthropic.

5. Cross-border data transfers

Your account data and receipt records are stored on servers located in the EU. However, when receipt images are processed by AI for data extraction, they are transmitted to the AI provider's infrastructure, which may be located outside the EU/UK (for example, Anthropic and OpenAI operate infrastructure in the United States).

These transfers are covered by appropriate safeguards in accordance with GDPR Chapter V, including the EU-US Data Privacy Framework and standard contractual clauses where applicable. Self-hosted AI configurations (e.g. Ollama) keep all data on infrastructure you control.

6. Data storage and security

  • Data is stored on servers located in the EU
  • All connections are encrypted via HTTPS/TLS
  • Passwords are hashed using bcrypt
  • Third-party AI API keys are encrypted at rest using AES-256-GCM
  • Receipt images are stored on the server filesystem and are only accessible to the associated accountant firm

7. Data retention

We retain your data for as long as your account is active. If you delete your account, we will delete all associated data within 30 days. Accountants may request deletion of specific client data at any time.

8. Your rights (GDPR / UK DPA 2018)

You have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Object to or restrict processing
  • Withdraw consent at any time

To exercise any of these rights, contact hello@luca.mobi.

9. Cookies

luca uses only essential cookies and local storage required for the service to function (authentication tokens, device identification for receipt capture). We do not use analytics cookies, tracking cookies, or third-party advertising cookies.

10. Changes to this policy

We may update this policy from time to time. We will notify registered users of material changes via email.