Privacy Policy

Lucid is operated by Arcticbit ehf., kennitala 5007230920, a company registered in Iceland. We are the data controller for the personal data processed through the Lucid service.

This policy applies to the Lucid marketing site at lucid.is and the Lucid planner application at app.lucid.is. Together we refer to these as “the Service.”

Everything you write in your planner (entries, goals, habits, reflections) belongs to you. We store it so the planner works across your devices, and that is it. We do not read it, sell it, or use it to train anything.

• Account credentials — email address and hashed password (or profile information provided by Google, Apple, or LinkedIn if you sign in with one of those services).
• Purchase record — order ID, amount, currency, and customer ID provided by Lemon Squeezy (our Merchant of Record). We do not receive or store your card details.
• Analytics — if you consent, Google Analytics collects anonymised usage data (pages visited, session duration, approximate location by country). No fingerprinting, no tracking across other sites.
• Email marketing — if you subscribe to our newsletter, we share your email address with MailerLite to deliver it. You can unsubscribe at any time.
• Preferences — your chosen planner theme, paper texture, font size, and optional PIN hash (we never store your actual PIN).

Under GDPR we need a legal basis for every piece of data we process. Here is ours:

• Planner data, authentication, and purchase verification — necessary to perform the contract you enter when you buy a planner (Art. 6(1)(b)).
• Analytics (Google Analytics) — only processed with your consent. You can withdraw consent at any time (Art. 6(1)(a)).
• Email marketing (MailerLite) — only processed with your consent. Every email includes an unsubscribe link (Art. 6(1)(a)).
• Promo bar dismissal cookie — a small preference cookie set in your browser so we do not show the same banner twice. This is based on our legitimate interest in not annoying you (Art. 6(1)(f)).

We share the minimum data necessary with the following providers. Each acts as a data processor under a contract that meets GDPR requirements.

• Supabase (Frankfurt, EU) — authentication, database, and file storage. Privacy policy.
• Lemon Squeezy (US) — payment processing and Merchant of Record. Handles your card details, billing address, and VAT on our behalf. Privacy policy.
• Google Analytics (US) — anonymised website analytics, only with your consent. Privacy policy.
• MailerLite (Lithuania / US) — email newsletter delivery, only if you subscribe. Privacy policy.
• Vercel (US) — hosting and content delivery for the website and planner application. Processes IP addresses and request metadata. Privacy policy.
• Google, Apple, LinkedIn — if you choose to sign in with one of these providers, they share your name and email address with us. We do not receive your password from them.
• Cookiebot (EU) — cookie consent management. Records your consent preferences so we only set cookies you have agreed to. Privacy policy.

We use a small number of cookies. No advertising cookies are used, ever. Before any non-essential cookies are set, we ask for your consent via a cookie banner powered by Cookiebot.

Your planner data is stored in Supabase EU-West (Frankfurt, Germany). Data is encrypted at rest and in transit.

Some of our third party providers are based outside the EEA (see the list above). Where data is transferred outside the EEA, it is protected by Standard Contractual Clauses (SCCs) or an adequacy decision recognised by the European Commission. You can request a copy of the relevant safeguards by emailing us.

• Planner data and account — retained until you delete your account.
• Purchase records — retained for 7 years to comply with Icelandic accounting and tax obligations.
• Analytics data — retained according to the Google Analytics retention settings (up to 14 months).
• Marketing emails — your email is retained until you unsubscribe, at which point it is deleted from our mailing list.

Your planner data is protected by row level security (RLS) in the database. Under normal operations, only your own authenticated requests can read or write your data. Administrative access is restricted to infrastructure maintenance, requires a separate service key, and is audit logged.

Under GDPR you have the right to:

• Export — download all your planner data at any time, in a standard format.
• Delete — request full deletion of your account and all associated data. We will comply within 30 days.
• Access and correction — request a copy of your personal data or ask us to correct inaccuracies.
• Portability — receive your data in a structured, machine readable format.
• Withdraw consent — for analytics or marketing, at any time, without affecting the lawfulness of earlier processing.
• Lodge a complaint — you have the right to lodge a complaint with Persónuvernd, the Icelandic Data Protection Authority, or with the supervisory authority in your country of residence.

Lucid is designed for students aged 18 and over. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has created an account, please contact us and we will delete it promptly.

We will never sell your personal data. We will never use your planner content to train machine learning models. This is not a negotiable position.

In the unlikely event of a data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours and inform you without undue delay, in accordance with GDPR Articles 33 and 34.

We may update this policy from time to time. If we make a material change, we will notify you by email (using the address associated with your account) and update the “Last updated” date at the top of this page. Continued use of the Service after notice constitutes acceptance of the updated policy.

Arcticbit ehf. is based in Iceland, a member of the European Economic Area (EEA). Icelandic data protection law (Act No. 90/2018) aligns with EU GDPR via the EEA Agreement. You have full GDPR rights regardless of where you are located.

Questions about your privacy? Email us at privacy@arcticbit.is.