Legal

Privacy Policy

This is an English translation provided for convenience. The legally binding version of this document is the German original (German original). In case of any discrepancy, the German version prevails.

As of: 12 May 2026 · Version 2.1 · This policy governs data processing on lucid-ai.app as well as within the scope of the AI telephone agent service ("Voice Agent"). The English version at /privacy is a translation of identical content. In case of doubt, this German version prevails.

1. Controller (Art. 4 No. 7 GDPR)

Fabian Ilg · Lucid AI Labs
Kirchbergstraße 5, 93152 Markt Nittendorf
Bavaria, Germany
Email: [email protected]

An officially appointed data protection officer is not currently named. The obligation to appoint pursuant to Art. 37 para. 1 lit. c GDPR (core activity = processing of special categories of data pursuant to Art. 9) is continuously assessed. Until regular processing of health data in the voice agent service begins, requests are handled directly by the controller; before the onboarding of the first paying clinic, an external data protection officer is appointed. A written threshold assessment ("not large scale" assessment for the pre-clinic period) is documented internally.

A record of processing activities pursuant to Art. 30 para. 2 GDPR (record of processing activities as a processor, kept separately per clinic controller) is maintained and provided to the supervisory authority (BayLDA) on request.

2. General Notes on Data Processing

We process personal data only insofar as this is necessary for the provision of the website and our services and a lawful basis pursuant to Art. 6 GDPR (and, additionally, Art. 9 GDPR for health data in the voice agent context) exists. No data processing takes place for the advertising purposes of third parties, no profiling for automated individual decisions (Art. 22 GDPR).

3. Collection on Visiting the Website

3.1 Server Logs

On every page request, technical information is automatically collected by the hosting provider Vercel (server logs):

Lawful basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in security, stability, abuse protection). Storage duration: 30 days, then automatic deletion by the host. A profile with personal data is not created from these logs.

3.2 Hosting

The hosting of the website is carried out via Vercel Inc. (USA), the clinic dashboard and the voice agent database via Hetzner Online GmbH (Falkenstein/Nuremberg, Germany). Third-country transfers for Vercel are safeguarded by SCC and the DPF (see § 9). The application-side data of the voice agent clinic is located exclusively in the EU.

4. Cookies and Consent Management

We use cookies and comparable storage technologies only to the extent that this is permissible pursuant to § 25 TDDDG (formerly § 25 TTDSG):

Before each consent, no non-necessary cookies are set and no trackers are loaded (no pre-consent tracking). Microsoft Clarity is initialised with clarity('consent', false). In this mode, according to Microsoft documentation, Clarity collects no data whatsoever and sets no cookies. Only after explicit consent (click on "Accept") is the flag set to true and Clarity begins data collection. The implementation is verified against the official Microsoft documentation (learn.microsoft.com, Cookie Consent). Consent can be withdrawn at any time via the footer ("Cookie settings"). The withdrawal takes effect immediately, the flag is reset to false and no further data flow to Clarity takes place.

The Reject button and the Accept button are visually presented as equal in the banner (no dark pattern), in accordance with the EDPB Guidelines 03/2022 on deceptive design patterns in cookie banners as well as the requirement of voluntary consent pursuant to Art. 7 GDPR.

5. Contact Form and Email Contact

Data transmitted via the contact form at /contact or directly by email to [email protected] (name, email, company, message, optional: budget, timeframe) is used exclusively for the processing of your enquiry.

6. Voice-Agent-Specific Processing

Within the scope of the voice agent service, we process personal data of callers on behalf of the respective clinic (processing on instruction pursuant to Art. 28 GDPR). The controller for this processing is the clinic itself; Lucid AI Labs is the processor. The master DPA is available at /avv.

This privacy policy describes the voice agent processing only in overview; the legally binding detail clauses are in the DPA.

6.1 Data Flow of a Typical Call

  1. Call ingress via Telnyx (USA, SCC + DPF) on a clinic-specific German geo telephone number.
  2. AI announcement at the beginning of the call (see § 6.4), generated via ElevenLabs (USA, SCC).
  3. Speech input to text via Deepgram (USA, SCC), low latency, transient.
  4. Conversation logic (LLM) via Anthropic Claude (USA, SCC, no training with input data).
  5. Response as speech via ElevenLabs, back via Telnyx to the caller.
  6. Persistence of the transcript and the appointment data in Supabase on Hetzner (DE, EU data residency).
  7. Appointment confirmation by email (if the caller provides an address) via Resend (USA, SCC + DPF).

6.2 Lawful Bases

6.3 Professional Secrecy (§ 203 StGB)

The clinic, as a professional secrecy holder within the meaning of § 203 StGB, expressly authorises, on each conclusion of a contract, Lucid AI Labs as well as all sub-processors named in the sub-processor list as "assisting persons" pursuant to § 203 para. 3 and 4 StGB. The confidentiality obligation is contractually safeguarded.

6.4 AI Announcement (AI Act Art. 50)

At the beginning of every call, the Voice Agent plays a clearly intelligible notice that the caller is interacting with an AI system (example: "You are speaking with the AI telephone assistant of the practice Dr. X. If you would like to speak with a human, please say 'human'."). This obligation arises from Art. 50 AI Regulation (EU) 2024/1689. The applicability of this article begins on 2 August 2026; Lucid AI Labs already fulfils it now.

6.5 Recording (§ 201 StGB)

A permanent audio recording does not take place by default. Voice data is only processed transiently (streaming) and deleted immediately after generation of the transcript. If a clinic explicitly commissions an additional audio recording in the main contract, a separate consent is obtained at the beginning of every call; in the event of objection, the recording is immediately and verifiably deactivated. A recording without notice and possibility of objection does not take place under any circumstances; this would be a criminal offence pursuant to § 201 StGB.

6.6 Functional Limitation

The Voice Agent provides no diagnosis, performs no triage and gives no medical assessments. For any substantive medical concern, an escalation to a human takes place. This limitation avoids a classification as high-risk AI pursuant to Annex III of the AI Regulation.

7. Processors and Recipients

We use the following processors. The complete current list with addresses, data categories and DPA links is available at /de/auftragsverarbeiter.

Provider Seat Purpose Transfer basis
Hetzner Online GmbH DE Hosting database, transcripts EU, no third-country transfer
Vercel Inc. US Marketing hosting, clinic dashboard SCC + DPF
Telnyx LLC US Telephony (SIP trunk, German geo telephone numbers) SCC + DPF
Deepgram Inc. US Speech → text SCC
Anthropic PBC US LLM conversation (Claude) SCC + DPF
ElevenLabs Inc. US Speech synthesis (TTS) SCC
Resend Inc. US Transactional emails SCC + DPF
Microsoft Corp. (Clarity) US Anonymous web analytics (opt-in) SCC + DPF

We do not sell, rent or lend personal data to third parties for advertising purposes.

8. Third-Country Transfers (Art. 44 ff. GDPR)

Transfers to the USA to the recipients named in § 7 take place on the following bases:

9. Storage Duration

10. Your Rights (Art. 15–22 GDPR)

To exercise these rights: email to [email protected] with subject "Data protection access request". Response within the statutory period of one month (Art. 12 para. 3 GDPR), in complex cases extendable by two further months with reasoning.

11. Right to Lodge a Complaint with the Supervisory Authority (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority. Competent for the seat of the controller:

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18, 91522 Ansbach
Telephone: +49 (0)981 180093-0
Email: [email protected]
Web: lda.bayern.de

You can also contact any other EU supervisory authority, in particular the one competent in your state of residence.

12. Newsletter and Marketing

We currently operate no newsletter and no advertising email processing. Should this be introduced in the future, an explicit, documented double-opt-in consent takes place. Data is then not used for marketing purposes without explicit consent (§ 7 UWG).

13. Microsoft Clarity (Web Analytics, Opt-In)

We use Microsoft Clarity for the anonymous analysis of heatmaps and click patterns, exclusively after explicit consent. Provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA.

14. Anti-Fingerprinting Obligations

We refrain from browser fingerprinting, canvas fingerprinting and similar techniques for unique re-identification. Technical tracking pixels of third parties are not used. An identification of individual visitors is, on the basis of the collected data, neither intended nor practically possible.

15. Changes to This Policy

Material changes are announced at the top of this page with a new "as of" date and version number. Changes only take effect for future processing; retroactive changes are not made. In case of doubt, existing customers are additionally informed by email.

16. Contact for Data Protection Matters

Directly to the controller: [email protected]. Response within one working day, at the latest within the statutory period of one month.

Related Documents