Privacy Policy
Effective date: 4 May 2026
This Privacy Policy explains how we collect, use, share and protect personal data when you use the Lokuta service. We are committed to treating your data lawfully, fairly and transparently in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (“LOPDGDD”).
1. Data controller
The data controller is Aleix Morte Sánchez, self-employed (autónomo) registered in Spain with NIF 47948269P, with registered address at Pj. Xaloc, 24, 1-1, 08840 Viladecans (Barcelona), Spain. For any privacy-related question or to exercise your rights you can write to hello@lokuta.app. We have not appointed a Data Protection Officer because we are not required to under article 37 of the GDPR.
2. Personal data we process
We process the following categories of personal data:
- Account and identification data. Name, email address, profile image (where you sign in via Google), preferred locale, and the role you hold in your Workspace.
- Authentication data. Sign-in tokens issued by Auth.js, OAuth tokens for Google and HubSpot (when you connect those accounts), and email-verification tokens used for magic-link sign-in.
- Workspace and membership data. The organization name you create, invitations you send, and the membership relationship between users and Workspaces.
- Customer Content. Audio captured through your device microphone (which we treat as transient — see retention below), the resulting transcripts, summaries, action items and notes generated by the Service, and any data exchanged with HubSpot through the integration.
- Billing data. Stripe customer ID, subscription status, plan, billing interval, invoice metadata and the country and tax identification number you provide for invoicing. We do not store card details — those are handled directly by Stripe.
- Usage and technical data. Capture counts and quotas, log entries (including IP address, user agent and timestamps), error reports, and aggregate analytics about page performance.
- Communications. The contents of emails or messages you send us, including support requests.
We do not knowingly collect special categories of personal data (article 9 GDPR — health, political opinions, etc.). The Service is designed so that you record only your own voice and your own notes; you must not use it to record other people without complying with section 5 of our Terms of Service.
3. How we use personal data and legal bases
We process personal data for the purposes set out below, on the legal bases indicated:
| Purpose | Legal basis (GDPR art. 6) |
|---|---|
| Create and manage your account, your Workspace and your memberships; provide capture, transcription, summarization and HubSpot synchronization. | Performance of the contract you enter into with us (art. 6(1)(b)). |
| Send transactional and operational email (sign-in links, invitations, billing notifications, security alerts). | Performance of the contract (art. 6(1)(b)). |
| Process payments, issue invoices and keep accounting records. | Performance of the contract and compliance with legal obligations (art. 6(1)(b) and (c)) — Spanish tax and accounting law requires records to be kept for up to 6 years. |
| Produce aggregate, anonymous analytics about how the Service is used; maintain security and prevent fraud; debug the Service. | Our legitimate interest in operating, securing and improving the Service (art. 6(1)(f)). You can object to this processing at any time. |
| Send infrequent product updates or invitations to participate in user research. | Our legitimate interest in keeping you informed about a service you actively use (art. 6(1)(f)). You can opt out at any time. |
| Comply with legal obligations and respond to lawful requests from competent authorities. | Legal obligation (art. 6(1)(c)). |
We do not carry out automated decision-making with legal or significant effects on you within the meaning of article 22 GDPR. The AI Features generate suggested transcripts and summaries that you review before any action is taken; you remain in control.
4. Who we share data with — sub-processors
We rely on a small number of carefully selected service providers (“sub-processors”) that process personal data on our behalf under written agreements meeting the requirements of article 28 GDPR. At the date of this policy our sub-processors are:
| Provider | Purpose | Location of processing |
|---|---|---|
| Vercel Inc. | Application hosting, edge delivery, web analytics. | United States (with EU edge regions). |
| Database provider | PostgreSQL database for application data. | European Union. |
| OpenAI | Speech-to-text transcription, summarization and structuring of notes by large-language models. | United States. |
| HubSpot, Inc. | CRM data exchange, only when you connect HubSpot to a Workspace. | United States / European Union (depending on your HubSpot account region). |
| Stripe Payments Europe Ltd. | Payment processing, subscription management, invoicing. | Ireland and United States. |
| Resend | Sending transactional email (sign-in links, invitations, receipts). | United States. |
| Google LLC | OAuth sign-in (only if you choose to use it). | United States. |
We may also share personal data (i) with professional advisers (e.g. lawyers, accountants) bound by confidentiality, (ii) with a successor entity in the context of a corporate transaction, and (iii) where required by law or to protect our rights.
5. International transfers
Some of our sub-processors are located in the United States. When personal data is transferred outside the European Economic Area, we rely on appropriate safeguards under chapter V of the GDPR — typically the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. You can request a copy of the safeguards we have in place by writing to hello@lokuta.app.
6. How long we keep personal data
- Audio captured through the microphone. Streamed for transcription and discarded immediately after the transcript has been produced. We do not persist raw audio.
- Transcripts, summaries and notes. Stored while your Workspace is active, until you delete them, or for up to 90 days after the Workspace is closed.
- Account, Workspace and membership data. Stored while the account is active and for up to 30 days after deletion to allow recovery, after which it is deleted or anonymized.
- Authentication tokens. Session tokens are valid for up to 30 days; OAuth refresh tokens are kept while the third-party integration remains connected.
- Billing and tax records. Retained for 6 years from the end of the relevant tax year, as required by Spanish tax and accounting law (art. 30 of the Commercial Code; art. 66 of the General Tax Law).
- Server logs. Up to 12 months, after which they are deleted or anonymized.
- Encrypted backups. Up to 30 days on a rolling basis.
7. Cookies and similar technologies
We use only the minimum cookies and similar technologies needed to run the Service. Specifically:
- Strictly necessary cookies for authentication (Auth.js session and CSRF tokens) and for remembering your locale preference. These cookies do not require consent under article 22.2 of the LSSI-CE.
- Vercel Analytics / Speed Insights for aggregate, privacy-preserving measurement of page performance and traffic. According to its provider this technology does not store cookies for tracking purposes and does not identify visitors individually; we process the resulting aggregate data on the basis of our legitimate interest in keeping the Service fast and reliable.
We do not run advertising cookies, tracking pixels or social-media integrations. If we ever introduce non-essential cookies we will first request your consent through a cookie banner.
8. Your rights
Under GDPR and LOPDGDD you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate or incomplete data;
- request deletion of your data (the “right to be forgotten”);
- request restriction of, or object to, certain processing, particularly processing based on our legitimate interests;
- request portability of the data you have provided to us, in a structured, commonly used, machine-readable format;
- withdraw any consent you have given us, without affecting the lawfulness of processing carried out before withdrawal; and
- define instructions for the use of your data after your death, in accordance with article 96 LOPDGDD.
You can exercise these rights by writing to hello@lokuta.app with sufficient information for us to identify you. We will respond within one month (extendable by two further months for complex requests). The exercise of your rights is free of charge unless requests are manifestly unfounded or excessive.
If you consider that we have not handled your data correctly, you can file a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos), C/ Jorge Juan, 6, 28001 Madrid — www.aepd.es. You may also lodge a complaint with the supervisory authority of your country of residence.
9. How we protect personal data
We apply technical and organizational measures appropriate to the risks of processing, including:
- encryption of data in transit (TLS) and at rest;
- access control on the principle of least privilege, with strong authentication for administrative accounts;
- environment isolation between development, staging and production;
- logging, monitoring and anomaly alerting;
- tested backup and restore procedures, with backups kept on a rolling 30-day basis;
- formal sub-processor selection, with a written data-processing agreement and a review of their security posture; and
- staff confidentiality obligations (including for the sole proprietor) and security awareness practices.
In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the AEPD within 72 hours and, where required, inform affected users without undue delay.
10. Use by minors
The Service is intended for business use only and is not directed at individuals under 18. We do not knowingly collect personal data of minors. If you believe a minor has provided us with personal data, please contact us so we can delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. If a change is material, we will give you reasonable advance notice by email or in-app message before it takes effect. The effective date at the top of the page indicates when the latest version was published.
12. Contact
If you have any question about this Privacy Policy or how we handle personal data, please contact us at hello@lokuta.app or by post to Aleix Morte Sánchez, Pj. Xaloc, 24, 1-1, 08840 Viladecans (Barcelona), Spain.