Privacy Policy
1. Introduction
Lucrii Pty Ltd (ABN 46 694 710 211 / ACN 694 710 211) (“we”, “us” or “our”), located at PO Box 784, New Farm, QLD 4005, values and respects the privacy of the people we deal with. Lucrii is committed to protecting your privacy and complying with the Privacy Act 1988 (Cth) (Privacy Act) and other applicable privacy laws and regulations.
This Privacy Policy (Policy) describes how we collect, hold, use and disclose your personal information, and how we maintain the quality and security of your personal information.
This privacy policy applies to our operations, including:
- Our websites located at https://lucrii.io/ and https://lucrii.ai/ (“our websites”)
- Our ‘Lucrii’ web-based and mobile applications available at https://app.lucrii.io/ (“our applications”)
- Associated services, features, and integrations (our “services”)
Please note that our websites and applications are also governed by our Terms of Service, available at https://lucrii.io/legal/terms-of-service or https://lucrii.ai/legal/terms-of-service.
What is personal information?
“Personal information” means any information or opinion, whether true or not, and whether recorded in a material form or not, about an identified individual or an individual who is reasonably identifiable.
In general terms, this includes information or an opinion that personally identifies you either directly (e.g. your name) or indirectly.
What personal information do we collect?
The personal information we collect about you depends on the nature of your dealings with us or what you choose to share with us.
The personal information we collect about you may include:
Individual details: name, mailing or street address, date of birth, email address, and phone number.
Company details: business name, address, ABN, ACN, contact numbers, employee count, industry, and other basic corporate details.
Usage and Interaction Data: As a web-based application with integrated AI, we capture in-app user data to power functionality. This includes keystrokes, clicks, and text typed within the app, as well as data regarding emails, messages, notes, sales, purchase orders, and quotes processed through the platform.
Sensitive Information: Under certain circumstances, Lucrii may incidentally process sensitive information contained in emails or documents you process through integrated platforms (such as email systems you connect to Lucrii). This might include any information or opinion about your racial or ethnic origin, political opinions, political association, religious or philosophical beliefs, membership of a trade union or other professional body, sexual preferences, criminal record, or health information.
If we collect or process your sensitive information, we will do so only with your consent, if it is necessary to prevent a serious and imminent threat to life or health, or as otherwise required or authorised by law, and we take appropriate measures to protect the security of this information.
Collection Notice
At the point of collection (such as account signup or when connecting third-party integrations), we will provide you with a link to this Privacy Policy and our Terms of Service. These documents explain:
- The purposes for which we collect your data
- How we use and disclose your information
- How to contact us regarding the data collected
- Your rights to access, correct, or request deletion of your personal information
You can request access to this information at any time during or after the collection process by contacting us using the details in the “How to contact us” section below.
Do I have to provide my personal information?
You do not have to provide us with your personal information. Where possible, we will give you the option to interact with us anonymously or by using a pseudonym.
However, if you choose to deal with us in this way or choose not to provide us with your personal information, we may not be able to provide you with our services or otherwise interact with you.
How do we collect your personal information?
We collect your personal information directly from you when you:
- Interact with us or use the Lucrii web application (we only capture data directly within Lucrii; we do not track users across their web browsers when not using the app)
- Interact with us over the phone
- Interact with us in person
- Participate in surveys or questionnaires
- Attend a Lucrii event
- Subscribe to our mailing list
- Apply for a position with us as an employee, contractor or volunteer
Collecting personal information from third parties
We may also collect your personal information from third parties or through publicly available sources.
Social Logins: If you choose to log in via third-party providers (such as Google, GitHub, or Meta), we capture the user data available from that login source to pre-fill sign-up data. We do not perform ongoing tracking through these login sources.
Integrated Platforms: We integrate with third-party tools you may use, such as email providers (Outlook, Gmail) and commerce/marketing platforms (e.g., Shopify, WooCommerce, Squarespace, Klaviyo). This is a two-way sync where we capture necessary data (such as emails and customer details) to provide our services, and data may flow back from Lucrii into these tools.
What data flows back to integrated third-party platforms?
When you connect third-party tools to Lucrii, we share data back to those platforms to ensure you get the best functionality and integration experience. The specific data shared depends on the platform:
For marketing platforms (e.g., Klaviyo): We share customer names, email addresses, purchase history, quote history, and any other customer data required for you to get the most out of using the platform for segmentation, campaigns, and analytics.
For e-commerce platforms (e.g., Shopify, WooCommerce): We share quotes, sales orders, product information, customer data, and any other information necessary to maintain synchronisation and provide a seamless integration experience.
For accounting platforms (e.g., Xero, MYOB): We share invoices, quotes, customer details, transaction data, and financial information necessary for accounting and bookkeeping purposes.
General principle: We provide all data necessary to deliver core functionality and optimise your use of the integrated platform. You control these integrations and can disconnect them at any time via your account settings in Lucrii.
How do we use your personal information?
We use personal information for many purposes in connection with our functions and activities, including the following purposes:
Service Provision: To provide you with information or services that you request from us.
Experience & Development: To improve the User Interface (UI) and User Experience (UX), plan future developments, and gain insights into feature improvements.
Hermes AI - AI Model Training: We use artificial intelligence (AI) to power features in Lucrii, including our Hermes AI assistant for predictive analytics and workflow automation.
When you interact with Hermes AI, we use your prompts, commands, data queries, and feedback to improve the AI’s performance specifically for your account. This personalisation data stays within your account and is not shared with other users.
We may also use de-identified, aggregated data from user interactions to improve Hermes AI for all Lucrii users. All data is aggregated and de-identified before being used for model training. This allows us to identify patterns across industries to provide predictive analytics and business solutions.
What we DO use for general AI training:
- Aggregated patterns (e.g., “Users in retail often track inventory turnover weekly”)
- Common query types (e.g., “Many users ask about profit margins by product category”)
- Feature usage statistics (e.g., “Dashboard customisation is used more than pre-built reports”)
- De-identified workflow structures (e.g., “5-stage quote-to-invoice processes are common in services businesses”)
What we DO NOT use:
- Customer names, contact details, or any identifiable customer information
- Specific financial figures (revenue, costs, margins, account balances)
- Proprietary business information (pricing strategies, supplier details, custom formulas)
- Transaction details (invoice amounts, payment records, order contents)
- Any data that could identify you or your business
De-identification Process: Before any data is used for general AI training, we:
(a) Remove all direct identifiers (names, emails, ABNs, account IDs)
(b) Remove quasi-identifiers (specific dollar amounts, unique product codes, timestamps that could re-identify you)
(c) Aggregate data across multiple users (minimum 50 users before any pattern is considered)
(d) Apply differential privacy techniques to prevent reverse-engineering
While we take steps to prevent re-identification through aggregation and de-identification techniques, absolute anonymity cannot be guaranteed in all cases (for example, if a business has unique characteristics that could make it identifiable even in aggregate datasets).
Data Retention for AI Training: Raw interaction data (your specific prompts and Hermes responses) is retained for 6 months for service improvement, then automatically deleted. De-identified aggregate insights have no retention limit as they cannot be traced back to any individual user.
Hermes AI Opt-Out: You can opt out of Hermes AI data usage for general training at any time by navigating to organisation Settings > Hermes AI or by contacting support@lucrii.io. Opting out will not affect your use of Lucrii’s core features. However, it will remove all smart and AI-related features from your account.
Third-Party AI Services: Hermes AI is powered by third-party AI service providers (including Amazon Web Services using Amazon Bedrock (Anthropic’s Claude), and/or other providers we may use from time to time). We have data processing agreements with these providers that prohibit them from using your data to train their own models, retaining your data beyond the processing session, or sharing your data with other customers. You should review their privacy policies at:
- Amazon Web Services: https://aws.amazon.com/privacy/
If you have concerns about specific AI providers, contact us at support@lucrii.io to discuss alternative hosting options (may affect pricing).
Marketing: To deliver a more personalised experience and for marketing and research purposes.
Administration: For internal administrative purposes.
Disclosure of personal information to third parties
Our commitment to your data: Lucrii does not sell, rent, trade, or otherwise commercialise your personal information under any circumstances. We fundamentally believe your data belongs to you, and we treat it with the respect and care it deserves.
We will only disclose your personal information to third parties in limited circumstances where it is strictly necessary to provide you with our services or to meet our legal obligations. Any disclosure is made in accordance with this Policy and only in circumstances where you would reasonably expect us to share your information to deliver the functionality you’ve requested.
When we disclose your personal information:
We may disclose your personal information to the following categories of third parties, and only to the extent necessary to provide you with a better service:
Our third-party service providers: This includes our IT infrastructure providers (AWS for secure hosting) and our analytics partners (Google Analytics and PostHog, which help us improve user experiences). These providers are bound by strict confidentiality obligations and are only permitted to use your data to provide services to us - never for their own purposes.
Our professional services advisors: This includes our accountants, lawyers, and auditors who require access to certain information to provide us with professional advice. These advisors are bound by professional duties of confidentiality.
Integrated third-party platforms you have explicitly connected: When you choose to connect platforms like Shopify, Klaviyo, Xero, or your email provider to Lucrii, we share the minimum data required to make those integrations work effectively. You remain in full control - you can disconnect these integrations at any time via your account settings, and we will immediately cease sharing data with those platforms.
What we never do:
- We never sell your personal information to third parties for marketing, advertising, or any other commercial purpose
- We never share your data with data brokers or aggregators
- We never disclose your information to third parties for purposes unrelated to providing you with Lucrii’s services
- We never transfer data in ways that would purposefully or recklessly risk your data security
Your control:
You have full transparency and control over which third-party platforms receive your data through Lucrii. All integrations are opt-in, meaning we only share data with platforms you have explicitly chosen to connect. You can review and manage all active integrations at any time through your account settings.
If you have questions about how we share data with a specific third party, or if you’d like to understand what data is being shared through a particular integration, please contact us at support@lucrii.io and we’ll provide you with a clear explanation.
Transfer of personal information overseas
Lucrii primarily runs off AWS servers based locally in Australia. We operate the business from local Australian servers.
However, some of the third-party service providers we disclose personal information to may be based in or have servers located outside of Australia. Specifically:
- Usage data shared with our analytics providers (Google Analytics and PostHog) is stored on international servers (US or EU based)
- AI processing through our third-party AI providers (including AWS Bedrock and Anthropic) may involve data processing in the United States
- Other third-party service providers may have servers or operations in the United States, United Kingdom, or other jurisdictions
Where we disclose your personal information to third parties overseas, we will take reasonable steps to ensure that data security and appropriate privacy practices are maintained.
How do we protect your personal information?
Lucrii will take reasonable steps to ensure that the personal information that we hold about you is kept confidential and secure, including by:
- Hosting our infrastructure on AWS, which meets SOC2 and ISO27001 standards
- Utilizing SSL encryption, HTTPS, and Encryption at Rest
- Enforcing Two-Factor Authentication (2FA) and strong password policies
- Implementing strict User Account Access Policies to restrict access to only personnel who need that information to provide services to you
Data Breach Notification
In the event of a data breach, Lucrii is committed to transparency and prompt notification:
Immediate Notification (Within 24 Hours): We will inform all customers of a potential data breach within 24 hours of the Lucrii team identifying the potential threat. This is a courtesy notification to let you know that we have experienced a data breach. At this time, we may not yet know what data, if any, has been compromised. We will introduce additional protection measures immediately while we investigate and will update you with additional information as soon as it becomes available.
Internal Investigation: We will launch an internal investigation immediately upon identifying the threat. We will take all measures necessary to safeguard user data and contain the breach.
Formal Report: Once we have completed our investigation, we will formalise a report and provide that to all users with a summary of the event, including what happened, what data was affected, and what steps we have taken to prevent future breaches.
Individual Notification: We will additionally contact any users who have had their data compromised individually and provide them with specific details on what data has been compromised and how they can protect themselves from any potential threats.
Regulatory Notification: Where required under the Notifiable Data Breaches (NDB) scheme, we will notify the Office of the Australian Information Commissioner (OAIC) in accordance with our legal obligations.
If you suspect unauthorised access to your Lucrii account, please contact us immediately at support@lucrii.io so we can investigate and secure your account.
Online Activity
Cookies and Analytics: The Lucrii website uses cookies to improve your experience. We do not use cookies to identify you personally, but rather to improve your experience on our website(s).
For marketing purposes and to improve user experience, we collect data on website visitors using Google Analytics and PostHog. We use these tools to gain user insights and improve our service offerings.
Direct Marketing: We may send you direct marketing communications and information about our services, opportunities, or events that we consider may be of interest to you if you have requested or consented to receive such communications.
You may opt out of receiving marketing communications from us at any time by following the instructions to “unsubscribe” set out in the relevant communication or contacting us using the details set out in the “How to contact us” section below.
Retention of personal information
We will not keep your personal information for longer than we need to.
In most cases, this means that we will only retain your personal information for the duration of your relationship with us unless we are required to retain your personal information to comply with applicable laws (for example, ATO record-keeping obligations require us to retain tax invoices and financial records for 7 years).
Use by Minors
Lucrii is a business tool designed for workplace use. We recognise that employees under 18 may use Lucrii as part of their lawful employment.
For employers: If you provide Lucrii access to employees who are minors, you are responsible for obtaining any required parental/guardian consent and ensuring compliance with employment and privacy laws.
What we collect: We collect the same work-related data from all users regardless of age (name, email, work activity). We do not market to minors, and do not offer features specifically designed for children.
Personal accounts: Individuals under 18 should not create personal Lucrii accounts (outside of employment contexts) without parental consent.
How to access and correct your personal information
Lucrii will endeavour to keep your personal information accurate, complete and up to date.
If you wish to make a request to access and/or correct the personal information we hold about you, you should make a request by contacting us and we will usually respond within 7 days.
We will deal with such a request by following the procedure outlined below:
- Requests can be logged via the “Contact Us” form on our website or by clicking “Get in Contact” within the app
- These actions will direct your inquiry to a support ticket system received via email at support@lucrii.io
- We will review your request and may require proof of identity before processing the access or correction
- If we are unable to respond within 7 days due to the complexity of your request or other reasonable circumstances, we will notify you of the delay and provide an expected timeframe for our response.
Links to third-party sites
Lucrii website(s) may contain links to websites operated by third parties. If you access a third-party website through our website(s), personal information may be collected by that third-party website.
We make no representations or warranties in relation to the privacy practices of any third-party provider or website and we are not responsible for the privacy policies or the content of any third-party provider or website. Third-party providers/websites are responsible for informing you about their own privacy practices and we encourage you to read their privacy policies.
Inquiries and complaints
For complaints about how Lucrii handles, processes or manages your personal information, please contact us at support@lucrii.io or write to us at:
Lucrii Pty Ltd
PO Box 784
New Farm, QLD 4005
Attention: Anthony Di Carlo (Co-founder / CEO)
Note that we may require proof of your identity and full details of your request before we can process your complaint.
Please allow up to 7 days for Lucrii to respond to your complaint.
It will not always be possible to resolve a complaint to everyone’s satisfaction. If you are not satisfied with Lucrii’s response to a complaint, you have the right to contact the Office of the Australian Information Commissioner (at www.oaic.gov.au/) to lodge a complaint.
How to contact us
If you have a question or concern in relation to our handling of your personal information or this Policy, you can contact us for assistance as follows:
Email: support@lucrii.io
Post:
Lucrii Pty Ltd
PO Box 784
New Farm, QLD 4005
Company Details:
Lucrii Pty Ltd
ABN 46 694 710 211 / ACN 694 710 211
PO Box 784, New Farm, QLD 4005