Privacy Policy
How LocusAI collects, uses, and protects your information
Last updated: March 2026. This is a working draft document. A fully reviewed version prepared by a qualified solicitor will replace this document before LocusAI's public launch. If you have questions about your data in the meantime, contact privacy@locusai.co.uk.
1. Who we are
LocusAI ("LocusAI", "we", "us", "our") provides an AI receptionist platform for small and medium-sized businesses. We process personal data on behalf of our business customers and, in some cases, directly with their end customers.
Our primary jurisdiction is the United Kingdom. Our phone number (+442046203253) and primary operations are UK-based. This policy is written to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data controller contact: privacy@locusai.co.uk
2. What data we collect
Business customers (dashboard users)
- Name and email address (account registration)
- Business name, address, and contact details
- Payment information (processed by Stripe — we do not store card numbers)
- Configuration data (services, hours, knowledge base content)
- Usage data (conversations handled, appointments booked, calls answered)
End customers (callers and chat users)
- Name and phone number (provided during conversations)
- Email address (if provided during booking)
- Appointment details (service requested, date, time)
- Conversation transcripts (voice and chat)
- Call recordings (where enabled by the business — callers are informed before recording begins)
- Sentiment and intent data (AI-derived from conversation content)
Technical data
- IP addresses (for security and rate limiting)
- Session identifiers
- Error logs and performance metrics
3. Legal basis for processing
We process personal data on the following legal bases under UK GDPR Article 6:
- Contract performance (Art. 6(1)(b)) — processing necessary to provide our service to business customers and to fulfil appointment bookings for end customers.
- Legitimate interests (Art. 6(1)(f)) — security monitoring, fraud prevention, product improvement, and analytics. We have conducted a legitimate interests assessment and determined our interests do not override the rights of data subjects.
- Legal obligation (Art. 6(1)(c)) — compliance with applicable law, including responding to lawful requests from authorities.
- Consent (Art. 6(1)(a)) — where we send marketing communications or use optional cookies, we rely on consent which can be withdrawn at any time.
4. Third-party processors
We share data with the following sub-processors to operate our service. Each is subject to a Data Processing Agreement. Data transfers from the UK to the US are conducted under the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs).
| Processor | Purpose | Location |
| --- | --- | --- |
| OpenAI | AI conversation processing | United States |
| Retell AI | Voice AI and call management | United States |
| Telnyx | Telephony and SMS | United States |
| Stripe | Payment processing | United States / EU |
| Google | Calendar integration (where enabled) | United States |
We do not sell personal data to third parties and do not use personal data for advertising purposes.
5. Data retention
We retain personal data only for as long as necessary for the purposes described in this policy:
- Business customer accounts — for the duration of the subscription plus 90 days after termination, then deleted.
- Conversation transcripts and call recordings — configurable per business (default: 365 days). Businesses can reduce this in their settings.
- Appointment records — 3 years (for audit and dispute resolution purposes).
- Payment records — 7 years (UK tax/accounting legal requirement).
- Security and access logs — 90 days.
6. Your rights under UK GDPR
If you are an end customer whose data has been processed through LocusAI, you have the following rights:
- Right of access — request a copy of your personal data.
- Right to rectification — request correction of inaccurate data.
- Right to erasure ("right to be forgotten") — request deletion of your data where there is no overriding legal basis to retain it.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests.
- Right to restrict processing — request we limit how we use your data.
To exercise any of these rights, contact us at privacy@locusai.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
7. Cookies
We use the following cookies:
- Session cookie (functional) — keeps you logged in to the dashboard. This cookie is strictly necessary and does not require consent.
- CSRF token (functional) — protects form submissions from cross-site request forgery. Strictly necessary.
We do not currently use analytics or advertising cookies. If we add analytics in future, we will update this policy and request consent via our cookie banner.
8. Call recordings
Where voice call recording is enabled by a business customer, all callers are informed at the start of the call with the statement: "This call may be recorded for quality and training purposes." Callers who do not consent should end the call at that point. Recordings are stored securely and accessible only to the relevant business.
9. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption of personal data fields at rest (AES-128 via Fernet)
- Encrypted data transmission (HTTPS/TLS)
- Access controls and account lockout protections
- Multi-tenant data isolation — each business can only access their own data
- Rate limiting on all public-facing APIs
10. Data Processing Agreements (B2B)
When LocusAI processes personal data on behalf of a business customer, we act as a data processor and the business acts as the data controller. A Data Processing Agreement (DPA) is available on request at privacy@locusai.co.uk. Business customers are responsible for ensuring they have the appropriate legal basis to use LocusAI to process their customers' data.
11. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top and notify business customers by email. Continued use of LocusAI after changes constitutes acceptance of the updated policy.
12. Contact
For any questions, requests, or complaints about how we handle your personal data:
- Email: privacy@locusai.co.uk
- Response time: We aim to respond within 5 business days and will always respond within 30 days as required by UK GDPR.
You also have the right to complain to the Information Commissioner's Office: ico.org.uk/make-a-complaint