Your privacy is our foundation

Unlike most AI-powered applications that send your data to cloud servers for processing, Lucca runs AI models directly on your hardware. When Lucca analyzes your session, generates summaries, or detects patterns, it's happening right on your machine — not on a distant server.

This means there is no network transmission of your therapy content. No API calls carrying your transcripts. No cloud provider with access to your most private thoughts.

All therapy transcripts are encrypted using AES-256-GCM, the same encryption standard used by governments and financial institutions worldwide. Each transcript is encrypted with a unique initialization vector, ensuring that even identical content produces different ciphertext.

• Algorithm: AES-256-GCM (authenticated encryption)
• Key storage: Encryption key stored locally on your device with restricted file permissions
• Scope: All session transcripts are encrypted before being written to the database

When you record a therapy session, Lucca captures the audio stream, transcribes it locally using on-device speech recognition, and then discards the audio data. No audio files are saved to your hard drive. Only the text transcript is retained (encrypted).

This approach means that even if someone gained access to your device, there would be no audio recordings to find — only encrypted text.

All your data lives in a single database stored locally in your application data folder. There are no external database servers, no cloud storage buckets, and no remote backups.

• Database: A self-contained, file-based database on your device
• Location: Your operating system's standard application data directory
• Access: Only the Lucca application can read the database, and transcripts within it are encrypted

We believe it's just as important to be clear about what we don't do:

Because your data lives entirely on your device, you have complete control:

• View everything: All your data is accessible within the app at any time
• Export your data: Download all your data in standard formats from Settings
• Delete anything: Remove individual sessions or all data — deletion is immediate and permanent
• No cloud to worry about: When you delete data, it's gone. There are no remote copies, backups, or caches to track down.

Lucca uses open-source AI models that run entirely on your device. These models are:

• Open source: The model architecture and weights are publicly available and auditable
• Locally executed: Models run directly on your hardware — no API calls, no cloud inference
• Size-adaptive: Lucca automatically selects the best model for your device's capabilities
• Offline-capable: Once downloaded, models work without any internet connection

Lucca's local-only architecture provides inherent privacy advantages that align with major compliance frameworks. Because no therapy data leaves your device, many traditional cloud-security concerns simply don't apply.

We are actively working toward:

• SOC 2 Type II certification — to formally validate our security practices and controls (planned)
• HIPAA alignment — Lucca's architecture is designed with HIPAA's data security principles in mind. Formal certification is on our roadmap.

We follow the FTC Health Breach Notification Rule and will notify users within 60 days in the unlikely event of a data breach affecting health information.

We take security seriously. If you discover a security vulnerability in Lucca, please report it responsibly so we can address it promptly.

Contact us at security@meetlucca.com with details of the vulnerability. Please include steps to reproduce the issue if possible. We will acknowledge your report within 48 hours and work to resolve confirmed vulnerabilities as quickly as possible.

Frequently asked questions