Privacy Policy
Effective date: 2026-04-16
Last updated: 2026-04-16
This Privacy Policy explains how Honey Badger Apps LLC ("we," "us," "Honey Badger," or "Lucora") collects, uses, discloses, and protects information in connection with Lucora RM (the "Service"). Capitalized terms not defined here have the meanings given in the Terms of Service.
We've written this policy to be specific and readable. If anything is unclear, email privacy@lucora.app.
1. Who we are and what this policy covers
The Service is provided by Honey Badger Apps LLC, a North Carolina limited liability company. This policy covers personal information we process when you visit lucora-rm.app or use the Service. It does not cover third-party sites or tools we link to (they have their own policies), nor the public marketing content on our website that does not require an account.
Lucora RM shares an account system with other Lucora products (including Lucora and Lucora PM). Your account profile data (email, password hash, two-factor secret) is maintained by the shared Lucora identity system and is governed by this policy when used in the context of Lucora RM.
2. Information we collect
2.1 Information you provide
- Account profile. Email address, display name, hashed password (hashed with bcrypt — we never store your password in plaintext), and two-factor authentication secret if you enable 2FA. Provided through the shared Lucora identity system during signup.
- Organization and project data. Organization name, project names and slugs, membership and role assignments, invitation emails.
- Customer Content. Requirements, requirement attributes (title, description, status, priority, owner, tags, rationale, custom fields), trace links, comments, baselines, review decisions, document templates, generated documents, and any files you upload as attachments. This is what you intentionally put into the Service to do your work.
- Uploaded documents for AI import. Word, PDF, Excel, and Markdown files you submit to AI-assisted import, and any source passages the Service retains to enable re-running AI on the original text.
- Support communications. Messages, bug reports, and feedback you send to us, including the account email associated with the conversation.
2.2 Information we collect automatically
- Audit log data. Lucora RM is designed around an append-only audit log. Every write action (create, update, delete of items, links, and related records) is recorded with actor identity (your user ID), server timestamp, the before/after payload, and a chained content hash. This is a core product feature — not behavioral analytics — and exists to make your data defensible under regulated quality-system audits.
- Status events. Lifecycle transitions (e.g., draft → in review → approved) are recorded with actor, timestamp, optional reason, and a content hash of the affected item.
- Technical logs. Our infrastructure records request logs including IP address, user-agent, request timing, and error traces, retained for a limited period for security, debugging, and abuse prevention.
- Cookies and local storage. A single authentication cookie (rm-token) that is httpOnly, secure, and SameSite-scoped, used to keep you signed in. Your theme preference (dark/light) is stored in browser local storage on your device and never transmitted. We do not use advertising cookies, behavioral-analytics cookies, or tracking pixels.
2.3 Information we do not collect
- No advertising profile. We do not build advertising profiles, we do not track you across the web, and we do not sell your information.
- No product analytics (today). During early access, Lucora RM does not run a third-party product-analytics SDK. If we add one in the future, we will update this policy and list it as a sub-processor in Section 6 before enabling it.
- No Protected Health Information (PHI). You agree not to submit PHI as defined by HIPAA unless a Business Associate Agreement is in place. See Section 10.
3. How we use information
We use the information described above to:
- Operate the Service — authenticate you, render your organizations and projects, save changes, run imports, generate exports, and render documents.
- Send transactional email — confirmations, password resets, invitations, @-mention notifications, review-assignment notifications, baseline-approval notifications. Transactional email only; no marketing email during early access.
- Run AI features you invoke — transmit relevant Customer Content to our AI sub-processor for inference when you explicitly use smart import, trace suggestions, quality scoring, document prose, or similar features. Details in Section 4.
- Maintain the audit and baseline integrity — persist the append-only history that makes requirements traceable and auditable.
- Secure the Service — detect, investigate, and respond to security incidents and abuse; rate-limit and suspend accounts as needed.
- Support you — respond to your emails and in-app support requests.
- Improve the Service — diagnose bugs and performance issues from logs; understand aggregate usage patterns only at levels that do not identify individuals. We do not use Customer Content to train machine-learning models.
- Comply with legal obligations — respond to lawful requests and enforce our Terms of Service.
4. AI features — how your content is processed
When you invoke an AI feature (smart import, find trace, suggest artifact, quality scoring, prose generation), the Service transmits the relevant portion of your Customer Content (and, for document uploads, the file itself) to Anthropic PBC via its commercial API, receives a structured response, and stages that response for your review in the Service.
Key points:
- AI features are user-initiated — they never run automatically against your content.
- Under Anthropic's commercial API terms as of the Effective Date, Anthropic does not use API inputs or outputs to train its models. We will update this policy if that changes.
- We do not retain a secondary copy of your content with Anthropic beyond what is needed to service your request; source passages kept for "re-run on original" operate within our own infrastructure, not with Anthropic.
- If you prefer not to use AI features, do not invoke them. No AI processing happens on your content without an action you take.
5. Legal bases (EEA / UK users)
If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under GDPR / UK GDPR:
- Contract (Art. 6(1)(b)) — to provide the Service you signed up for.
- Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent abuse, debug, and develop the product. We believe these interests are not overridden by your rights.
- Consent (Art. 6(1)(a)) — for any processing we identify as consent-based (none during early access beyond your voluntary use of AI features).
- Legal obligation (Art. 6(1)(c)) — where we must retain records or respond to lawful requests.
6. Sub-processors and how we share information
We do not sell personal information. We share it with service providers who process it on our behalf, under contract, for the purposes described:
| Sub-processor | Role | Location |
|---|---|---|
| Neon, Inc. | Managed PostgreSQL database hosting (stores account, project, items, links, audit log) | United States |
| Amazon Web Services (AWS) | S3 object storage for attachments and generated document archives; SES for transactional email delivery | United States |
| Vercel, Inc. | Application hosting, serverless functions, CDN, server-side request logs | United States |
| Anthropic PBC | AI inference via the Claude API, for user-invoked AI features only | United States |
We may also disclose information:
- With your direction — e.g., when you invite a collaborator, export data, or otherwise choose to share through the Service.
- To comply with law — in response to a lawful subpoena, court order, or other valid legal process, after review for scope and applicability.
- To protect rights and safety — to investigate fraud, enforce our Terms, or protect the security of the Service and its users.
- In a business transaction — if we are involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to confidentiality. We will notify you of any such transfer and material change in ownership.
We will update this policy when we add, change, or remove sub-processors.
7. International data transfers
Our infrastructure is located in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. For EEA / UK transfers, we rely on Standard Contractual Clauses where required by our sub-processors' terms. You can request a copy of the relevant clauses from privacy@lucora.app.
8. Data retention
- Active-account data — retained for as long as your account and organization are active.
- Audit log and status events — retained for the lifetime of the project. These are append-only by design; individual entries cannot be deleted without destroying the integrity of the chain. When you delete an item or a link, the audit entry recording its deletion is preserved, though we will minimize the payload on request where legally permissible.
- Approved baselines and frozen documents — retained for the lifetime of the project, because their integrity is the feature you relied on when approving them.
- Backups — infrastructure backups may retain data for up to 35 days after deletion from active systems.
- Technical logs — retained for up to 30 days, then deleted or aggregated.
- Support communications — retained for up to 3 years after the last interaction, then deleted.
- After account deletion — we will delete active Customer Content within 30 days of your request, except for (a) audit-chain records described above, (b) backups which will age out on schedule, and (c) records we must retain to comply with law or resolve disputes.
9. Your rights and choices
You have the following rights, subject to applicable law and the audit-integrity caveats above:
- Access — see most of your data directly in the Service.
- Export — download your requirements, links, baselines, attachments, and audit history through in-app export (Excel, JSON, PDF). On request we will produce a full-project export.
- Correction — edit Customer Content directly in the Service; for account profile changes, use account settings or contact us.
- Deletion — delete projects, organizations, and your account. Contact privacy@lucora.app to request deletion of specific content or your account. See Section 8 on retention limits.
- Object or restrict processing — applicable to EEA/UK users under GDPR. Contact us.
- Portability — already provided by export (Section 9 above).
- Withdraw consent — where processing is based on consent, you may withdraw at any time.
- Lodge a complaint — EEA/UK users may complain to their local data protection authority; we ask that you give us a chance to address the issue first.
How to exercise. Email privacy@lucora.app from the address on your account, or use the in-app controls where available. We will respond within 30 days (or sooner where required).
10. HIPAA and Protected Health Information
During the early-access period, Honey Badger does not sign Business Associate Agreements. The Service is not configured to be a HIPAA business associate by default. Do not submit Protected Health Information (PHI) — as defined by HIPAA — to the Service unless we have entered into a written BAA with you.
If you have a need to process PHI in Lucora RM, email privacy@lucora.app to discuss BAA availability on commercial tiers.
11. Security
We use industry-standard measures to protect information, including:
- TLS for all data in transit;
- bcrypt hashing of passwords and TOTP secret storage for 2FA;
- httpOnly, secure, SameSite-scoped authentication cookies;
- least-privilege access to production systems;
- server-side enforcement of organization, project, and role permissions on every request;
- content-hashed, chained audit logs that make tampering detectable;
- at-rest encryption provided by our infrastructure sub-processors (Neon, AWS).
No system is perfectly secure. If you believe your account or our Service has been compromised, email security@lucora.app as soon as possible.
12. California residents (CCPA / CPRA)
Under the California Consumer Privacy Act as amended, California residents have rights to know, delete, correct, and limit certain uses of personal information, and to not be discriminated against for exercising these rights.
- Categories collected in the last 12 months. Identifiers (email, user ID, IP address); commercial information (if/when you purchase a subscription); internet or network activity information (request logs); professional information (role, organization); and content you voluntarily submit as Customer Content.
- Sources. Directly from you, from automatic collection during use of the Service, and from our shared Lucora identity system.
- Purposes. As described in Section 3.
- Sharing. With the sub-processors listed in Section 6, under contract.
- Sale or sharing for cross-context advertising. We do not sell or share personal information for cross-context behavioral advertising.
- Sensitive personal information. We do not use sensitive personal information to infer characteristics about you.
To exercise California rights, email privacy@lucora.app. We will verify your request using the email on your account. You may designate an authorized agent; we may require verification of their authority.
13. Children's privacy
The Service is not directed to children. We do not knowingly collect personal information from anyone under 13 (or under 16 in the EEA/UK). If you believe a child has provided information to us, email privacy@lucora.app and we will delete it.
14. Changes to this policy
We may update this policy to reflect changes to our practices, features, or legal obligations. If we make material changes, we will notify you by email or by a prominent in-Service notice at least 14 days before the changes take effect (or sooner if legally required), and we will update the "Last updated" date above. Historical versions are available on request.
15. Contact us
- Email (privacy requests): privacy@lucora.app
- Email (security reports): security@lucora.app
- Postal: Honey Badger Apps LLC — available on written request to privacy@lucora.app.
Honey Badger Apps LLC is the data controller (for GDPR purposes) of personal information processed in the Service.