Lucy® & GDPR

Below you will find information that will address some of the most frequently asked questions that surround what Lucy is doing to assist its customers in becoming GDPR compliant by May 25th, 2018 and beyond.


How does Lucy protect data? 

Lucy is hosted on Microsoft Azure. Azure has several data hosting and other processing locations where data processing takes place. To learn more about these locations, click here


Processing of Personal Data

How does Lucy securely and confidentially process personal data which includes personal data that falls under special categories as indicated in the GDPR articles?

Lucy is a web-based, multi-tenant, software-as-a-service (SaaS) digital-marketing operating system that is a data-driven solution with a flexible data schema that allows customers to determine the data elements to be stored, collected, and processed. Lucy treats all data and content as confidential. For more information on confidentiality and privacy and terms of use, in-depth information can be found in our Privacy Policy.


Lucy's commitment to GDPR readiness

Data Storage and Processing

Lucy stores all structured (“contact list”) data on database servers, encrypted at rest (on disk) by the production storage array (US hosting) or database-management system (other hosting geographies).


Lawful Basis Of Processing

Lucy has appended its Privacy Policy to include customers consent to include personal information including name, email addresses. We collect publicly accessible data from the social media networks usually is based on “legitimate interest” (and not on the social media users’ consent). The concept of “legitimate interest” and the associated balancing of interests are regulated under Art. 6 (f) GDPR. Lucy sees no relevant changes in the legal foundation of such data processing operations. Lucy will be happy to support our customers in their balancing of interests and their documentation of the legitimate interest. Please note that Lucy is not a law firm and may not provide individual legal advice to our customers, but only general opinion and “food for thought.”


Withdrawal of consent (or opt out)

Lucy has updated its Privacy Policy and Terms to include an email address whereby any customer can request an opt out. We will delete their information and provide an email to the effect of deletion of personal information.



You will be able to request a GDPR-compliant delete of your name and email address in your Lucy application login.


Access / Portability

Lucy enables you to grant any access/portability request by easily exporting any contact record into a machine-readable format.



In Lucy, if a customer asks you to change her information, you (or your portal admin) can do so from within her contact record.