Privacy Policy

1.1.Lucid is an AI creative agency operated by Kirill Stanyakin (the "Controller", "we", "us") based in the Russian Federation. We provide AI-generated photo, video and avatar production services to clients worldwide.

1.2.This Privacy Policy describes how we collect, use and protect personal data of visitors to https://lucid.su (the "Website") and clients who contact us through the Website.

1.3.For the purposes of the EU General Data Protection Regulation (GDPR), we act as the data controller for personal data collected through the Website.

1.4.If you have any questions about this policy or how we handle your data, contact us at hello@lucid.su.

2.1.We collect personal data that you provide voluntarily through the Website's contact form, namely:

• name;
• contact details (email address, phone number, Telegram handle);
• company or project name (optional);
• link to your website, Instagram or reference (optional);
• service preferences and any comments you choose to share.

2.2.We automatically collect limited technical data when you visit the Website: IP address (hashed for rate-limiting), browser user agent, referring URL, and the date and time of the request.

2.3.We do not knowingly collect data from children under 16. If you believe we hold data of a minor, contact us and we will delete it.

2.4.We do not collect special categories of personal data (such as health, biometric, political opinions, religious beliefs, sexual orientation).

3.1.We use your personal data only for the following purposes:

• to respond to your inquiry and discuss your project with you;
• to prepare a proposal, contract and invoice if we move forward together;
• to deliver the agreed services and communicate during their delivery;
• to keep records as required by tax and accounting laws;
• to protect the Website against spam and abuse (rate-limiting based on hashed IP);
• to measure aggregated traffic and improve the Website (see Section 9).

3.2.We do not use your personal data for automated decision-making (including profiling) that produces legal or similarly significant effects.

3.3.We do not sell your personal data to third parties and we do not use it for direct marketing without your explicit consent.

4.1.Under GDPR Article 6, we rely on the following legal bases:

• Consent (Art. 6(1)(a)) — when you submit the contact form, you explicitly agree to the processing of your personal data for the purposes described above. You may withdraw consent at any time.
• Performance of a contract (Art. 6(1)(b)) — when we move from inquiry to delivery, processing is necessary to prepare and perform our service contract with you.
• Legitimate interests (Art. 6(1)(f)) — for fraud prevention, network security (rate-limiting) and aggregated analytics that help us run and improve the Website.
• Legal obligation (Art. 6(1)(c)) — for tax, accounting and other statutory record-keeping where it applies.

5.1.We share your data only with the third parties strictly necessary to operate the Website and deliver our services:

• Telegram (Telegram FZ-LLC) — we send a notification message containing your inquiry to our internal Telegram chat so we can respond quickly. The message is routed through a Cloudflare Worker we operate as an intermediary.
• Cloudflare, Inc. — operates the relay infrastructure for the above notification.
• Yandex Metrica (Yandex LLC) — anonymized aggregated analytics about Website traffic (see Section 9).
• Hosting provider — server infrastructure in the Russian Federation where the Website and our database are physically stored.

5.2.We may also share data with law enforcement or regulatory authorities where required by law.

5.3.We never sell or rent your personal data to advertisers or data brokers.

6.1.Our servers and primary database are located in the Russian Federation. The Russian Federation does not currently have an adequacy decision from the European Commission.

6.2.By submitting your data through the contact form, you explicitly consent to the transfer and storage of your personal data in the Russian Federation, in line with GDPR Article 49(1)(a).

6.3.We apply technical and organizational measures (TLS in transit, access controls, hashed IPs, rate limiting) to protect data regardless of where it is stored.

6.4.If you would prefer that we do not store your data in the Russian Federation, please contact us at hello@lucid.su before submitting the contact form.

7.1.We retain personal data only as long as necessary for the purposes for which it was collected:

• Inquiry data (form submissions that do not result in a contract): up to 12 months, then deleted.
• Client data (when we deliver a project): for the duration of the engagement plus the period required by applicable tax and accounting laws (typically up to 5 years after delivery).
• Telegram notifications: retained in our internal chat in line with Telegram's own retention rules; we delete on request.
• Aggregated analytics: anonymized and retained indefinitely (no individual identification).

7.2.You may request deletion of your data at any time (see Section 8).

8.1.If you are located in the European Economic Area, the United Kingdom or Switzerland, you have the following rights under GDPR:

• Right of access (Art. 15) — obtain a copy of the personal data we hold about you.
• Right to rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
• Right to erasure (Art. 17, "right to be forgotten") — ask us to delete your data, subject to legal exceptions.
• Right to restriction of processing (Art. 18) — ask us to pause processing in certain circumstances.
• Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
• Right to object (Art. 21) — object to processing based on legitimate interests.
• Right to withdraw consent (Art. 7(3)) — withdraw consent at any time, without affecting prior processing.
• Right to lodge a complaint with a supervisory authority (Art. 77) in your country of residence.

8.2.To exercise any of these rights, email hello@lucid.su. We will respond within 30 days. We may ask for additional information to verify your identity.

9.1.The Website uses Yandex Metrica for aggregated traffic analytics. Yandex Metrica may set cookies and use anonymized identifiers to measure session length, page views and referral sources. It does not enable us to personally identify you.

9.2.We do not currently display a cookie consent banner. If you are visiting from the EEA, UK or Switzerland and want to opt out of analytics, you can do so via your browser's privacy controls (e.g. "Do Not Track" or blocking third-party cookies), or by contacting us at hello@lucid.su.

9.3.Yandex's own privacy notice is available at yandex.com/legal/confidential.

10.1.We protect your personal data with technical and organizational measures appropriate to the risk:

• TLS encryption for all traffic between your browser and our server;
• access control: only the controller (Kirill Stanyakin) has access to the contact-form database;
• IP addresses are hashed (SHA-256) before being used for rate-limiting; the raw IP is not stored;
• regular backups of the database, stored with the same access controls;
• basic security headers (X-Content-Type-Options, Referrer-Policy, Permissions-Policy) on all pages.

10.2.In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required, notify you directly without undue delay.

11.1.We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. The "Last updated" date at the top of the page will always reflect the current version.

11.2.For material changes, we will make reasonable efforts to provide notice, for example by adding a banner to the Website or contacting you directly if you are an active client.

11.3.The current version of this policy is always available at https://lucid.su/en/privacy.

12.1.For any question about this Privacy Policy, to exercise your GDPR rights, or to raise a concern about how we handle your data, write to hello@lucid.su.

12.2.If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority of your EU member state, or with the UK Information Commissioner's Office (ico.org.uk) if you are in the United Kingdom.

12.3.We will always try to resolve concerns directly first — please reach out before filing a complaint, and we will do everything reasonable to make things right.