Legal

Privacy Policy

Last updated: 5 June 2026 · Effective date: 1 June 2026

In short: we collect what we need to answer your enquiry and run the evaluations you ask us to, we don’t train AI on your content, and we don’t sell your data.

1. Who we are

We are Lucid MedComms, operated by Feisia Dam as a sole trader (ABN 45 941 988 285), of Sydney, Australia (“Lucid”, “we”, “us”, “our”). Lucid Audience Lab is a service line of Lucid MedComms, accessible at lab.lucidmedcomms.com (the “Service”).

The Service is operated from Australia under Australian privacy law. We are the entity responsible for personal information collected through the Service. We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. What this policy covers

This Privacy Policy explains how we collect, use, store, and disclose personal information when you enquire about or use the Service. It applies to all visitors to the Site and customers of the managed service.

It works alongside our Terms of Service — the agreement between you and us. A Data Processing Agreement is available for enterprise customers on request.

3. What we collect

Lucid Audience Lab is a managed service — you do not create an account or sign in. We collect:

Enquiry information (when you complete our contact form):

your name;
your work email address;
the role you select;
the project details you describe; and
whether you opt in to receive occasional updates and offers.

Content you send for evaluation (once we have scoped an engagement): the content asset(s) you send us (by email or a shared link) and your brief — the audience, therapy area, and what you want to learn.

We do not keep your original files — to run your evaluation we may download the asset to a working device, and we delete it once your report has been generated. The text we extract is deleted within 30 days of delivery (see Section 5).

Evaluation outputs: the structured report we generate — scores, panel design, suggested improvements, and quote bank.

Billing information (only if you purchase a pack, via Stripe or our accounting system): the pack purchased, an invoice/customer identifier, and invoices issued. Stripe handles card details directly; we do not store them.

Correspondence: emails you send us and our replies.

Operational logs: when we run an evaluation, each AI model call is logged with the model used, tokens consumed, cost, and timing, for cost and quality monitoring. These logs do not contain your contact details.

4. How we use your information

We use your information to:

respond to your enquiry and scope an engagement;
run the evaluations you ask us to and deliver your reports;
invoice you and keep tax records;
communicate with you about your engagement (acknowledgement, delivery, follow-up);
send marketing communications, only where you have consented (you may unsubscribe at any time);
comply with legal obligations (tax, audit, regulator requests);
detect, prevent, and address security incidents and misuse; and
operate, maintain, and improve the Service, using aggregated, de-identified signals only.

We do not sell your personal information. We do not share it with advertisers.

4a. Automated decision-making

The Service uses generative artificial intelligence (currently Anthropic Claude) to produce simulated audience reactions to content you send us.

The Service does not use your personal information to make any decision with legal or similarly significant effect about you. Specifically:

the AI panel members are simulated, not real people — they are not making decisions about real individuals;
the Outputs are advisory; you apply your own editorial judgement to decide what to do with them; and
the personal information we collect from you (name, work email, role) is used to manage your enquiry and engagement, not for any decision affecting your rights or interests.

This disclosure is provided in anticipation of the additional APP 1 obligations under the Privacy and Other Legislation Amendment Act 2024 (Cth) (commencing 10 December 2026).

5. Content you send for evaluation

We do not keep your original files. To run your evaluation, we may download the asset you send us to a working device. We delete it once your report has been generated.

Extracted text from your content is retained to deliver your evaluation, then deleted within 30 days of delivery.

Evaluations, scores, reports, and the quote bank generated from your content are retained so we can deliver and re-share them with you; they are deleted on request, subject to the exceptions in Section 8.

We do not fine-tune or train any AI model on your content. Not now, not later. This applies to Lucid’s own models (we train none) and to Anthropic Claude — Anthropic’s Commercial Terms § B state Anthropic may not train models on customer content from its services.

5a. Personal information within content you send

The Service is designed to process draft promotional or communications content — not personal information about real individuals. You should not send content containing personal information (such as HCP names, prescriber feedback, patient narratives, or identifiable individuals’ contact details) unless you have obtained the necessary consents under the Privacy Act and the APPs, including consent for cross-border processing under APP 8 (AI inference is performed in the United States — see Section 7).

If you send content containing personal information, you are responsible for ensuring those consents are in place. We rely on this in providing the Service to you.

Protected health information (PHI), identifiable patient data, and other regulated health data must not be sent — see the Terms of Service.

6. Sub-processors

We use the following sub-processors to operate the Service. Each is bound by contract to handle your information securely.

Provider	Purpose	Region
Anthropic, PBC	AI model inference (Claude)	United States
Supabase Inc.	Database hosting (evaluation outputs, operational logs)	Sydney, Australia
Vercel Inc.	Website and report-viewer hosting	Global / US primary
Resend	Email delivery	United States
Stripe, Inc.	Payment processing — only if you purchase a pack	United States
Google LLC	Website analytics (Google Analytics 4) — site-visitor usage only, not evaluation content	United States

7. Cross-border data transfers (APP 8)

Some of our sub-processors are based outside Australia:

evaluations run on Anthropic infrastructure in the United States;
Resend, Vercel, and Stripe operate primarily in the United States;
website analytics (Google Analytics) are processed by Google, primarily in the United States; and
our database (Supabase) is in Sydney, Australia.

APP 8 reasonable steps. Before disclosing your personal information to an overseas recipient, we take reasonable steps to ensure they do not breach the Australian Privacy Principles. Anthropic is bound by its Commercial Terms § B no-training commitment and contractual confidentiality; Stripe, Resend, Vercel, and Google are bound by their published data-processing agreements (links available on request).

Accountability. Under s 16C of the Privacy Act, we remain accountable to you for the handling of your personal information by these overseas recipients.

Your acknowledgement. By sending us content for evaluation, you acknowledge this cross-border processing.

8. How long we keep your data

Data	Retention
Files you send (PDF, DOCX, image)	Downloaded to run your evaluation, then deleted once your report has been generated
Extracted text of your content	Deleted within 30 days of report delivery
Evaluations, scores, reports, quote bank	Kept so we can re-share them with you; deleted on request, except where required for tax, legal, or audit purposes
Operational logs (model, tokens, cost)	12 months, then purged
Enquiry details	While we are in contact and a reasonable period afterwards, in case you re-engage; deleted on request
Billing records (invoices)	7 years (Australian tax recordkeeping)
Correspondence	24 months
Share-link tokens	Auto-expire after 30 days

9. Your rights

Under the Privacy Act 1988, you have the right to:

Access the personal information we hold about you;
Correct information that is inaccurate, out of date, incomplete, irrelevant, or misleading;
Request deletion of your personal information (subject to retention obligations, such as billing records);
Withdraw consent to marketing communications at any time; and
Make a complaint to us first, and then to the OAIC if unresolved (Section 10).

To exercise any of these rights, email hello@lucidmedcomms.com. We will verify your identity and respond within a reasonable time, free of charge.

10. How to make a privacy complaint

Email us first at hello@lucidmedcomms.com. We will acknowledge within five working days and respond substantively within 30 days.
Escalate to the Office of the Australian Information Commissioner (OAIC) if you are not satisfied with our response.

11. Security

All traffic is TLS-encrypted (TLS 1.2+) in transit.
Our database is encrypted at rest (AES-256, Supabase-managed).
Access to your information is restricted to the Lucid team and is logged.

If we become aware of a data breach that is likely to result in serious harm, we will notify you and the OAIC in accordance with the Notifiable Data Breaches scheme (Part IIIC, Privacy Act 1988).

12. Cookies and analytics

We use first-party cookies for two purposes: a small number that are strictly necessary to operate the site, and analytics cookies set by Google Analytics 4 (the _ga and _ga_* cookies) that help us understand how visitors find and use the site so we can improve it.

What Google Analytics collects: the pages you view, how you arrived (for example, a search engine or a referring link), your device and browser type, your approximate (city-level) location, and on-page interactions such as clicks and scrolls. Google Analytics 4 does not log or store your IP address — it uses it only momentarily to derive that approximate location, then discards it. We review this information in aggregate to understand traffic trends; we do not use it to identify you.

This analytics data is processed by Google LLC, including on infrastructure in the United States (a cross-border disclosure — see Section 7). We take reasonable steps under APP 8, relying on Google’s published data-processing terms. We do not enable Google’s advertising or remarketing features (Google Signals), and we do not use advertising cookies, remarketing pixels, third-party cross-site tracking, or session-replay tools.

How to opt out: you can decline or delete cookies in your browser settings, or install Google’s Analytics Opt-out Browser Add-on. See also Google’s Privacy Policy and how Google uses information from sites that use its services.

13. Children’s information

The Service is a business service for professionals and is not intended for anyone under 18. We do not knowingly collect personal information from anyone under 18. If you believe we have, email hello@lucidmedcomms.com and we will delete it.

14. Changes to this policy

We may update this policy from time to time. For material changes(to what we collect, how we use it, sub-processors, retention periods, or your rights), we will take reasonable steps to bring them to your attention. The “last updated” date at the top reflects the latest version. This policy works together with our Terms of Service.

15. Contact

Privacy questions and complaints: hello@lucidmedcomms.com
Security disclosures / data-handling questions: trust@lucidmedcomms.com
Postal address: PO Box 583, Gladesville NSW 1675, Australia
ABN: 45 941 988 285
OAIC: oaic.gov.au

Lucid MedComms · ABN 45 941 988 285 · Sydney, Australia