1. Who We Are

Lutso Inc. (“Lutso,” “we,” “our,” or “us”) operates the following:

• ‍Site: lutsohealth.com
• ‍App: The Lutso mobile app for Family Caregivers
• ‍Hardware: An in-home sensor device that captures video and audio, performing all analysis and event detection locally on-device. Raw video never streams or is stored off-site; only encrypted event summaries leave the home, unless the optional Emergency Clip feature is enabled, in which case a single, encrypted 15-second clip of the incident is transmitted to a designated, legally authorized caregiver solely to verify the severity of the event and is automatically deleted from all off-site systems after delivery.An in-home sensor device that captures video/audio data and performs analysis and event detection locally on-device. It never streams or stores raw video off-site—only encrypted event summaries leave the home.
• Cloud Services: Secure servers that receive encrypted summaries from the hardware and deliver updates and alerts to the app. No raw or full-resolution video is stored.

Together they are the “Services.”

2. Information We Collect

• Account / Billing
  Details collected: Name, email, phone number, address, and payment basics (note: we do not store full card information).
  Source: You
  Why we need it*: To manage your account and subscription, provide customer support, and prevent fraud.
• Care-Environment Signals
  Details collected: On-device analytics results, motion patterns, and event logs (we do not collect full-resolution video or continuous audio).
  Source: Hardware
  Why we need it*: To generate wellness insights and alerts, and to improve detection accuracy. Anonymized snippets may be retained longer for model training purposes.
• App / Device Diagnostics
  Details collected: IP address, device ID, and crash logs.
  Source: Your phone and Lutso Hardware
  Why we need it*: For security and troubleshooting.
• Site Usage Data
  Details collected: Cookie IDs, pages viewed, and referrer information.
  Source: Browser cookies and tracking pixels
  Why we need it*: To improve site performance and (if you give consent) for optional marketing purposes.
• Support Records
  Details collected: Emails, in-app messages, and call notes.
  Source: You
  Why we need it*: To resolve support issues and train our team.

*Legal basis for collection:
‍We collect and process your data based on the performance of our contract with you, our legitimate business interests, or your explicit consent (especially for non-essential cookies and marketing use).

3. How We Use Information

• To provide, maintain, and improve the Services
• To send service and security-related notices
• To deliver insights and emergency alerts to authorized Family Caregivers
• To refine detection models using irreversibly de-identified, low-resolution data snippets
• To process payments and enforce our Terms
• To detect fraud or abuse and comply with legal obligations

4. What We Never Do

• We never allow identifiable raw video or continuous audio to leave the home
• We never sell or rent your personal data
• We never make automated decisions with legal or similarly significant effects without human review
• We do not knowingly collect data from children under 13 (see Section 9)

5. Cookies and Similar Technologies

We use the following types of cookies:

Essential Cookies:
Purpose: Security, log-in, and load balancing
These are always on.

Analytics Cookies:
Purpose: Aggregate usage tracking via Google Analytics 4 (with IP masking)
These are off by default unless you click "Accept all" or enable them in Cookie Settings.

Marketing Cookies:
Purpose: Retargeting through Google or Meta
These are off by default. Enabling them counts as “sharing” under the CPRA.

Banner Text (displayed to users):
"We use cookies to improve your experience. Essential cookies run by default; Analytics and Marketing cookies load only if you click Accept all. Click Cookie settings to manage preferences."

Essential Cookies:
Purpose: Security, log-in, and load balancing
These are always on.

Do-Not-Track signals: There is no accepted industry standard, so please use our cookie settings panel instead.

6. When We Share Information

We may share your information with the following recipients:

‍Service Providers (e.g., hosting, payments, messaging, installation services):
Used to operate core functions. These providers are bound by contractual confidentiality and security obligations.

‍Legal or Safety Authorities:
Shared only when required by law or necessary for safety. We limit disclosure to what is strictly necessary.

‍Successor Entities:
If we are involved in a merger, acquisition, or asset sale, we will give you prior notice. We require the acquiring party to uphold the same or stronger privacy protections. We prohibit all service providers and other third parties from using personal data for any marketing activities that are not directly related to delivering, maintaining, or improving this Service.

7. Data Retention

• Account and Billing Data: Retained for the duration of your subscription plus 7 years (for tax and audit purposes)
• Insights and Event Logs: Retained for 24 months, then either deleted or irreversibly de-identified and aggregated for long-term analytics or model training
• Diagnostics Data: Retained for 30 days
• Support Records: Retained for 2 years

We may retain data longer if required by law, for fraud prevention, or to resolve disputes.

8. Your Rights and Choices

A. Rights for All U.S. Users

• To opt out of marketing emails, click “unsubscribe” or email us at info@lutsohealth.com
• To make a privacy-related request, visit lutsohealth.com or call +372 5210740

B. Rights for Residents of CA, CO, CT, VA, and UT]

You have the right to access, delete, correct, port your data, or opt out of “sharing” your data for advertising purposes.

Verification process:

1. Submit your request through our website or by phone
2. We’ll send a one-time secure link and ask you to match two data points (e.g., email + last 4 digits of your phone number, or last login timestamp/IP)
3. For sensitive requests (such as deletion of care-environment data), we require a signed declaration under penalty of perjury
4. We’ll respond within 45 days (with one optional 45-day extension)

We do not sell personal information. “Sharing” happens only when you enable marketing cookies. We never request government-issued ID unless absolutely necessary to verify your identity or legal authority.

9. Children’s Privacy

Our Services are not directed at children under 13. If you believe a child has provided us with data, contact us immediately and we will delete it.

10. Security

We use TLS 1.3 for data in transit and AES-256 encryption for data at rest. Access to data is restricted based on least-privilege principles. Our firmware is signed and we conduct annual penetration testing.Note: No system is completely secure. We recommend using a strong, unique password.

11. HIPAA Notice

Lutso is not a “business associate” under HIPAA. Do not enter Protected Health Information (PHI) into any free-text fields.

12. International Data Transfers

Our servers are located in the United States. By using our Services, you consent to your data being processed in the U.S. and in any other country where we or our providers operate.

13. Changes to This Policy

If we make material changes, we will notify you by email, in-app messages, or a banner on our website at least 30 days before the change takes effect (where required by law). The “Last updated” date always reflects the current version of this policy.

14. Contact Us

Email: info@lutsohealth.com
‍Phone: +372 5210740
‍Mailing Address: Lutso Inc., 251 Little Falls Dr., Wilmington, DE 19808, US