Effective June 30, 2025

Privacy Policy

Last updated March 17, 2026

Notice at Collection — California Civil Code § 1798.100. Lutso collects personal information categories listed in Section 2 only for purposes in Section 3. The company does not “sell” personal information but “shares” it only when users enable Marketing cookies. See Section 8(B) for CCPA/CPRA rights.

1. Who We Are

Lutso Inc. (“Lutso,” “we,” “our,” or “us”) operates:

  • Site: lutsohealth.com
  • App: The Lutso mobile app for Family Caregivers
  • Hardware: An in-home sensor device that captures video and audio and analyzes them locally. Raw video is never streamed or stored off-site; only encrypted event summaries leave the home unless the optional Emergency Clip feature is enabled, in which case a single encrypted 15-second clip is transmitted to authorized caregivers for severity verification and automatically deleted after delivery.
  • Cloud Services: Secure servers receiving encrypted summaries, delivering updates and alerts to the app. No raw or full-resolution video is stored.

Together, these constitute the “Services.”

2. Information We Collect

Account / Billing

  • Details: Name, email, phone number, address, and payment basics (full card information is not stored). Phone numbers are used for SMS, including one-time passcodes (OTP).
  • Source: You
  • Why needed: Account and subscription management, customer support, fraud prevention.

Care-Environment Signals

  • Details: On-device analytics results, motion patterns, event logs (no full-resolution video or continuous audio).
  • Source: Hardware
  • Why needed: Generate wellness insights and alerts; improve detection accuracy. Anonymized snippets are retained longer for model training.

App / Device Diagnostics

  • Details: IP address, device ID, crash logs.
  • Source: Your phone and Lutso Hardware
  • Why needed: Security and troubleshooting.

Site Usage Data

  • Details: Cookie IDs, pages viewed, referrer information.
  • Source: Browser cookies and tracking pixels
  • Why needed: Improve site performance and (with consent) optional marketing purposes.

Support Records

  • Details: Emails, in-app messages, call notes.
  • Source: You
  • Why needed: Resolve support issues and train our team.

Legal basis for collection: Data collection is based on contract performance, legitimate business interests, or explicit consent (especially for non-essential cookies and marketing).

3. How We Use Information

  • To provide, maintain, and improve the Services
  • To send service and security-related notices
  • To deliver insights and emergency alerts to authorized Family Caregivers
  • To refine detection models using irreversibly de-identified, low-resolution data snippets
  • To process payments and enforce Terms
  • To detect fraud or abuse and comply with legal obligations
  • To send one-time passcode (OTP) text messages for account authentication. Caregivers receive one SMS per login session; those working regular overnight shifts may receive up to 31 messages monthly. Message and data rates may apply. Reply STOP to opt out or HELP for assistance. Phone numbers are not sold, rented, or shared with third parties or affiliates for marketing. Numbers collected for SMS authentication are used solely for delivering passcodes for shift login.

4. What We Never Do

  • We never allow identifiable raw video or continuous audio to leave the home
  • We never sell or rent your personal data
  • We never make automated decisions with legal or similarly significant effects without human review
  • We do not knowingly collect data from children under 13 (see Section 9)

5. Cookies and Similar Technologies

Essential Cookies

  • Purpose: Security, log-in, and load balancing
  • Always enabled.

Analytics Cookies

  • Purpose: Aggregate usage tracking via Google Analytics 4 (with IP masking)
  • Off by default unless you click “Accept all” or enable in Cookie Settings.

Marketing Cookies

  • Purpose: Retargeting through Google or Meta
  • Off by default. Enabling counts as “sharing” under CPRA.

Banner text (displayed to users)

“We use cookies to improve your experience. Essential cookies run by default; Analytics and Marketing cookies load only if you click Accept all. Click Cookie settings to manage preferences.”

Do-Not-Track signals

There is no accepted industry standard for Do-Not-Track signals; use the cookie settings panel instead.

6. When We Share Information

Information may be shared with:

Service Providers

Hosting, payments, messaging, and installation services — used to operate core functions. Providers are bound by contractual confidentiality and security obligations.

Legal or Safety Authorities

Information is shared only when required by law or necessary for safety. Disclosure is limited to strictly necessary information.

Successor Entities

If we are involved in a merger, acquisition, or asset sale, prior notice will be given. The acquiring party is required to uphold the same or stronger privacy protections. Service providers and third parties are prohibited from using personal data for marketing activities not directly related to delivering, maintaining, or improving the Service.

7. Data Retention

  • Account and Billing Data: Duration of subscription plus 7 years (tax and audit purposes)
  • Insights and Event Logs: 24 months, then deleted or irreversibly de-identified and aggregated for long-term analytics or model training
  • Diagnostics Data: 30 days
  • Support Records: 2 years

Data may be retained longer if required by law, for fraud prevention, or to resolve disputes.

8. Your Rights and Choices

A. Rights for All U.S. Users

  • To opt out of marketing emails, click “unsubscribe” or email info@lutsohealth.com
  • To make privacy-related requests, visit lutsohealth.com or call +372 5210740

B. Rights for Residents of CA, CO, CT, VA, and UT

You have the right to access, delete, correct, port your data, or opt out of “sharing” your data for advertising purposes.

Verification process:

  1. Submit a request through the website or by phone
  2. Receive a one-time secure link; match two data points (e.g., email + last 4 phone digits, or last login timestamp/IP)
  3. For sensitive requests (such as deletion of care-environment data), a signed declaration under penalty of perjury is required
  4. Response within 45 days (with one optional 45-day extension)

Lutso does not sell personal information. “Sharing” occurs only when marketing cookies are enabled. Government-issued ID is never requested unless absolutely necessary to verify identity or legal authority.

9. Children’s Privacy

The Services are not directed at children under 13. If you believe a child provided data, contact us immediately and we will delete it.

10. Security

TLS 1.3 is used for data in transit and AES-256 encryption for data at rest. Access is restricted based on least-privilege principles. Firmware is signed, and annual penetration testing is conducted. No system is completely secure; strong, unique passwords are recommended.

11. HIPAA Notice

Lutso is not a “business associate” under HIPAA. Do not enter Protected Health Information (PHI) into free-text fields.

12. International Data Transfers

Servers are located in the United States. By using the Services, you consent to data processing in the U.S. and any other country where Lutso or its providers operate.

13. Changes to This Policy

Material changes trigger notification by email, in-app message, or website banner at least 30 days before taking effect (where required by law). The “Last updated” date reflects the current policy version.

14. Contact Us

Email: info@lutsohealth.com

Phone: +372 5210740

Mailing Address:
Lutso, Inc.
101 Rainbow Drive PMB 11758
Livingston, TX 77399
United States

Questions about your privacy?

Email info@lutsohealth.com — a real person reads every message.