Privacy Policy
Last updated 17 July 2026. This describes, plainly and accurately, what Nelleluce AI actually collects and does with personal data — through this website and through Riley (our phone, SMS, and email receptionist).
Who we are
Nelleluce AI is operated by Lee Cullen, trading as Nelleluce AI ("we", "us"). We are the data controller for the personal data described in this policy. Contact: lee-cullen@nelleluce.com, 07512 336621.
What we collect, and why
We only collect what's needed to answer an enquiry and follow up on it. Specifically:
Phone calls to Riley
When you call our number, your phone number is visible to us, and your spoken words are converted to text by our telephony provider (Twilio) so Riley can respond. A short structured summary of the call (name, contact details, reason for calling, whether it was flagged urgent, and any notes) is saved to our call log. We do not store a full raw audio recording of calls ourselves.
SMS messages
If you text our number, we receive your phone number and message content, and a reply is generated the same way calls are handled. A record of the exchange is kept in the same way as calls.
Email sent to lee-cullen@nelleluce.com is read so a reply can be prepared. Riley only ever prepares a draft — every email reply is reviewed and sent by a person, never sent automatically.
The "Try her" demo on this website
If you use the live chat demo on this site, whatever you type is sent to our AI provider to generate Riley's reply in the browser. Demo conversations are not saved to our call log or any permanent record — they exist only for the duration of that browser session.
Browsing this website
This site does not use tracking cookies, analytics scripts, or any third-party advertising trackers. Our hosting provider (Cloudflare) processes standard connection-level technical data (like IP address) purely to serve the page and for security/DDoS protection — this is normal for any website and isn't used to build a profile of you.
Legal basis for processing
We process this data on the basis of legitimate interests — responding to enquiries made directly to us is the core, obvious purpose someone contacts us for, and processing is limited to what that requires. Where a call, text, or email leads to a business relationship, ongoing processing may also rest on steps taken prior to entering a contract, or the contract itself.
Who else sees it
We use a small number of specialist providers to actually deliver the service — each only sees what's necessary to do their specific job, and none are permitted to use your data for their own purposes:
- Twilio — handles phone calls and SMS, including converting speech to text.
- Anthropic (Claude) — generates Riley's spoken and written replies from the conversation content.
- Cloudflare — hosts this website and secures our phone/SMS infrastructure.
- Railway — hosts the server that runs Riley's call-handling logic and stores the call log.
- IONOS — hosts our business email.
Where your data is processed
Some of these providers process data outside the UK/EEA — notably, the server that runs Riley's voice service currently runs in the United States. Where that happens, we rely on our providers' own standard contractual safeguards for international transfers. (Flagged honestly: if this matters to your organisation, ask us directly which regions are involved for your specific enquiry.)
How long we keep it
Call, SMS, and email summaries are kept so we can follow up on an enquiry and maintain a record of past contact. We aim to review and remove records that are no longer needed after 12 months of inactivity. (Honest flag: as of this policy's publication, that removal is a stated commitment, not yet an automated process — ask us if you'd like a specific record deleted sooner, and we'll do it by hand.)
Your rights
Under UK GDPR, you have the right to:
- Ask what personal data we hold about you, and get a copy of it.
- Ask us to correct inaccurate data.
- Ask us to delete your data ("right to be forgotten").
- Object to, or ask us to restrict, how we use your data.
- Complain to the UK's data protection regulator, the Information Commissioner's Office (ICO), if you're unhappy with how we've handled your data.
To exercise any of these, just contact us — details above. We'll respond within one month.
Children
Our services are aimed at businesses and individuals contacting us for commercial enquiries, not children. We don't knowingly collect data from children.
Changes to this policy
If how we handle data changes meaningfully, we'll update this page and change the "last updated" date at the top.