Skip to content
LUTYO

Trust & Privacy

Built so we cannot look.

Analysis happens on the device. What reaches our servers is encrypted with keys only you hold. LUTYO is cryptographically blind to your drivers' data — not a policy promise, an architectural fact.

01 — The principle

Privacy is the architecture, not a setting.

Three properties hold together. Each is built into how the system works, so none depends on us behaving well.

On-device by design

The AI reads driving signals where they are created. Raw personal data never has to leave the driver's hardware.

Encrypted to you

Your data is encrypted with keys only you hold. No LUTYO key sits in the loop, so LUTYO cannot decrypt it.

Anonymised by separation

Behaviour signals are detached from identity before they reach the cloud. We see patterns, never people.

a3f9 7c21 e0b4 5d18 9e42 61ac 0fd7 33b1 7c1d bb90 e4a2 118f d5e0 4a19 92cf 6b73 2f8c a071 e39d 44be 10a2 CRYPTOGRAPHICALLY BLIND Built so we cannot look. There is no LUTYO key, IAM grant, or admin lever that can decrypt your data.

02 — How your key works

Your key, wrapped three ways.

The key that decrypts your data is created on your side and stored only as ciphertext. You reach it three independent ways — none of which LUTYO can reproduce.

Passkey

A biometric tap — Touch ID, Face ID, or a security key. The silent daily unlock.

Password

Your everyday sign-in, filled by your password manager.

Recovery secret · 2 of 3

Any two of three shares rebuild the key — break-glass only, if you lose the rest.

LUTYO stores only the wrapped, encrypted key — never the key itself.See how it works →

03 — Anonymised by separation

What leaves the device is stripped of identity.

Profiling happens on the device. Two things can leave it: anonymised signals with identity removed, and a behaviour profile encrypted to your key. Nothing else.

Stays on the device

Raw signals and the on-device AI that reads them. Your behaviour profile is built here and encrypted to your key.

Reaches the cloud

Only anonymised signals and encrypted data. LUTYO sees aggregated patterns, never a named person, and cannot decrypt what it holds.

Only anonymised signals and encrypted profiles ever cross the boundary.See the data-flow →

04 — Data residency

Isolated by region.

We run in the United Kingdom, United States, Canada, and the United Arab Emirates today, and add regions as we grow. Each customer lives in one region's isolated account, and data never crosses between them.

DATA RESIDENCY 🇬🇧 United Kingdom eu-west-2 🇺🇸 United States us-east-1 🇨🇦 Canada ca-central-1 🇦🇪 United Arab Emirates me-central-1 Your data stays in your region. Isolated per customer, key material never crosses — and we add regions as we grow.

05 — Plain-English FAQ

The questions diligence asks.

Can LUTYO read my drivers' data?

No. It is encrypted with keys only you hold. No LUTYO key, IAM grant, or admin lever can decrypt it.

Do drivers need a smartphone?

No. The platform is hardware-agnostic — a phone, a telematics unit, or the vehicle's own compute all work.

What if someone loses their device?

The key is rebuilt from a 2-of-3 recovery secret. A lost or stolen device never exposes data on its own.

Where is my data stored?

In one region you choose — UK, US, Canada, or UAE — in an account isolated from every other customer. It does not cross regions.

What can LUTYO actually see?

Anonymised, aggregated network patterns. Never a named individual, never a driver's raw data.

Is this a policy or a guarantee?

An architectural fact. The design removes our ability to decrypt — there is nothing to promise not to do.

This page is our privacy summary. The full notice and cookie policy carry the legal detail.

Read the full privacy notice →

Talk to us

Run diligence with us.

We'll walk your security and compliance team through the architecture, the data-flow, and the residency model — with the reference doc in hand.