On-device by design
The AI reads driving signals where they are created. Raw personal data never has to leave the driver's hardware.
Trust & Privacy
Analysis happens on the device. What reaches our servers is encrypted with keys only you hold. LUTYO is cryptographically blind to your drivers' data — not a policy promise, an architectural fact.
01 — The principle
Three properties hold together. Each is built into how the system works, so none depends on us behaving well.
The AI reads driving signals where they are created. Raw personal data never has to leave the driver's hardware.
Your data is encrypted with keys only you hold. No LUTYO key sits in the loop, so LUTYO cannot decrypt it.
Behaviour signals are detached from identity before they reach the cloud. We see patterns, never people.
02 — How your key works
The key that decrypts your data is created on your side and stored only as ciphertext. You reach it three independent ways — none of which LUTYO can reproduce.
A biometric tap — Touch ID, Face ID, or a security key. The silent daily unlock.
Your everyday sign-in, filled by your password manager.
Any two of three shares rebuild the key — break-glass only, if you lose the rest.
LUTYO stores only the wrapped, encrypted key — never the key itself.See how it works →
03 — Anonymised by separation
Profiling happens on the device. Two things can leave it: anonymised signals with identity removed, and a behaviour profile encrypted to your key. Nothing else.
Raw signals and the on-device AI that reads them. Your behaviour profile is built here and encrypted to your key.
Only anonymised signals and encrypted data. LUTYO sees aggregated patterns, never a named person, and cannot decrypt what it holds.
Only anonymised signals and encrypted profiles ever cross the boundary.See the data-flow →
04 — Data residency
We run in the United Kingdom, United States, Canada, and the United Arab Emirates today, and add regions as we grow. Each customer lives in one region's isolated account, and data never crosses between them.
05 — Plain-English FAQ
No. It is encrypted with keys only you hold. No LUTYO key, IAM grant, or admin lever can decrypt it.
No. The platform is hardware-agnostic — a phone, a telematics unit, or the vehicle's own compute all work.
The key is rebuilt from a 2-of-3 recovery secret. A lost or stolen device never exposes data on its own.
In one region you choose — UK, US, Canada, or UAE — in an account isolated from every other customer. It does not cross regions.
Anonymised, aggregated network patterns. Never a named individual, never a driver's raw data.
An architectural fact. The design removes our ability to decrypt — there is nothing to promise not to do.
This page is our privacy summary. The full notice and cookie policy carry the legal detail.
Read the full privacy notice →Talk to us
We'll walk your security and compliance team through the architecture, the data-flow, and the residency model — with the reference doc in hand.