Privacy policy

Last updated: 2026-05-16 — applies to the Lumauna platform (lumauna.app). Contact privacy@lumauna.app for any question.

1. Who we are

Lumauna is operated by Luma Una Ltd ("we", "us", "the controller"), a company registered in England and Wales. We act as the data controller for the Lumauna marketing site (lumauna.app) and as a data processor (or "service provider" / "operator", depending on the applicable law) for the data our tenants store on the platform — see "Tenant data" below.

2. Information we collect

• Account data — name, email, organisation, billing contact (provided when you sign up).
• Authentication data — handled by a managed identity provider listed at /sub-processors: email, identity-provider id, MFA status. We never see your password.
• Usage telemetry — page views, feature use, error logs. Used to improve the product. No third-party trackers; no marketing cookies.
• Tenant data— content uploaded by tenants to the platform (records relating to their leads, quotes, jobs, photos, customer details). Stored encrypted at rest. We process this as a processor on the tenant's instructions; the tenant is the controller.

3. Lawful basis / purposes

We rely on (a) contract / performance of a service for everything required to deliver the service you signed up for, (b) legitimate interests for product analytics + abuse prevention (where the applicable law permits), and (c) legal obligationwhere applicable (tax records, security incident notifications). For US residents whose state law uses "business purpose" framing, the equivalent purposes are service delivery, security, and legal compliance. We do not "sell" or "share" personal information for cross-context behavioural advertising (CCPA/CPRA).

4. Sub-processors

We use third-party processors to deliver Lumauna. The current list is at /sub-processors. We notify tenants of material additions in advance.

5. Data residency & international transfers

Tenant data and uploaded media are stored in the EU by default. Specific facilities used by our sub-processors are listed at /sub-processors. Where a sub-processor processes data outside your jurisdiction, we rely on the relevant transfer safeguards available at the time — including the UK International Data Transfer Agreement (IDTA), EU Standard Contractual Clauses (SCCs), the EU-US / UK-US Data Privacy Framework, ANPD international transfer mechanisms (Brazil), and equivalent contractual protections.

6. Retention

Tenant data is kept for the lifetime of the subscription plus 30 days for export. Audit logs and security telemetry are retained for 12 months. Backups roll on a window of approximately twelve months and expire automatically.

7. Your rights

Depending on where you live, you may have rights to access, rectify, delete, restrict, object to, port, or limit the use of your personal data. UK / EU residents (UK GDPR + EU GDPR), US residents (CCPA/CPRA + similar state laws), Brazilian residents (LGPD), and residents of other jurisdictions with comparable laws may exercise these rights by emailing privacy@lumauna.app. We respond within the timeframe set by the applicable law (within 30 days under UK/EU GDPR; within 45 days under CCPA, extendable per statute).

8. Additional rights for US residents

California, Virginia, Colorado, Connecticut, Utah, Texas, and other US state-law residents have specific rights including the right to know what categories of personal information we collect, the right to delete, the right to correct, and the right to opt-out of sale, sharing, or targeted advertising. We do not sell or share personal information for cross-context behavioural advertising. To exercise your rights, email the address above and verify your identity by responding from the email you signed up with.

9. Additional rights for Brazilian residents (LGPD)

Brazilian residents may request confirmation of processing, access, correction, anonymisation, blocking, deletion of unnecessary or non-compliant data, portability, information about sharing, and revocation of consent. The same email above applies.

10. AI / LLM use

Some features use third-party LLM providers listed at /sub-processors. Where enabled, the relevant prompt and context are sent to the chosen provider over an encrypted channel. No tenant data is used to train provider models. Tenants can disable any provider in Settings → LLM.

11. Children

Lumauna is a B2B platform not directed to children. We do not knowingly collect personal information from anyone under 16 (or the relevant age in your jurisdiction).

12. Cookies

Strictly-necessary cookies only: session cookie, CSRF cookie. No third-party trackers, no marketing pixels. See /cookies.

13. How to complain

You can complain to your local data-protection authority — for example, the ICO (UK), your national supervisory authority in the EU, your state Attorney General or applicable agency (US), or the ANPD (Brazil). Please email us first so we can try to resolve your concern directly.

14. Changes

Material changes are emailed to the billing contact at least 30 days before they take effect.