Lumioh

Privacy Policy

How Lumioh collects, uses, and protects your data. For questions or to exercise your privacy rights, email privacy@lumioh.com.

Version: 2.0
Effective Date: April 1, 2026
Last Updated: February 23, 2026

This Privacy Policy describes how Lumioh PTY LTD (ABN pending) ("Lumioh", "we", "us", or "our"), an Australian company, collects, uses, discloses, and protects your personal information when you use our services.

This policy applies to all Lumioh services, including our web applications, mobile applications, APIs, and related services (collectively, the "Services").

By using our Services, you agree to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree, please do not use our Services.

Quick Summary

• We collect data necessary to provide and improve Lumioh services

• Your workspace content belongs to you and is never used to train AI models

• We use industry-standard security measures to protect your data

• You have rights to access, correct, and delete your personal information

• We comply with Australian Privacy Principles (APPs), GDPR, and CCPA

Lumioh PTY LTD is the data controller responsible for your personal information.

Our registered office is located in Australia (address to be confirmed upon company registration).

Contact Information

• Privacy inquiries: privacy@lumioh.com

• Security issues: security@lumioh.com

• Data Protection Officer: dpo@lumioh.com

• Mailing address: [To be confirmed upon registration]

Identity Data

Name, email address, username, profile photo, and other identifiers you provide during account creation or profile updates.

Account & Authentication Data

Password (stored as cryptographic hash), multi-factor authentication settings, session tokens, login history, and authentication preferences.

Workspace Data

Workspace name, description, settings, team structure, organizational hierarchy, role assignments, and workspace-level preferences.

User-Generated Content

Tasks, projects, documents, contacts, contracts, notes, comments, attachments, and any other content you create, upload, or store within our Services.

Usage Data

Feature usage patterns, page views, actions taken, timestamps, navigation paths, search queries, and interaction with specific features.

Technical Data

IP address, browser type and version, device type, operating system, unique device identifiers, referring URLs, and access times.

Communication Data

Support tickets, email correspondence with our team, feedback submissions, and any other communications you send to us.

Payment Data

Billing name, address, and subscription tier. Actual payment details (credit card numbers, bank accounts) are processed and stored by our payment processor (Stripe) and are not accessible to Lumioh.

AI Interaction Data

Prompts you submit to AI features, AI-generated outputs, model selections, token usage, and AI feature configuration settings. This data is used solely for service delivery, security, and quality assurance—never for training foundation models.

We use your personal information for the following purposes:

• Service Delivery: To provide, maintain, and personalize Lumioh features and functionality

• Account Management: To create and manage your account, authenticate users, and handle subscriptions

• Workspace Collaboration: To enable team collaboration, task assignment, document sharing, and real-time features

• AI-Assisted Features: To provide AI-powered capabilities with permission-aware controls and audit logging

• Security & Fraud Prevention: To detect and prevent abuse, fraud, security threats, and unauthorized access

• Customer Support: To respond to inquiries, troubleshoot issues, and provide technical assistance

• Analytics & Improvement: To understand usage patterns, improve our Services, and develop new features

• Legal Compliance: To comply with applicable laws, regulations, and legal processes

• Marketing Communications: To send product updates, newsletters, and promotional materials (with your consent)

We use cookies and similar tracking technologies to provide and improve our Services. You can control cookie preferences through your browser settings.

Essential Cookies

Required for authentication, session management, security features, and core functionality. These cannot be disabled without affecting service operation.

Analytics Cookies

Used to track usage patterns, measure performance, and understand how users interact with our Services. These help us improve the product.

Preference Cookies

Store your settings such as theme (light/dark mode), language preferences, and display options.

Do Not Track Signals

We honor Do Not Track (DNT) signals for analytics cookies. Essential and preference cookies remain active to ensure service functionality.

We share your personal information only in the following circumstances:

Service Providers (Subprocessors)

We use trusted third-party service providers to operate our Services. All subprocessors are bound by data processing agreements (DPAs) and process data solely on our behalf:

• Hosting & Infrastructure: Supabase (database, authentication, storage) - United States, with data residency in Australia when available

• Cloud Computing: AWS/Google Cloud/Azure - Australian and global regions

• AI Services: OpenAI (United States), Anthropic (United States) - governed by strict DPAs; your content is not used for model training

• Payment Processing: Stripe (United States) - handles payment data per PCI DSS standards

• Email Delivery: Resend or similar service - for transactional emails and notifications

• Content Delivery: Cloudflare (global CDN) - for performance and DDoS protection

• Analytics: Privacy-focused analytics provider - for usage statistics and product insights

Legal Requirements

We may disclose personal information if required by law, court order, legal process, or to respond to lawful requests from public authorities, including to meet national security or law enforcement requirements.

Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred to the acquiring entity. We will notify you of any such change and provide you with choices regarding your data.

With Your Consent

We may share personal information for other purposes with your explicit consent or at your direction.

We Do Not Sell Your Data

Lumioh does not sell, rent, or trade personal information to third parties for their marketing purposes.

As an Australian company, our primary data storage is located in Australia. However, some of our service providers and subprocessors may process data in other jurisdictions, including the United States and European Union.

Cross-Border Transfer Mechanisms

When transferring personal information internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): Approved by the European Commission and Australian Information Commissioner

• Data Processing Agreements (DPAs): Binding contracts with all subprocessors requiring equivalent data protection

• Adequacy Decisions: Where applicable, we rely on adequacy determinations by relevant authorities

• EU-U.S. Data Privacy Framework: For transfers to certified U.S. organizations where applicable

Data Residency Controls

Enterprise customers may request data residency in specific regions, subject to infrastructure availability and additional fees.

We retain personal information for as long as necessary to provide our Services and fulfill the purposes described in this policy, unless a longer retention period is required by law.

Active Account Data

Retained while your account is active and for a reasonable period afterward to facilitate reactivation and comply with legal obligations.

Deleted Account Data

30-day soft delete period during which you can restore your account. After 30 days, all personal data is permanently deleted, except as required for legal, accounting, or security purposes.

Workspace Data

Retained according to workspace lifecycle. When a workspace is deleted, a 30-day recovery period applies before permanent deletion.

Audit Logs

Security and access logs are retained for 1-2 years for fraud prevention, security investigations, and compliance purposes.

Backups

System backups are maintained for disaster recovery and are purged on a 30-90 day rolling basis.

AI Interaction Logs

Prompts and outputs logged for security, quality assurance, and debugging are retained for up to 12 months unless deletion is specifically requested.

Legal Hold Exceptions

Data subject to legal hold, litigation, regulatory investigation, or other legal requirements may be retained longer as required by law.

Data Export & Deletion Requests

You can request export or deletion of your personal data at any time by contacting privacy@lumioh.com. We will respond within 30 days (or as required by applicable law).

No Training on Customer Data

We do not use your workspace content, prompts, or outputs to train foundation AI models. Your data is your data.

AI Model Providers

We use third-party AI services (OpenAI, Anthropic) governed by strict data processing agreements that prohibit use of your data for model training.

Prompt & Output Logging

AI interactions may be logged for security monitoring, quality assurance, debugging, and abuse prevention. Logs are retained according to our retention policy and can be purged upon request.

Sensitive Data Masking

Workspace administrators can configure sensitive data masking to redact personally identifiable information (PII) before sending data to AI models.

Permission-Aware AI

All AI-assisted actions respect role-based access control (RBAC) and user permissions. AI cannot access data you do not have permission to view.

Data Minimization

We send only the minimum necessary data to AI providers to fulfill your request. Full workspace content is never transmitted.

Third-Party AI Provider Policies

• OpenAI Privacy Policy: https://openai.com/privacy

• Anthropic Privacy Policy: https://www.anthropic.com/privacy

We implement industry-standard security measures to protect your personal information from unauthorized access, disclosure, alteration, and destruction.

Encryption

• Data in transit: TLS 1.3 encryption for all connections

• Data at rest: AES-256 encryption for database and file storage

Access Controls

• Role-Based Access Control (RBAC) with granular permissions

• Multi-Factor Authentication (MFA) available for all users

• Single Sign-On (SSO) and SCIM provisioning for Enterprise plans

Monitoring & Auditing

• Comprehensive audit logging of all data access and changes

• Real-time security monitoring and alerting

• Regular security assessments and penetration testing

Incident Response

• Dedicated incident response procedures and team

• Vulnerability disclosure program

• Security issues can be reported to security@lumioh.com

Employee Access

• Least-privilege access for Lumioh employees

• Background checks and confidentiality agreements

• Regular security training

Universal Rights

Regardless of your location, you have the following rights regarding your personal information:

• Access: Request a copy of the personal data we hold about you

• Correction: Correct inaccurate or incomplete personal data

• Deletion: Request deletion of your personal data (subject to legal exceptions)

• Export (Portability): Receive your data in a structured, machine-readable format

• Withdraw Consent: Withdraw consent for processing based on consent

• Object: Object to processing based on legitimate interests

• Complaint: Lodge a complaint with the relevant data protection authority

Australian Privacy Rights (APPs)

Under the Australian Privacy Act 1988 and Australian Privacy Principles (APPs), you have the right to:

• Access your personal information (APP 12)

• Correct your personal information (APP 13)

• Complain about a breach of the Australian Privacy Principles

• Lodge a complaint with the Office of the Australian Information Commissioner (OAIC): https://www.oaic.gov.au/privacy/privacy-complaints

GDPR Rights (EU/EEA/UK)

If you are located in the European Union, European Economic Area, or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR):

• Right to erasure ("right to be forgotten")

• Right to restrict processing

• Right to data portability

• Right to object to automated decision-making and profiling

• Right to lodge a complaint with your local Data Protection Authority (DPA)

• UK residents can contact the Information Commissioner's Office (ICO): https://ico.org.uk

CCPA/CPRA Rights (California)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know what personal information is collected, used, shared, or sold

• Right to know whether your personal information is sold or shared

• Right to opt out of the sale or sharing of personal information (note: Lumioh does not sell personal information)

• Right to delete personal information

• Right to correct inaccurate personal information

• Right to limit use and disclosure of sensitive personal information

• Right to non-discrimination for exercising your privacy rights

How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@lumioh.com with:

• Your full name and email address associated with your Lumioh account

• A description of your request

• Any relevant details to help us locate your information

We will respond to your request within:

• 30 days for Australian and GDPR requests

• 45 days for CCPA requests (with possible 45-day extension if necessary)

We may require identity verification before processing your request to protect your personal information from unauthorized access.

Lumioh is not intended for use by children under the age of 16 (or 13 in jurisdictions where the minimum age is 13, such as the United States under COPPA).

We do not knowingly collect personal information from children under these age limits. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information as soon as possible.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@lumioh.com so we can take appropriate action.

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we are committed to notifying affected users and relevant authorities in accordance with applicable laws.

Notification Timeframe

• GDPR (EU/EEA/UK): Within 72 hours to the relevant Data Protection Authority; without undue delay to affected individuals

• Australian Privacy Act: As soon as practicable to the OAIC and affected individuals when an eligible data breach occurs

• CCPA (California): Without unreasonable delay

Information Provided

Our breach notification will include:

• Description of the breach and affected data

• Likely consequences of the breach

• Measures taken to address the breach

• Recommendations for steps you can take to protect yourself

• Contact information for further inquiries

Prevention & Response

We maintain incident response procedures, conduct regular security assessments, and continuously monitor our systems to prevent and quickly detect potential breaches.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings.

Notification of Changes

• Material changes: We will notify you at least 30 days in advance via email and/or prominent notice within our Services

• Minor changes: We will update the "Last Updated" date at the top of this policy

• In-app notifications: You may receive in-app alerts about policy updates

Continued Use

By continuing to use our Services after the effective date of an updated Privacy Policy, you accept the changes. If you do not agree with the updated policy, you may delete your account.

Version History

Previous versions of this Privacy Policy are available upon request by contacting privacy@lumioh.com.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Lumioh PTY LTD

ABN: [To be confirmed upon registration]

Registered Address: [To be confirmed upon registration]

• Privacy inquiries: privacy@lumioh.com

• Security issues: security@lumioh.com

• Data Protection Officer: dpo@lumioh.com

For Australian Privacy Complaints:

Office of the Australian Information Commissioner (OAIC)

Website: https://www.oaic.gov.au

Phone: 1300 363 992

© 2026 Lumioh PTY LTD. All rights reserved. This Privacy Policy is governed by the laws of Australia and applicable international privacy regulations including GDPR and CCPA.