Lumio

Legal

Privacy Policy

Last updated: January 2025 · Lumio Ltd

1. Who we are

Lumio Ltd (“Lumio”, “we”, “us”) is a company registered in England and Wales. We are the data controller for personal data collected through lumiocms.com and app.lumiocms.com. We are registered with the Information Commissioner's Office (ICO) as a data controller.

Contact: privacy@lumiocms.com

2. What data we collect

  • Account data: name, work email address, company name
  • Usage data: pages visited, features used, session duration (anonymised)
  • Technical data: IP address (hashed), browser type, device type
  • Communications: emails you send to us, support tickets
  • Payment data: processed by Stripe — we do not store card details

3. How we use your data

Contract (Article 6(1)(b))
To provide, maintain, and improve the Lumio service
Consent (Article 6(1)(a))
To send marketing emails (only where you have opted in)
Legitimate interests (Article 6(1)(f))
To detect fraud, ensure security, and improve product features
Legal obligation (Article 6(1)(c))
To comply with UK law, tax obligations, and respond to legal requests

4. AI processing (Anthropic)

Lumio uses Anthropic's Claude API to power AI automation features. When you use AI-powered workflows, data from those workflows may be temporarily processed by Anthropic's servers in the USA. This transfer is covered by Anthropic's Data Processing Agreement and UK GDPR Article 46 safeguards (Standard Contractual Clauses). Anthropic does not retain or train on your data.

5. Data storage and retention

  • All primary data is stored in the UK (AWS eu-west-2, London)
  • Demo workspace data is deleted automatically after 14 days
  • Account data is retained for the duration of your subscription plus 30 days
  • Anonymised analytics data may be retained for up to 2 years

6. Sub-processors

ProcessorPurposeLocation
Supabase / AWSDatabase and authenticationUK (eu-west-2)
VercelApplication hostingEU
AnthropicAI processing (Claude API)USA (SCCs applied)
ResendTransactional emailUSA (SCCs applied)
StripePayment processingUSA (SCCs applied)

7. Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you (Article 15)
  • Have inaccurate data corrected (Article 16)
  • Have your data erased in certain circumstances (Article 17)
  • Restrict processing of your data (Article 18)
  • Receive your data in a portable format (Article 20)
  • Object to processing based on legitimate interests (Article 21)
  • Withdraw consent at any time (where processing is based on consent)

To exercise any of these rights, use our data request form or email privacy@lumiocms.com. We will respond within 30 calendar days.

You also have the right to lodge a complaint with the ICO: ico.org.uk

8. Cookies

We use essential cookies for authentication and security, and optional analytics cookies. See our Cookie Policy for full details.

9. Changes to this policy

We may update this policy from time to time. We will notify you of significant changes by email. The “last updated” date at the top of this page always shows when it was last revised.

Lumio Ltd · privacy@lumiocms.com · Registered in England and Wales

Registered with the Information Commissioner's Office (ICO)