Legal
Privacy Policy
Last updated: June 2026 · Lumio Ltd
1. Who we are
Lumio Ltd (“Lumio”, “we”, “us”) is a company registered in England and Wales. We are the data controller for personal data collected through lumiocms.com and app.lumiocms.com. We are registered with the Information Commissioner's Office (ICO) as a data controller.
Contact: privacy@lumiocms.com
2. What data we collect
- Account data: name, work email address, company name
- Usage data: pages visited, features used, session duration (anonymised)
- Technical data: IP address (hashed), browser type, device type
- Communications: emails you send to us, support tickets
- Payment data: processed by Stripe — we do not store card details
3. How we use your data
4. AI processing (Anthropic)
Lumio uses Anthropic's Claude API to power AI automation features. When you use AI-powered workflows, data from those workflows may be temporarily processed by Anthropic's servers in the USA. This transfer is covered by Anthropic's Data Processing Agreement and UK GDPR Article 46 safeguards (Standard Contractual Clauses). Anthropic does not retain or train on your data.
5. Connected accounts (Google, Microsoft & Apple)
If you connect a Google, Microsoft or Apple account, we access your calendar and the ability to send email on your behalf solely to provide the features you switch on — two-way calendar sync and sending messages from your own address. We do not read the contents of your inbox.
Lumio's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: we use Google user data only to provide and improve the user-facing features you have enabled; we do not sell it; we do not use it for advertising or ad personalisation; we do not transfer it to others except as necessary to provide those features, for security, or to comply with law; and we do not allow humans to read it except with your consent, for security or abuse investigations, to comply with law, or where the data has been aggregated and anonymised.
You can disconnect a connected account at any time from your portal settings, which revokes Lumio's stored access. Connection tokens are held securely on our UK infrastructure, restricted to server-side processing, and are never exposed to your browser.
6. Data storage and retention
- Database, file storage, and authentication data are stored in the UK (Supabase, eu-west-2, London)
- Application servers and request logs are hosted in Germany (Hetzner, Nuremberg)
- Demo workspace data is deleted automatically after 14 days
- Account data is retained for the duration of your subscription plus 30 days
- Anonymised analytics data may be retained for up to 2 years
7. Sub-processors
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | UK (London, eu-west-2) |
| Hetzner Online GmbH | Application hosting and compute | Germany (Nuremberg) |
| Anthropic | AI processing (Claude API) | USA (SCCs applied) |
| Resend | Transactional email delivery | USA (SCCs applied) |
| Stripe | Payment processing | UK |
| ElevenLabs | Voice synthesis (text-to-speech) | USA (SCCs applied) |
| Google (Workspace SSO) | Authentication (sign-in with Google) | USA (SCCs applied) |
| Microsoft (Azure AD SSO) | Authentication (sign-in with Microsoft) | USA (SCCs applied) |
8. Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you (Article 15)
- Have inaccurate data corrected (Article 16)
- Have your data erased in certain circumstances (Article 17)
- Restrict processing of your data (Article 18)
- Receive your data in a portable format (Article 20)
- Object to processing based on legitimate interests (Article 21)
- Withdraw consent at any time (where processing is based on consent)
To exercise any of these rights, use our data request form or email privacy@lumiocms.com. We will respond within 30 calendar days.
You also have the right to lodge a complaint with the ICO: ico.org.uk
9. Cookies
We use essential cookies for authentication and security, and optional analytics cookies. See our Cookie Policy for full details.
10. Changes to this policy
We may update this policy from time to time. We will notify you of significant changes by email. The “last updated” date at the top of this page always shows when it was last revised.
Lumio Ltd · privacy@lumiocms.com · Registered in England and Wales
Registered with the Information Commissioner's Office (ICO)
