Privacy Policy

This Privacy Policy describes how Lumy Studio, Inc. ("Lumy," "we," "us," or "our") collects, uses, discloses, and protects information about visitors to this website at lumy.ai and any subdomains we operate (together, the "Site"). It also explains your rights with respect to that information and the choices you have.

We have written this policy in plain language because we believe people who visit our site should be able to understand what happens with their information without translating legalese. Where specific regulations require precise wording — notably the EU and UK General Data Protection Regulation ("GDPR" and "UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and similar laws in other jurisdictions — we have used the required language and noted it where it differs from the plainer wording.

This policy is organised as follows: who we are and how to reach us; the categories of information we collect and how we collect it; what we do with it; who we share it with; how long we keep it; the rights you have; how we protect the information; and finally how we deal with changes, complaints, and contact.

If you have questions about anything in this policy, email us at privacy@lumy.ai.

For the purposes of the GDPR, UK GDPR, and equivalent laws in other jurisdictions, Lumy Studio, Inc. is the "data controller" of the personal data collected through this Site. This means we determine the purposes and means of processing.

Our full contact details — including a postal address for written correspondence — are listed in the Contact section at the bottom of this policy.

We do not currently employ a dedicated Data Protection Officer ("DPO"). Privacy inquiries should be directed to privacy@lumy.ai and will be handled by a member of our team who is responsible for privacy matters. If a DPO is appointed in the future, we will update this policy with contact details.

If you are in the EEA or the UK and you would like to contact us via a representative, we will arrange one on request via privacy@lumy.ai.

Where the following terms are used in this policy, they have the meanings set out below:

We collect information about you in two ways: directly from you when you provide it, and automatically when you interact with the Site. We do not buy personal data about visitors from third-party data brokers.

For the purposes of the CCPA/CPRA, the categories of personal information we collect are limited to:

We collect personal information from the following sources:

At this time, this website does not set advertising cookies, set analytics cookies, or use third-party tracking pixels. The only categories of cookies or similar technologies in use are strictly necessary.

Strictly necessary technologies are those without which the Site cannot function. Currently, we use:

Some browsers send "Do Not Track" ("DNT") signals. Because there is no industry consensus on how DNT should be interpreted and we do not engage in tracking that DNT was designed to prevent, we do not currently respond to DNT signals.

We do, however, treat opt-out signals from the Global Privacy Control ("GPC") as a valid request to opt out of any future sale or sharing of personal information for cross-context behavioural advertising — should we ever introduce such activities (which, as noted below, we currently do not).

We use the information we collect for a narrow set of purposes related to operating the Site, communicating with you, and protecting both our visitors and the Site itself. Specifically:

If you are in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with similar laws, we rely on one or more of the following legal bases when we process your personal data. The basis depends on the purpose:

We share information sparingly. We do not sell personal information, and we do not disclose it to third parties for their own marketing purposes. We share information only with the following categories of recipients, and only as needed:

We rely on a small number of sub-processors to operate the Site. These include providers for web hosting and edge delivery, transactional email delivery, and error monitoring. Each provider is subject to a written agreement that includes data-protection terms and a commitment to apply at least the same standard of protection that we apply.

On written request, we can provide the names of the sub-processors we currently use. Email privacy@lumy.ai and we will send a current list.

We do not "sell" personal information, and we do not "share" personal information for cross-context behavioural advertising as those terms are defined by the California Consumer Privacy Act (as amended by the CPRA). We have not done so in the preceding twelve months and we have no intention of doing so.

If we ever change this — for example, if we adopt analytics that involve disclosing personal information to third parties for their own purposes — we will update this policy, provide a clear opt-out, and honour signals such as Global Privacy Control where applicable.

Our service providers are located in various countries, including jurisdictions outside the country where you reside. If you submit information to us, that information may be transferred internationally for the purposes described in this policy.

Where transfers from the EEA, the UK, or Switzerland are involved, we rely on the safeguards required by applicable law. These currently include:

We retain personal data only for as long as we need it for the purposes described in this policy or as required by law. In general:

Depending on where you live, you may have some or all of the following rights with respect to your personal data. Where multiple laws apply, the more protective standard prevails.

Email privacy@lumy.ai from the address you used when you contacted us (or that we have on file for you) and describe what you would like us to do. Include enough information that we can identify the records you are asking about and confirm your identity.

We respond within the timeframe required by applicable law. For GDPR / UK GDPR requests, this is generally one month, extendable by two further months for particularly complex or numerous requests; we will tell you within one month if an extension is needed. For CCPA/CPRA requests, the response window is generally 45 days, extendable once by 45 days.

We may need to verify your identity before fulfilling certain requests, particularly access, deletion, and correction. We will use information already in our records to do so where possible, and ask for additional information only where strictly necessary.

Exercising any right is free. If a request is manifestly unfounded or excessive (for example, repetitive), we may charge a reasonable fee or refuse to act on it, in which case we will explain why and how you can appeal.

California residents may use an authorised agent to submit a rights request on their behalf. The agent must provide proof of authorisation (for example, a signed permission from you, or a valid power of attorney). We may also contact you directly to confirm that you authorised the request.

We will not deny you services, charge you different prices, provide you with a lesser quality of service, or otherwise discriminate against you for exercising any of the rights described in this policy. Nothing in this policy is intended to limit your rights.

We do not collect or process "sensitive personal information" as that term is defined by the CCPA/CPRA (for example, government identifiers, precise geolocation, race, ethnicity, religion, union membership, biometric data, or health data) through the Site. If we ever begin to, we will update this policy, give notice at collection, and provide the right to limit such use as required by law.

We do not use your personal data to make decisions about you that produce legal effects or similarly significant effects through solely automated means. We do not profile visitors for marketing, scoring, or any other purpose.

We take reasonable technical and organisational measures to protect personal data against loss, misuse, unauthorised access, alteration, and disclosure. These measures include:

Despite our efforts, no system is completely secure. If we become aware of a personal data breach that poses a risk to your rights and freedoms, we will notify the appropriate supervisory authorities within the timeframe required by applicable law (generally 72 hours under the GDPR/UK GDPR) and, where the breach is likely to result in a high risk to you, we will notify you directly without undue delay.

Our notifications will describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, the measures we have taken in response, and how to contact us for further information.

This Site is intended for adults. It is not directed at children and we do not knowingly collect personal information from individuals under the age of 16 (or under 13 in the United States for the purposes of the Children's Online Privacy Protection Act, "COPPA").

If you believe that a child has provided us with personal information, please contact us at privacy@lumy.ai and we will take steps to delete it. If we discover that we have collected personal information from a child without verified parental consent, we will delete that information promptly.

The Site may contain links to third-party websites, services, or social-media properties that we do not control. We are not responsible for the privacy practices of those services. Their privacy notices govern the information they collect from you, and we encourage you to read them before submitting any information.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.

When we make any change, we update the "Last updated" date at the bottom of this page. Where the changes are material (for example, a new purpose of processing, a new category of recipient, or a change to the legal bases on which we rely), we will provide more prominent notice — for example, by adding a banner to the Site, sending an email to people we have corresponded with, or, where the change involves processing based on consent, asking for consent again.

We encourage you to review this policy periodically so you remain aware of how we handle your information.

If you are concerned about how we have handled your personal data, please contact us first at privacy@lumy.ai so we have an opportunity to address your concerns directly.

You also have the right to lodge a complaint with a data-protection authority. In the EEA, contact the supervisory authority in your country of residence. In the UK, contact the Information Commissioner's Office (ico.org.uk). In California, contact the California Privacy Protection Agency. Other jurisdictions have their own regulators — contact your local one if you are unsure.

If you have any questions about this Privacy Policy, the way we handle your personal data, or you would like to exercise any of the rights described above, please contact us: