This is the plain-English version of how Lumio handles your data. We collect what we need to make the agent work, we store it securely, we don't sell it, and you can delete it whenever you want. The detail is below.
Lumio Labs is a software company based in Ottawa, Ontario, Canada. We build an AI agent for small businesses that handles email, drafts replies, raises invoices, and keeps a pipeline current. In this policy, "we", "us", and "Lumio" refer to Lumio Labs. "You" refers to the person or business using our service.
If you have a question about anything in this policy, the fastest way to reach us is lumiolabagent@gmail.com.
We collect different kinds of data for different reasons. Here's the full list — nothing is collected that isn't listed here.
When you sign up, we collect your name, email address, business name, and password (hashed — we never see the plain text). If you choose the Teams plan, we also collect basic information about your team members as you add them.
Subscription billing is handled by Stripe. Your card number, CVV, and billing address go directly to Stripe — they never touch our servers. We store only the Stripe customer ID, the plan you're on, your subscription status, and the last 4 digits of your card so you can recognize it.
To do its job, Lumio connects to your inbox via OAuth — the standard authorization flow Google and Microsoft offer. We never see or store your email password. Instead, we receive an access token that lets us read and send mail on your behalf.
Anything you upload to Lumio — knowledge-base documents, invoice templates, employee records, contact lists — is stored on your behalf to make the agent better at understanding your business.
We log technical information needed to keep the service running and secure: IP addresses, browser type, pages visited, error logs, and API request timestamps. These are retained for up to 90 days and used for debugging, security monitoring, and billing reconciliation.
We use the data above for exactly these purposes, and no others:
To deliver the service, we rely on a small set of trusted infrastructure providers. They process data on our behalf and are contractually bound to handle it according to this policy.
We will also disclose information if required by law, court order, or to protect the safety of users or the public. We will tell you about such requests when we are legally allowed to.
Most of your data is stored on servers in the United States (Supabase, Anthropic, Stripe, Render are all US companies operating US infrastructure). By using Lumio, you understand that your data will be transferred to and processed in the United States, which may have different data protection laws than your country.
If you're in the European Union, the United Kingdom, or another jurisdiction with cross-border transfer restrictions, this transfer happens under Standard Contractual Clauses with each provider.
You can request immediate deletion of your account and all associated data at any time (see section 8). We'll honor it within 30 days, except where we're legally required to keep specific records longer.
We take security seriously and use industry-standard practices:
Honest disclosure: no system is 100% secure. If a breach affecting your data ever happens, we will notify you within 72 hours of discovering it, as required by applicable law.
You have rights over your personal data. These rights apply globally, with extra specifics for certain regions.
You can request access to your personal information held by us, ask us to correct inaccuracies, and file a complaint with the Office of the Privacy Commissioner of Canada if you believe we've mishandled your data.
In addition to the rights above, you have the right to restrict processing of your data, object to processing for specific purposes, and lodge a complaint with your local data protection authority.
You have the right to know what categories of personal information we collect, to opt out of "sale" of personal information (we don't sell), and to not be discriminated against for exercising your rights.
To exercise any of these rights, email lumiolabagent@gmail.com from the address on your account. We'll respond within 30 days.
We use only the cookies we need to make the service work — primarily a session cookie that keeps you logged in, and a CSRF token for security. We don't use third-party advertising cookies. We don't run analytics that follow you around the web.
Lumio is a business tool. It's not intended for anyone under 18, and we don't knowingly collect data from minors. If you believe a minor has signed up, email us and we'll delete the account.
If we make a material change to this policy — meaning a change that affects what we collect, how we use it, or who we share it with — we'll notify you by email at least 30 days before the change takes effect. Minor clarifications (typo fixes, restructuring) will just update the "Last updated" date at the top.
For any privacy question, request, or concern, email lumiolabagent@gmail.com. We read every message and respond within 5 business days.
Mailing address available on request.