Lumae Privacy Policy

Effective Date: July 8, 2025

Last Updated: July 8, 2025

I. Introduction

This document constitutes the Privacy Policy ("Policy") for Alphabetasoup LLC, doing business as LUMAE and LUMAE.ai (Registered Address: 30202 52nd Ave NW, Stanwood, WA 98292 USA, hereinafter referred to as "Lumae," "we," "us," or "our"). This Policy outlines our practices concerning the collection, use, disclosure, protection, and processing of personal information belonging to users ("you," "your") of our website, applications, products, and services (collectively, the "Services").

The purpose of this Policy is to provide transparency regarding how Lumae handles your personal information, ensuring you are informed about our data practices.¹ This Policy applies to personal information collected through our online Services and may also apply to information collected offline, as specified herein.⁴ By using our Services, you acknowledge that you have read and understood this Privacy Policy. Where required by applicable law, we will obtain your consent for specific data processing activities.

Maintaining user trust is paramount, and this Policy aims to foster that trust by being clear, comprehensive, and compliant with applicable data protection laws.² It is designed to be read in conjunction with our Terms of Service, which provide additional context regarding your use of our Services.¹

For clarity, certain key terms used throughout this Policy are defined as follows:

• Personal Information (PI): Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples include names, email addresses, IP addresses, and commercial transaction records.⁵ The specific definition may vary slightly depending on the applicable law (e.g. CCPA/CPRA).
• Sensitive Personal Information (SPI) / Special Categories of Personal Data / Consumer Health Data: A subset of Personal Information subject to heightened protection under various laws. Definitions vary significantly by jurisdiction but may include data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for identification purposes, health data, data concerning sex life or sexual orientation, government identifiers (like SSN or driver's license number), account login credentials, precise geolocation, and contents of certain private communications.⁵ Washington's My Health My Data Act uses the term "Consumer Health Data," which has an exceptionally broad definition covering many types of health-related information and inferences.⁸
• Processing: Any operation or set of operations performed on personal information, such as collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, dissemination, erasure, or destruction.⁶
• Data Subject: The identified or identifiable natural person to whom personal information relates.³
• Controller: The entity that determines the purposes and means of processing personal information (Lumae is generally the Controller for user data).³
• Processor: An entity that processes personal information on behalf of the Controller.¹⁸
• Sell: Disclosing personal information to a third party for monetary or other valuable consideration (definition primarily relevant under CCPA/CPRA and WA MHMDA).¹
• Share: Disclosing personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration (definition primarily relevant under CCPA/CPRA).¹¹ WA MHMDA uses "share" more broadly to mean almost any disclosure to a third party or affiliate not acting as a processor.⁸
• Third Party: An entity other than the consumer, Lumae (the business/controller), or Lumae's service providers/processors.¹⁰

This Policy is effective as of the date first stated above and will be reviewed and updated periodically to reflect changes in our practices or applicable laws. We will notify you of significant changes as described in Section XIII.¹

II. User Responsibilities

Lumae uses artificial intelligence tools to assist mortgage professionals in evaluating borrower data and generating reports. These tools do not make lending decisions independently, and users retain full discretion and responsibility for all determinations.

Lumae provides tools and services that allow users to input, upload, or otherwise transmit information, including personal information of third parties such as borrowers, into the platform. You are solely responsible for the accuracy, legality, and appropriateness of all content and data you submit or upload.

By using the services, you represent and warrant that you have obtained all necessary rights, permissions, and consents to provide such data to Lumae, including any third-party personal information. You agree that Lumae shall not be responsible or liable for:

• any content uploaded or submitted by users;
• the accuracy or legality of such content;
• any claims arising from your failure to obtain appropriate consents or authorizations.

Lumae disclaims all liability related to user-submitted content and expressly disclaims any responsibility for compliance with laws or regulations applicable to such content.

III. What Information We Collect

Lumae provides business-to-business services and processes borrower information on behalf of our business customers (such as mortgage professionals). We do not collect personal information directly from consumers and act as a ‘service provider’ under applicable U.S. state privacy laws.

Lumae utilizes various categories of Personal Information to provide and improve our Services. Being exhaustive in listing the data collected is legally prudent, as omitting categories could lead to non-compliance with regulations like GDPR or CCPA/CPRA.¹ However, to enhance readability, we group the information into logical categories.¹⁰ The specific types of Personal Information we may collect include:

• Identifiers: Such as your real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, phone number, or other similar identifiers.¹
• Commercial Information: Records of products or services purchased, obtained, or considered, other purchasing or consuming histories or tendencies.⁷
• Internet or Other Electronic Network Activity Information: Including, but not limited to, browsing history, search history, and information regarding your interaction with our website, application, or advertisements. This may also include log file data such as IP addresses, browser type, Internet Service Provider (ISP), date and time stamps, referring/exit pages, and potentially the number of clicks.³
• Geolocation Data: We collect general location information inferred from your IP address. We do not collect precise geolocation data.
• Professional or Employment-Related Information: Standard business-to-business (B2B) and employee/contractor contact records (names, work emails, phone numbers, titles, etc.) are collected and covered by this policy.¹²
• Inferences Drawn from Other Personal Information: We may create profiles reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.⁷
• User-Generated Content: Information you voluntarily provide in public forums on our Services, such as product reviews or community posts, or content you upload to the Service (e.g., mortgage documents).³
• Payment Information: When you make a purchase, payment details are collected and processed directly by our third-party payment processor (e.g., Chargebee), which tokenizes the information. Lumae does not directly store full credit card numbers and only receives confirmation of payment and limited transaction details.

Sensitive Personal Information (SPI) / Special Categories / Consumer Health Data:

Recognizing and appropriately handling Sensitive Personal Information is critical due to the heightened legal obligations associated with it.¹ Lumae does not intentionally request or require the following categories of sensitive information: Government IDs (SSN, Driver's License, Passport), financial account logins, full card numbers with security codes, precise geolocation, race/ethnicity data (though it may appear in user-provided HMDA-related documents), contents of private communications not intended for us, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.

However, some sensitive information (such as Government IDs, race/ethnicity data, or potentially health-related information) might be present within documents you voluntarily upload to the Service (e.g., mortgage application forms like the Form 1003, supporting loan documentation). Any such data that appears incidentally within user-provided content is processed solely for the purpose of providing the requested Service functionality (e.g., analyzing the uploaded document). Lumae does not use this incidental sensitive data for any other purpose. Users may request the deletion of their uploaded documents and associated data at any time, subject to the retention terms outlined in Section VIII.

The potential applicability of the Washington My Health My Data Act (MHMDA) warrants special attention due to its broad definition of "consumer health data" and its reach.⁸ While Lumae does not intentionally collect Consumer Health Data, should such data be identified within user-uploaded documents, we will handle it according to MHMDA requirements, including obtaining specific consent if any collection, use, or sharing (beyond providing the core service requested by the user) were ever contemplated.⁸

The provision of most personal information is voluntary. However, choosing not to provide certain information may limit your ability to use some features of our Services.²⁰

IV. How We Collect Your Information

Lumae collects personal information through various methods, ensuring transparency about these processes ¹:

• Directly From You: We collect information that you voluntarily provide to us. This occurs when you:

• Create an account or register for our Services.⁴
• Fill out forms on our website or application (e.g., contact forms, order forms, survey responses).¹
• Make a purchase.²
• Upload documents or content to the Service.
• Communicate with us directly via email, phone, text message, or other channels.⁴ We will make it clear at the point of collection what information is being requested and why.⁴

• Automatically When You Use Our Services: We automatically collect certain information about your device and your interaction with our Services using various technologies:

• Log Files: Like most websites and online services, we gather certain information automatically and store it in log files. This information may include IP addresses, browser type, ISP, referring/exit pages, operating system, date/time stamps, and clickstream data. This data helps us analyze trends, administer the site, track user movements, and gather demographic information, but is generally not linked to other personally identifiable information.³
• Cookies and Similar Technologies: We use cookies (small text files stored on your device) and similar technologies for essential operations and analytics. Further details are provided in Section VI (Cookies and Similar Technologies).

• From Third-Party Sources: We do not receive personal information about users from third-party data brokers, marketing partners, or social media platforms. We utilize analytics services (Microsoft Azure Application Insights and optionally Google Analytics) to understand service usage, but these collect data about interactions with our Services, not data from external sources about you.

V. How and Why We Use Your Information (Legal Basis & Purpose)

Lumae collects and uses your personal information only for specific, explicit, and legitimate purposes. We are committed to the principles of Purpose Limitation and Data Minimization, meaning we only collect and use data that is necessary for the stated purposes and do not repurpose it without a valid legal basis or your consent.³ Collecting data "just in case" is not our practice.¹⁶ These principles require operational discipline, influencing our system design, internal processes, and employee training to ensure data is handled appropriately throughout its lifecycle.¹⁸

The specific purposes for which we use your information include:

• Providing and Operating Our Services: To deliver the core functionality of our website, applications, and products (including processing uploaded documents as requested), process transactions, fulfill orders, and manage your account.³ (Relevant Data Categories: Identifiers, Commercial Information, Payment Information, Internet Activity, User-Generated Content).
• Customer Service and Support: To respond to your inquiries, provide assistance, manage returns or cancellations, and address billing issues.⁴ (Relevant Data Categories: Identifiers, Commercial Information).
• Improving and Personalizing Services: To understand how users interact with our Services, analyze trends using aggregated or de-identified data where possible, troubleshoot issues, personalize your experience (e.g., remembering preferences), and enhance functionality.³ (Relevant Data Categories: Identifiers, Commercial Information, Internet Activity, Geolocation Data (coarse), Inferences).
• Communication: To send you service-related communications (e.g., order confirmations, account updates), respond to your requests, and, with your consent or where permitted by law, send marketing and promotional materials.³ You will have the option to opt-out of marketing communications. (Relevant Data Categories: Identifiers, Commercial Information).
• Security and Fraud Prevention: To maintain the security and integrity of our Services, detect and prevent fraudulent activity, and protect the rights and safety of Lumae and our users.⁴ (Relevant Data Categories: Identifiers, Commercial Information, Internet Activity).
• Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests. (Relevant Data Categories: Varies depending on the legal obligation).
• Developing New Offerings: To inform the development of new products, services, features, and functionality.⁴ (Relevant Data Categories: Identifiers, Commercial Information, Internet Activity, Inferences, User-Generated Content).
• Protecting Rights and Preventing Misuse: To protect our rights and your rights, and to meet our standards of business integrity.

Connecting the categories of data we collect (Section II) to the specific purposes for which we use them provides greater transparency, as required by laws like GDPR and CCPA/CPRA.¹ This internal mapping is also essential for effective data governance.⁹

Business or Commercial Purpose (CCPA/CPRA)

For individuals whose data processing is subject to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), we use your personal information for the business or commercial purposes described above. Our use of personal information is reasonably necessary and proportionate to achieve the operational purpose for which it was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected.¹⁰

VI. Sharing and Disclosure of Information

Lumae does not "sell" personal information, nor do we "share" personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA.¹ We do not use third-party advertising networks that track your activity across different websites.

Use and Disclosure of Sensitive Personal Information (SPI):

As stated in Section II, Lumae does not intentionally collect most categories of SPI. Where SPI may be incidentally present in user-uploaded documents (e.g., Government IDs, race/ethnicity data in mortgage forms), we process it only as necessary to provide the Service requested by the user. We do not use or disclose this incidental SPI for other purposes that would require offering a "Limit the Use of My Sensitive Personal Information" right under the CCPA/CPRA.⁵

Sharing/Selling under WA MHMDA:

Lumae does not intentionally collect, share, or sell "Consumer Health Data" as defined under the Washington My Health My Data Act. Should such data be identified within user-uploaded documents, we will not share or sell it without obtaining the specific consent or valid authorization required by MHMDA.⁸

Disclosure for Business Purposes:

Lumae may disclose your personal information to third parties for legitimate business purposes, consistent with the reasons it was collected. These disclosures are not considered "sales" or "sharing." Categories of recipients include:

• Service Providers/Processors: We engage third-party companies and individuals to perform functions on our behalf, such as payment processing (Chargebee), data analysis (Microsoft Azure Application Insights, optionally Google Analytics), hosting services (Amazon Web Services), LLM processing (Microsoft Azure OpenAI Service), customer service, and IT support.¹⁰ These service providers act as Service Providers/Contractors under CCPA/CPRA. We have contractual agreements (Data Processing Agreements or DPAs) in place with these parties that require them to protect your personal information, use it only for the specific services they provide to us, and comply with applicable data protection laws.¹⁶ Microsoft Azure OpenAI Service does not use customer data submitted to the service to train its models. The presence and enforcement of these contracts are critical for compliance and risk management.¹⁶ These third parties are contractually obligated to use the information solely to provide services to Lumae.
• Affiliates and Subsidiaries: We may share information within our corporate group, provided such sharing is consistent with this Policy and applicable law.⁵ Note that under WA MHMDA, affiliates are treated as third parties requiring consent for sharing unless they function strictly as processors under contract.¹⁴
• Legal and Regulatory Requirements: We may disclose your information if required to do so by law, regulation, court order, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
• Corporate Transactions: In the event of a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your personal information may be transferred as part of that transaction, subject to confidentiality agreements and compliance with legal requirements.¹⁰
• Social Media: We have a presence on various social media outlets in an effort to connect with both current and potential customers. Your activity on third-party websites is governed by the security, policies and terms of use of each third-party website, which Lumae does not control. You should review the privacy policies of the third-party website before using it and ensure you understand how your information may be used before providing it. The information posted on or directed to Lumae social media profiles is generally available to the public. To protect your privacy, do not include sensitive personal information or any other information you want to keep private in your social media activity, comments, or responses. Any information shared on Lumae’s social media pages may be archived independently on, and retention of such information is governed by, the third-party website.

In compliance with CCPA/CPRA, we maintain records of the categories of personal information disclosed for a business purpose in the preceding 12 months.¹⁰

Advertising Partners: We do not share personal information with third-party advertising partners for targeted advertising purposes.

VII. Cookies and Similar Technologies

Lumae utilizes cookies and similar technologies, such as log files and scripts, on our Services. This section provides details on our use of these technologies.

What are Cookies? Cookies are small text files stored on your computer or mobile device when you visit a website. They enable the website to remember your actions and preferences over time.²

How We Use Cookies and Similar Technologies: We use these technologies for the following purposes:

• Essential Operations: Some cookies are strictly necessary for the technical operation of our Services, such as maintaining your login session (authentication) and ensuring website security. These cannot be disabled.
• Performance and Analytics: We use first-party analytics cookies (via Microsoft Azure Application Insights and optionally Google Analytics) to collect information about how you interact with our Services (e.g., pages visited, time spent). This helps us understand usage patterns, improve performance, and optimize our Services.³ This data is used for internal purposes only and is not shared with third parties for cross-site tracking or advertising.

We do not use cookies for third-party targeted advertising or cross-site tracking.

Your Choices Regarding Cookies:

• Browser Settings: Most web browsers allow you to control cookies through their settings preferences. You can typically set your browser to refuse some or all cookies or to indicate when a cookie is being sent. However, please note that disabling essential cookies may impact the functionality of our Services.²⁰
• Analytics Opt-Out: You may be able to opt-out of Google Analytics tracking by using Google's opt-out tools, if you choose to enable this optional analytics service.

Since we only use essential and first-party analytics cookies and do not engage in cross-site tracking or sharing/selling of data via cookies, complex cookie consent banners or "Do Not Sell/Share" mechanisms specifically for cookies are not currently necessary for our US-focused service.

VIII. Data Security

Lumae is committed to protecting the security of your personal information.² We implement and maintain reasonable administrative, technical, and physical security measures designed to safeguard the personal information we process against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.¹ Data security is not merely a best practice but a legal requirement under regulations like GDPR (Article 32), CCPA/CPRA, and WA MHMDA.⁶ Failure to maintain reasonable security can lead to significant liability, including potential private rights of action for data breaches under laws like the CCPA/CPRA.⁷

Our security measures include, but are not limited to:

• Technical Measures:

• Encryption: Using encryption technologies (such as Transport Layer Security (TLS) for data in transit and appropriate encryption for data at rest) to protect sensitive information.²
• Access Controls: Implementing technical controls to limit access to personal information to authorized personnel based on job function (role-based access control, principle of least privilege).⁸
• Network Security: Utilizing firewalls, intrusion detection/prevention systems, and other network security tools provided by our hosting partners (AWS, Azure).
• System Monitoring & Patching: Regularly monitoring systems for vulnerabilities and applying security patches and updates in a timely manner.²⁶
• Pseudonymization: Employing pseudonymization techniques where appropriate to reduce the linkability of data to individuals.⁶
• Secure Development Practices: Incorporating security considerations into our software development lifecycle.

• Organizational Measures:

• Policies and Procedures: Maintaining internal policies and procedures governing data handling, security, and incident response.¹⁸
• Employee Training: Providing training to employees on data privacy and security best practices.¹⁸
• Vendor Security Management: Assessing the security practices of third-party vendors (like AWS, Azure, Chargebee) who handle personal information on our behalf and requiring contractual security commitments (DPAs).²⁴
• Audits and Assessments: Conducting periodic security reviews and risk assessments to identify and address potential vulnerabilities.¹¹
• Incident Response Plan: Having a plan in place to detect, respond to, and mitigate the impact of data security incidents.¹⁶

• Physical Measures: Relying on the robust physical security controls implemented by our infrastructure providers (AWS, Azure) for their data centers.

While we strive to use commercially acceptable means to protect your personal information, it is important to understand that no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security. We aim to provide a level of detail in this policy that demonstrates our commitment to robust security practices without revealing specifics that could compromise those measures.²

IX. Data Retention

Lumae retains personal information for as long as necessary to (i) fulfil the purposes described in this Privacy Policy, (ii) comply with legal obligations, (iii) resolve disputes, and (iv) enforce our agreements. Retention periods are reassessed periodically, and users may request deletion of their data at any time, subject to legal or contractual exceptions.³

This practice adheres to the principle of Storage Limitation reflected in the data minimization principles of CPRA.⁶ Retaining data indefinitely or "just in case" is generally prohibited unless required by law.¹⁶

To determine the appropriate retention period for personal information, we consider:

• The amount, nature, and sensitivity of the personal information (including any incidental SPI in uploaded documents).
• The potential risk of harm from unauthorized use or disclosure of the information.
• The purposes for which we process the personal information and whether we can achieve those purposes through other means.
• The duration of our relationship with you (e.g., while you maintain an active account).
• Applicable legal, regulatory, tax, accounting, or other requirements that may mandate specific retention periods (e.g., financial records, audit trails).
• The need to resolve disputes, enforce our agreements, or establish or defend legal claims.

We retain personal information submitted to our services for a period of six (6) months to allow for reuse and customer access. After this time, information is deleted unless retention is required by law or contract.

Documenting the rationale for retention periods is part of our accountability obligations.⁶ Once personal information is no longer necessary for the purposes for which it was collected, we will securely delete or anonymize it in accordance with our data retention policies and applicable law.¹⁸ Operationalizing data retention requires defined policies, procedures, and technical mechanisms for data disposal.¹⁸

X. Your Privacy Rights

Depending on your jurisdiction of residence and the applicable data protection laws, you have certain rights regarding your personal information. Lumae is committed to facilitating the exercise of these rights. Key rights may include:

• Right to Know / Access: The right to confirm whether we process your personal information and to access details about the processing, including the categories and specific pieces of personal information collected, the sources, the purposes of processing, and the categories of third parties with whom data is disclosed.¹
• Right to Rectification / Correction: The right to request correction of inaccurate personal information we hold about you.⁵
• Right to Erasure / Deletion: The right to request the deletion of your personal information, subject to certain exceptions (e.g., information needed to complete a transaction, comply with legal obligations, or for security purposes).¹
• Right to Opt-Out of Sale / Sharing / Targeted Advertising: As Lumae does not currently "sell" or "share" personal information for cross-context behavioral advertising or engage in targeted advertising as defined by various state laws, an opt-out mechanism is not required at this time.¹ Should our practices change, we will update this policy and provide the necessary opt-out tools.
• Right to Limit Use and Disclosure of Sensitive Personal Information (SPI): As Lumae does not use or disclose incidentally collected SPI for purposes beyond providing the requested service, a specific mechanism to limit use/disclosure is not required under CCPA/CPRA at this time.⁵ For WA MHMDA, consent would be required for uses beyond the requested service.
• Right to Data Portability: The right to receive a copy of your personal information in a structured, commonly used, and machine-readable format, and potentially to have it transmitted directly to another controller where technically feasible.⁵
• Right to Object: The right to object to processing based on legitimate interests or for direct marketing purposes.⁶
• Right to Restrict Processing: The right to request the restriction of processing under certain circumstances (e.g., while accuracy is contested).⁶
• Right to Withdraw Consent: Where processing is based on consent (e.g., for marketing emails), you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.³
• Rights Related to Automated Decision-Making and Profiling: The right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects on you, subject to exceptions. You may also have the right to obtain information about such processing.⁵
• Right to Non-Discrimination / Retaliation: The right not to be discriminated against for exercising your privacy rights (e.g., by denying goods or services, charging different prices, or providing a different level of quality).¹

The specific rights available to you, and any exceptions, depend on the laws applicable in your jurisdiction. The patchwork of US state privacy laws continues to evolve.²¹

Table: Summary of Your Key Privacy Rights (as applicable to Lumae's current practices)

Note: This table provides a simplified overview based on Lumae's current data practices. Specific details, definitions, and exceptions vary by law. "N/A" indicates the concept is addressed differently or not applicable to current operations.

Successfully fulfilling these rights requires Lumae to maintain robust internal Data Subject Access Request (DSAR) processes. This involves having mechanisms to receive requests, verify identity, locate data across potentially disparate systems, execute the requested action (access, deletion, correction), track the process, and respond within legally mandated timeframes.¹

XI. How to Exercise Your Rights

To exercise any of the privacy rights described above, please submit a verifiable request to us via email ¹:

• Email: support@lumae.ai (Please include "Privacy Request" in the subject line)

We currently do not offer a web form or toll-free number for these requests.

Information Needed for Your Request: Please include sufficient information in your request to allow us to reasonably verify you are the person about whom we collected personal information or an authorized representative. Please also describe your request with sufficient detail to allow us to properly understand, evaluate, and respond to it.

Verification Process: We need to verify your identity before processing most requests to protect your privacy and prevent fraudulent requests.¹¹ The verification process will depend on the nature and sensitivity of your request. We may ask you to provide additional information to confirm your identity, such as confirming details associated with your account or responding to an email sent to the address on file. We aim to make this process reasonable and proportionate.¹¹

Response Timing and Format: We will endeavor to acknowledge receipt of your request within 10 business days (for CCPA/CPRA requests) and respond substantively within the timeframe required by applicable law (e.g., 45 days for CCPA/CPRA, potentially extendable by another 45 days with notice).¹¹ For WA MHMDA deletion requests concerning Consumer Health Data (if applicable), the timeframe is generally 30 days from authentication.⁸ If we require more time, we will inform you of the reason and extension period in writing. Our response will be provided in a format that is readily usable, and requests are generally free of charge.⁶

Appeals: If we deny your request, we will explain the reasons for the denial. Some state laws provide a right to appeal our decision. If applicable, our denial notice will include instructions on how to submit an appeal.

Authorized Agents: You may designate an authorized agent to make a request on your behalf under certain laws like the CCPA/CPRA. We will require proof that you have provided the authorized agent with signed permission to act on your behalf, and we may also require you to verify your own identity directly with us, unless the agent provides power of attorney.

Data Processing Addendum (DPA): If you are a business customer using Lumae’s services to process personal information of third parties—such as borrowers—you acknowledge and agree that Lumae acts as a service provider under applicable U.S. state privacy laws and processes such information solely on your behalf and in accordance with your instructions.

Our obligations as a service provider are further detailed in our Data Processing Addendum (DPA), which is hereby incorporated by reference into our agreements with business customers. The DPA outlines our data handling practices, security measures, and commitments regarding consumer rights under applicable privacy laws.

To request a copy of our DPA or to execute one as part of your agreement with Lumae, please contact us at [support@lumae.ai], with Subject Heading “Data Processing Addendum,” or your customer success representative.

XII. Children's Privacy

Lumae's Services are directed to U.S. mortgage professionals and are not intended for children under the age of 16. We do not knowingly collect personal information from children under 16.²

• COPPA (Children Under 13): Our Services are not directed to children under 13, and we do not knowingly collect personal information from them. If we were to do so, we would comply with the Children's Online Privacy Protection Act (COPPA).⁵
• CCPA/CPRA (Children Under 16): We do not "sell" or "share" personal information. If we have actual knowledge that a user is under 16, we would not sell or share their information without the affirmative opt-in consent required by law (from the consumer if 13-16, or from a parent/guardian if under 13).¹¹
• Other Jurisdictions: We comply with applicable laws regarding children's data in other jurisdictions if relevant.

If you are a parent or guardian and believe we may have collected personal information from your child under 16 without required consent, please contact us at support@lumae.ai. If we learn that we have collected personal information from a child under 16 without necessary consent, we will take steps to delete that information promptly.

XIII. International Data Transfers

Lumae's primary operations and target market are within the United States. Our website and application hosting infrastructure (Amazon Web Services - AWS) is located in the US-West region. Our LLM processing (Microsoft Azure OpenAI Service) utilizes U.S. datacenters.

We do not routinely transfer personal information outside of the United States. However, should we ever process personal data originating from the European Economic Area (EEA), UK, or Switzerland, we would ensure such transfers comply with applicable data protection laws. For transfers to the United States, Lumae would rely on appropriate safeguards such as the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the DPF, the Swiss-U.S. DPF, and/or the Standard Contractual Clauses (SCCs) adopted by the relevant authorities, potentially supplemented by Transfer Impact Assessments (TIAs) as necessary.³

Regardless of where your information is processed, we apply the protections described in this Privacy Policy.

XIV. Changes to This Privacy Policy

Lumae reserves the right to amend this Privacy Policy at any time to reflect changes in the law, our data collection and use practices, the features of our Services, or advances in technology.¹ The privacy landscape is constantly evolving.¹¹ Therefore, maintaining an up-to-date policy is essential for compliance.¹

We will make the revised Privacy Policy accessible through our Services, and we will update the "Last Updated" date at the top of this Policy. If we make material changes to this Policy, we will provide you with notice as required by applicable law, which may include posting a notice on our website or sending an email notification to the address associated with your account.⁵ We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting the personal information we collect. Your continued use of our Services after the revised Policy has become effective indicates that you have read, understood, and agreed to the current version of the Policy.

XV. Contact Information

If you have any questions, comments, or concerns about this Privacy Policy or our data practices, or if you wish to exercise your privacy rights, please contact us ¹:

Alphabetasoup LLC (d/b/a Lumae / Lumae.ai)

Attn: Privacy Inquiry

30202 52nd Ave NW

Stanwood, WA 98292 USA

Email: support@lumae.ai (Please include "Privacy" in the subject line for inquiries)

XVI. Jurisdiction-Specific Information (Addendum)

This addendum provides additional information required under specific data protection laws.

A. California Residents (CCPA/CPRA)

This section supplements the information contained in the main policy and applies solely to residents of California.

• Your Rights: As detailed in Section IX, you have the rights to Know, Delete, and Correct your personal information. As Lumae does not currently "sell" or "share" personal information or use/disclose sensitive personal information beyond providing the service, the rights to Opt-Out of Sale/Sharing and Limit the Use of SPI are not applicable at this time. You also have the right to non-discrimination for exercising your rights.
• How to Exercise Rights: Please refer to Section X for the method to submit requests (email to support@lumae.ai).
• Verification: We will verify your request as described in Section X.
• Authorized Agents: You may designate an authorized agent as described in Section X.
• Sensitive Personal Information: We do not intentionally collect most categories of SPI. Where SPI (e.g., government IDs, race/ethnicity) may be present in documents you upload, we process it only as necessary to provide the service and do not use it for purposes requiring a "Limit Use" opt-out.
• Business and Employee Data: This policy covers personal information collected in the B2B and employment/contractor context, consistent with CPRA requirements.
• "Shine the Light" Law: California Civil Code Section 1798.83 permits California residents to request certain information regarding our disclosure (if any) of personal information to third parties for their direct marketing purposes. As we do not engage in such disclosures, this is not applicable.
• Reporting Metrics: Lumae is currently below the statutory thresholds requiring annual public reporting on CCPA/CPRA rights request metrics.

B. Washington Residents (My Health My Data Act - MHMDA)

This section supplements the information contained in the main policy and applies solely to Washington residents regarding their "Consumer Health Data" as defined broadly under the MHMDA.⁸

• Consumer Health Data: This term includes a wide range of health-related information.⁸ Lumae does not intentionally collect Consumer Health Data. However, such data could potentially be present within documents users voluntarily upload to the Service.
• Consent Requirements: Lumae will obtain explicit opt-in consent before collecting or using Consumer Health Data, unless necessary to provide a product or service you requested. We will obtain separate, distinct opt-in consent before sharing Consumer Health Data (unless necessary for a requested service or with a contracted processor). We will obtain a valid, signed authorization before selling Consumer Health Data (which we do not do).⁸
• Your Rights: As detailed in Section IX, you have the rights to Confirm Processing, Access, Withdraw Consent, and Deletion regarding your Consumer Health Data.⁸
• How to Exercise Rights: Please refer to Section X for the method to submit requests (email to support@lumae.ai). Deletion requests will be processed within 30 days of authentication.⁸
• Geofencing Prohibition: Lumae complies with the MHMDA's prohibition on implementing geofences around facilities providing in-person health care services for prohibited purposes.¹⁵
• Data Access Restrictions: Access to any Consumer Health Data incidentally processed within Lumae is restricted to personnel who need access to fulfill the purposes consented to by you or to provide requested services.⁸

C. Residents of Other US States

Comprehensive state privacy laws are now in effect or coming into effect in numerous US states (e.g., Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, Virginia).²¹ Residents of these states generally have rights similar to those described under CCPA/CPRA and GDPR, such as rights to access, correct, delete, obtain a copy of their data, and opt-out of certain processing activities like targeted advertising or the sale of personal data (though Lumae does not currently engage in these opt-out relevant activities). Please refer to Sections IX and X to understand and exercise your rights. We strive to honor these rights in accordance with applicable state laws.