Lumae Privacy Policy
Effective Date: 28 April 2025
Last Updated: 28 April 2025
I. Introduction
This document constitutes the Privacy Policy ("Policy") for Alphabetasoup LLC, doing business as LUMAE and LUMAE.ai (Registered Address: 30202 52nd Ave NW, Stanwood, WA 98292 USA, hereinafter referred to as "Lumae," "we," "us," or "our"). This Policy outlines our practices concerning the collection, use, disclosure, protection, and processing of personal information belonging to users ("you," "your") of our website, applications, products, and services (collectively, the "Services").
The purpose of this Policy is to provide transparency regarding how Lumae handles your personal information, ensuring you are informed about our data practices.1 This Policy applies to personal information collected through our online Services and may also apply to information collected offline, as specified herein.4 By using our Services, you acknowledge that you have read and understood this Privacy Policy. Where required by applicable law, we will obtain your consent for specific data processing activities.
Maintaining user trust is paramount, and this Policy aims to foster that trust by being clear, comprehensive, and compliant with applicable data protection laws.2 It is designed to be read in conjunction with our Terms of Service, which provide additional context regarding your use of our Services.1
For clarity, certain key terms used throughout this Policy are defined as follows:
- Personal Information (PI): Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples include names, email addresses, IP addresses, and commercial transaction records.5 The specific definition may vary slightly depending on the applicable law (e.g., GDPR, CCPA/CPRA).
- Sensitive Personal Information (SPI) / Special Categories of Personal Data / Consumer Health Data: A subset of Personal Information subject to heightened protection under various laws. Definitions vary significantly by jurisdiction but may include data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for identification purposes, health data, data concerning sex life or sexual orientation, government identifiers (like SSN or driver's license number), account login credentials, precise geolocation, and contents of certain private communications.5 Washington's My Health My Data Act uses the term "Consumer Health Data," which has an exceptionally broad definition covering many types of health-related information and inferences.8
- Processing: Any operation or set of operations performed on personal information, such as collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, dissemination, erasure, or destruction.6
- Data Subject: The identified or identifiable natural person to whom personal information relates (term commonly used under GDPR).3
- Controller: The entity that determines the purposes and means of processing personal information (Lumae is generally the Controller for user data).3
- Processor: An entity that processes personal information on behalf of the Controller.18
- Sell: Disclosing personal information to a third party for monetary or other valuable consideration (definition primarily relevant under CCPA/CPRA and WA MHMDA).1
- Share: Disclosing personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration (definition primarily relevant under CCPA/CPRA).11 WA MHMDA uses "share" more broadly to mean almost any disclosure to a third party or affiliate not acting as a processor.8
- Third Party: An entity other than the consumer, Lumae (the business/controller), or Lumae's service providers/processors.10
This Policy is effective as of the date first stated above and will be reviewed and updated periodically to reflect changes in our practices or applicable laws. We will notify you of significant changes as described in Section XIII.1
II. What Information We Collect
Lumae collects various categories of Personal Information to provide and improve our Services. Being exhaustive in listing the data collected is legally prudent, as omitting categories could lead to non-compliance with regulations like GDPR or CCPA/CPRA.1 However, to enhance readability, we group the information into logical categories.10 The specific types of Personal Information we may collect include:
- Identifiers: Such as your real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, phone number, or other similar identifiers.1
- Commercial Information: Records of products or services purchased, obtained, or considered, other purchasing or consuming histories or tendencies.7
- Internet or Other Electronic Network Activity Information: Including, but not limited to, browsing history, search history, and information regarding your interaction with our website, application, or advertisements. This may also include log file data such as IP addresses, browser type, Internet Service Provider (ISP), date and time stamps, referring/exit pages, and potentially the number of clicks.3
- Geolocation Data: We collect general location information inferred from your IP address. We do not collect precise geolocation data.
- Professional or Employment-Related Information: Standard business-to-business (B2B) and employee/contractor contact records (names, work emails, phone numbers, titles, etc.) are collected and covered by this policy.12
- Inferences Drawn from Other Personal Information: We may create profiles reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.7
- User-Generated Content: Information you voluntarily provide in public forums on our Services, such as product reviews or community posts, or content you upload to the Service (e.g., mortgage documents).3
- Payment Information: When you make a purchase, payment details are collected and processed directly by our third-party payment processor (e.g., Chargebee), which tokenizes the information. Lumae does not directly store full credit card numbers and only receives confirmation of payment and limited transaction details.
- Sensitive Personal Information (SPI) / Special Categories / Consumer Health Data:
Recognizing and appropriately handling Sensitive Personal Information is critical due to the heightened legal obligations associated with it.1 Lumae does not intentionally request or require the following categories of sensitive information: Government IDs (SSN, Driver's License, Passport), financial account logins, full card numbers with security codes, precise geolocation, race/ethnicity data (though it may appear in user-provided HMDA-related documents), contents of private communications not intended for us, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.
However, some sensitive information (such as Government IDs, race/ethnicity data, or potentially health-related information) might be present within documents you voluntarily upload to the Service (e.g., mortgage application forms like the Form 1003, supporting loan documentation). Any such data that appears incidentally within user-provided content is processed solely for the purpose of providing the requested Service functionality (e.g., analyzing the uploaded document). Lumae does not use this incidental sensitive data for any other purpose. Users may request the deletion of their uploaded documents and associated data at any time, subject to the retention terms outlined in Section VIII.
The potential applicability of the Washington My Health My Data Act (MHMDA) warrants special attention due to its broad definition of "consumer health data" and its reach.8 While Lumae does not intentionally collect Consumer Health Data, should such data be identified within user-uploaded documents, we will handle it according to MHMDA requirements, including obtaining specific consent if any collection, use, or sharing (beyond providing the core service requested by the user) were ever contemplated.8
The provision of most personal information is voluntary. However, choosing not to provide certain information may limit your ability to use some features of our Services.20
III. How We Collect Your Information
Lumae collects personal information through various methods, ensuring transparency about these processes1:
- Directly From You: We collect information that you voluntarily provide to us. This occurs when you:
  - Create an account or register for our Services.4
  - Fill out forms on our website or application (e.g., contact forms, order forms, survey responses).1
  - Make a purchase.2
  - Upload documents or content to the Service.
  - Communicate with us directly via email, phone, text message, or other channels.4

  We will make it clear at the point of collection what information is being requested and why.4
- Automatically When You Use Our Services: We automatically collect certain information about your device and your interaction with our Services using various technologies:
  - Log Files: Like most websites and online services, we gather certain information automatically and store it in log files. This information may include IP addresses, browser type, ISP, referring/exit pages, operating system, date/time stamps, and clickstream data. This data helps us analyze trends, administer the site, track user movements, and gather demographic information, but is generally not linked to other personally identifiable information.3
  - Cookies and Similar Technologies: We use cookies (small text files stored on your device) and similar technologies for essential operations and analytics. Further details are provided in Section VI (Cookies and Similar Technologies).
- From Third-Party Sources: We do not receive personal information about users from third-party data brokers, marketing partners, or social media platforms. We utilize analytics services (Microsoft Azure Application Insights and optionally Google Analytics) to understand service usage, but these collect data about interactions with our Services, not data from external sources about you.
IV. How and Why We Use Your Information (Legal Basis & Purpose)
Lumae collects and uses your personal information only for specific, explicit, and legitimate purposes. We are committed to the principles of Purpose Limitation and Data Minimization, meaning we only collect and use data that is necessary for the stated purposes and do not repurpose it without a valid legal basis or your consent.3 Collecting data "just in case" is not our practice.16 These principles require operational discipline, influencing our system design, internal processes, and employee training to ensure data is handled appropriately throughout its lifecycle.18
The specific purposes for which we use your information include:
- Providing and Operating Our Services: To deliver the core functionality of our website, applications, and products (including processing uploaded documents as requested), process transactions, fulfill orders, and manage your account.3 (Relevant Data Categories: Identifiers, Commercial Information, Payment Information, Internet Activity, User-Generated Content).
- Customer Service and Support: To respond to your inquiries, provide assistance, manage returns or cancellations, and address billing issues.4 (Relevant Data Categories: Identifiers, Commercial Information).
- Improving and Personalizing Services: To understand how users interact with our Services, analyze trends using aggregated or de-identified data where possible, troubleshoot issues, personalize your experience (e.g., remembering preferences), and enhance functionality.3 (Relevant Data Categories: Identifiers, Commercial Information, Internet Activity, Geolocation Data (coarse), Inferences).
- Communication: To send you service-related communications (e.g., order confirmations, account updates), respond to your requests, and, with your consent or where permitted by law, send marketing and promotional materials.3 You will have the option to opt out of marketing communications. (Relevant Data Categories: Identifiers, Commercial Information).
- Security and Fraud Prevention: To maintain the security and integrity of our Services, detect and prevent fraudulent activity, and protect the rights and safety of Lumae and our users.4 (Relevant Data Categories: Identifiers, Commercial Information, Internet Activity).
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests. (Relevant Data Categories: Varies depending on the legal obligation).
- Developing New Offerings: To inform the development of new products, services, features, and functionality.4 (Relevant Data Categories: Identifiers, Commercial Information, Internet Activity, Inferences, User-Generated Content).
Connecting the categories of data we collect (Section II) to the specific purposes for which we use them provides greater transparency, as required by laws like GDPR and CCPA/CPRA.1 This internal mapping is also essential for effective data governance.9
Legal Basis for Processing (GDPR)
For individuals whose data processing is subject to the General Data Protection Regulation (GDPR), we rely on one or more of the following legal bases for each processing activity1:
- Consent: Where you have given us explicit, informed, and freely given consent for a specific purpose (e.g., subscribing to marketing emails). You have the right to withdraw your consent at any time.4
- Contractual Necessity: Where processing is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into a contract (e.g., processing your order, managing your account, processing uploaded documents to provide the Service).16
- Legal Obligation: Where processing is necessary for compliance with a legal obligation to which Lumae is subject (e.g., retaining financial records for tax purposes).
- Legitimate Interests: Where processing is necessary for the purposes of the legitimate interests pursued by Lumae or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms. Where we rely on legitimate interests, we conduct a balancing test to ensure your rights are protected. Examples may include processing for security purposes, analytics to improve our services, or certain types of internal administration.17 We will clearly state when we rely on legitimate interests.
Identifying and documenting the correct legal basis for each processing activity before the processing begins is a fundamental requirement under GDPR and a cornerstone of our compliance approach.1
Business or Commercial Purpose (CCPA/CPRA)
For individuals whose data processing is subject to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), we use your personal information for the business or commercial purposes described above. Our use of personal information is reasonably necessary and proportionate to achieve the operational purpose for which it was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected.10
V. Sharing and Disclosure of Information
Lumae does not "sell" personal information, nor do we "share" personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA.1 We do not use third-party advertising networks that track your activity across different websites.
Use and Disclosure of Sensitive Personal Information (SPI):
As stated in Section II, Lumae does not intentionally collect most categories of SPI. Where SPI may be incidentally present in user-uploaded documents (e.g., Government IDs, race/ethnicity data in mortgage forms), we process it only as necessary to provide the Service requested by the user. We do not use or disclose this incidental SPI for other purposes that would require offering a "Limit the Use of My Sensitive Personal Information" right under the CCPA/CPRA.5
Sharing/Selling under WA MHMDA:
Lumae does not intentionally collect, share, or sell "Consumer Health Data" as defined under the Washington My Health My Data Act. Should such data be identified within user-uploaded documents, we will not share or sell it without obtaining the specific consent or valid authorization required by MHMDA.8
Disclosure for Business Purposes:
Lumae may disclose your personal information to third parties for legitimate business purposes, consistent with the reasons it was collected. These disclosures are not considered "sales" or "sharing." Categories of recipients include:
- Service Providers/Processors: We engage third-party companies and individuals to perform functions on our behalf, such as payment processing (Chargebee), data analysis (Microsoft Azure Application Insights, optionally Google Analytics), hosting services (Amazon Web Services), LLM processing (Microsoft Azure OpenAI Service), customer service, and IT support.10 These service providers act as Processors under GDPR or Service Providers/Contractors under CCPA/CPRA. We have contractual agreements (Data Processing Agreements or DPAs) in place with these parties that require them to protect your personal information, use it only for the specific services they provide to us, and comply with applicable data protection laws.16 Microsoft Azure OpenAI Service does not use customer data submitted to the service to train its models. The presence and enforcement of these contracts are critical for compliance and risk management.16
- Affiliates and Subsidiaries: We may share information within our corporate group, provided such sharing is consistent with this Policy and applicable law.5 Note that under WA MHMDA, affiliates are treated as third parties requiring consent for sharing unless they function strictly as processors under contract.14
- Legal and Regulatory Requirements: We may disclose your information if required to do so by law, regulation, court order, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
- Corporate Transactions: In the event of a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your personal information may be transferred as part of that transaction, subject to confidentiality agreements and compliance with legal requirements.10
In compliance with CCPA/CPRA, we maintain records of the categories of personal information disclosed for a business purpose in the preceding 12 months.10
Advertising Partners: We do not share personal information with third-party advertising partners for targeted advertising purposes.
VI. Cookies and Similar Technologies
Lumae utilizes cookies and similar technologies, such as log files and scripts, on our Services. This section provides details on our use of these technologies.
What are Cookies? Cookies are small text files stored on your computer or mobile device when you visit a website. They enable the website to remember your actions and preferences over time.2
How We Use Cookies and Similar Technologies: We use these technologies for the following purposes:
- Essential Operations: Some cookies are strictly necessary for the technical operation of our Services, such as maintaining your login session (authentication) and ensuring website security. These cannot be disabled.
- Performance and Analytics: We use first-party analytics cookies (via Microsoft Azure Application Insights and optionally Google Analytics) to collect information about how you interact with our Services (e.g., pages visited, time spent). This helps us understand usage patterns, improve performance, and optimize our Services.3 This data is used for internal purposes only and is not shared with third parties for cross-site tracking or advertising.
We do not use cookies for third-party targeted advertising or cross-site tracking.
Your Choices Regarding Cookies:
- Browser Settings: Most web browsers allow you to control cookies through their settings preferences. You can typically set your browser to refuse some or all cookies or to indicate when a cookie is being sent. However, please note that disabling essential cookies may impact the functionality of our Services.20
- Analytics Opt-Out: You may be able to opt out of Google Analytics tracking by using Google's opt-out tools, if you choose to enable this optional analytics service.
Since we only use essential and first-party analytics cookies and do not engage in cross-site tracking or sharing/selling of data via cookies, complex cookie consent banners (like those required under GDPR for non-essential cookies) or "Do Not Sell/Share" mechanisms specifically for cookies are not currently necessary for our US-focused service.
VII. Data Security
Lumae is committed to protecting the security of your personal information.2 We implement and maintain reasonable administrative, technical, and physical security measures designed to safeguard the personal information we process against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.1 Data security is not merely a best practice but a legal requirement under regulations like GDPR (Article 32), CCPA/CPRA, and WA MHMDA.6 Failure to maintain reasonable security can lead to significant liability, including potential private rights of action for data breaches under laws like the CCPA/CPRA.7
Our security measures include, but are not limited to:
Technical Measures:
- Encryption: Using encryption technologies (such as Transport Layer Security (TLS) for data in transit and appropriate encryption for data at rest) to protect sensitive information.2
- Access Controls: Implementing technical controls to limit access to personal information to authorized personnel based on job function (role-based access control, principle of least privilege).8
- Network Security: Utilizing firewalls, intrusion detection/prevention systems, and other network security tools provided by our hosting partners (AWS, Azure).
- System Monitoring & Patching: Regularly monitoring systems for vulnerabilities and applying security patches and updates in a timely manner.26
- Pseudonymization: Employing pseudonymization techniques where appropriate to reduce the linkability of data to individuals.6
- Secure Development Practices: Incorporating security considerations into our software development lifecycle.
Organizational Measures:
- Policies and Procedures: Maintaining internal policies and procedures governing data handling, security, and incident response.18
- Employee Training: Providing training to employees on data privacy and security best practices.18
- Vendor Security Management: Assessing the security practices of third-party vendors (like AWS, Azure, Chargebee) who handle personal information on our behalf and requiring contractual security commitments (DPAs).24
- Audits and Assessments: Conducting periodic security reviews and risk assessments to identify and address potential vulnerabilities.11
- Incident Response Plan: Having a plan in place to detect, respond to, and mitigate the impact of data security incidents.16
Physical Measures:
Relying on the robust physical security controls implemented by our infrastructure providers (AWS, Azure) for their data centers.
While we strive to use commercially acceptable means to protect your personal information, it is important to understand that no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security. We aim to provide a level of detail in this policy that demonstrates our commitment to robust security practices without revealing specifics that could compromise those measures.2
VIII. Data Retention
Lumae retains personal information for as long as necessary to (i) fulfil the purposes described in this Privacy Policy, (ii) comply with legal obligations, (iii) resolve disputes, and (iv) enforce our agreements. Retention periods are reassessed periodically, and users may request deletion of their data at any time, subject to legal or contractual exceptions.3
This practice adheres to the principle of Storage Limitation mandated by laws like GDPR and reflected in the data minimization principles of CPRA.6 Retaining data indefinitely or "just in case" is generally prohibited unless required by law.16
To determine the appropriate retention period for personal information, we consider:
- The amount, nature, and sensitivity of the personal information (including any incidental SPI in uploaded documents).
- The potential risk of harm from unauthorized use or disclosure of the information.
- The purposes for which we process the personal information and whether we can achieve those purposes through other means.
- The duration of our relationship with you (e.g., while you maintain an active account).
- Applicable legal, regulatory, tax, accounting, or other requirements that may mandate specific retention periods (e.g., financial records, audit trails).
- The need to resolve disputes, enforce our agreements, or establish or defend legal claims.
Documenting the rationale for retention periods is part of our accountability obligations.6 Once personal information is no longer necessary for the purposes for which it was collected, we will securely delete or anonymize it in accordance with our data retention policies and applicable law.18 Operationalizing data retention requires defined policies, procedures, and technical mechanisms for data disposal.18
IX. Your Privacy Rights
Depending on your jurisdiction of residence and the applicable data protection laws, you have certain rights regarding your personal information. Lumae is committed to facilitating the exercise of these rights. Key rights may include:
- Right to Know / Access: The right to confirm whether we process your personal information and to access details about the processing, including the categories and specific pieces of personal information collected, the sources, the purposes of processing, and the categories of third parties with whom data is disclosed.1
- Right to Rectification / Correction: The right to request correction of inaccurate personal information we hold about you.5
- Right to Erasure / Deletion: The right to request the deletion of your personal information, subject to certain exceptions (e.g., information needed to complete a transaction, comply with legal obligations, or for security purposes).1
- Right to Opt-Out of Sale / Sharing / Targeted Advertising: As Lumae does not currently "sell" or "share" personal information for cross-context behavioral advertising or engage in targeted advertising as defined by various state laws, an opt-out mechanism is not required at this time.1 Should our practices change, we will update this policy and provide the necessary opt-out tools.
- Right to Limit Use and Disclosure of Sensitive Personal Information (SPI): As Lumae does not use or disclose incidentally collected SPI for purposes beyond providing the requested service, a specific mechanism to limit use/disclosure is not required under CCPA/CPRA at this time.5 For WA MHMDA, consent would be required for uses beyond the requested service.
- Right to Data Portability: The right to receive a copy of your personal information in a structured, commonly used, and machine-readable format, and potentially to have it transmitted directly to another controller where technically feasible.5
- Right to Object: (Primarily under GDPR) The right to object to processing based on legitimate interests or for direct marketing purposes.6
- Right to Restrict Processing: (Primarily under GDPR) The right to request the restriction of processing under certain circumstances (e.g., while accuracy is contested).6
- Right to Withdraw Consent: Where processing is based on consent (e.g., for marketing emails), you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.3
- Rights Related to Automated Decision-Making and Profiling: The right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects on you, subject to exceptions. You may also have the right to obtain information about such processing.5
- Right to Non-Discrimination / Retaliation: The right not to be discriminated against for exercising your privacy rights (e.g., by denying goods or services, charging different prices, or providing a different level of quality).1
The specific rights available to you, and any exceptions, depend on the laws applicable in your jurisdiction. The patchwork of US state privacy laws continues to evolve.21
Table: Summary of Your Key Privacy Rights (as applicable to Lumae's current practices)
Right | GDPR (EEA/UK Residents) | CCPA/CPRA (California Residents) | WA MHMDA (WA Residents - Health Data) | Other US States (General Trend) |
---|---|---|---|---|
Access / Know | Yes | Yes | Yes | Yes |
Correct / Rectify | Yes | Yes | No (but implied by accuracy needs) | Yes |
Delete / Erasure | Yes (with exceptions) | Yes (with exceptions) | Yes | Yes (with exceptions) |
Opt-Out of Sale / Sharing / Targeted Ads | N/A (Consent Required) | N/A (Not Applicable Currently) | N/A (Authorization for Sale) | N/A (Not Applicable Currently) |
Limit Use of Sensitive PI | N/A (Basis Required) | N/A (Not Applicable Currently) | Yes (Consent for Collection/Sharing beyond service) | Varies (Often Opt-In Consent) |
Data Portability | Yes | Yes (limited scope) | No | Yes |
Object to Processing | Yes | No | No | Varies (Often Opt-Out) |
Restrict Processing | Yes | No | No | Varies |
Withdraw Consent | Yes | Yes (for marketing etc.) | Yes | Yes |
Non-Discrimination | Yes (implied) | Yes | Yes (implied) | Yes |
Automated Decision Rights | Yes | Yes (developing) | No | Varies (Often Opt-Out) |
Note: This table provides a simplified overview based on Lumae's current data practices. Specific details, definitions, and exceptions vary by law. "N/A" indicates the concept is addressed differently or not applicable to current operations.
Successfully fulfilling these rights requires Lumae to maintain robust internal Data Subject Access Request (DSAR) processes. This involves having mechanisms to receive requests, verify identity, locate data across potentially disparate systems, execute the requested action (access, deletion, correction), track the process, and respond within legally mandated timeframes.1
X. How to Exercise Your Rights
To exercise any of the privacy rights described above, please submit a verifiable request to us via email1:
Email: support@lumae.ai (Please include "Privacy Request" in the subject line)
We currently do not offer a web form or toll-free number for these requests.
Information Needed for Your Request: Please include sufficient information in your request to allow us to reasonably verify you are the person about whom we collected personal information or an authorized representative. Please also describe your request with sufficient detail to allow us to properly understand, evaluate, and respond to it.
Verification Process: We need to verify your identity before processing most requests to protect your privacy and prevent fraudulent requests.11 The verification process will depend on the nature and sensitivity of your request. We may ask you to provide additional information to confirm your identity, such as confirming details associated with your account or responding to an email sent to the address on file. We aim to make this process reasonable and proportionate.11
Response Timing and Format: We will endeavor to acknowledge receipt of your request within 10 business days (for CCPA/CPRA requests) and respond substantively within the timeframe required by applicable law (e.g., 45 days for CCPA/CPRA, potentially extendable by another 45 days with notice; one month for GDPR, potentially extendable by two further months with notice).11 For WA MHMDA deletion requests concerning Consumer Health Data (if applicable), the timeframe is generally 30 days from authentication.8 If we require more time, we will inform you of the reason and extension period in writing. Our response will be provided in a format that is readily usable, and requests are generally free of charge.6
Appeals: If we deny your request, we will explain the reasons for the denial. Some state laws provide a right to appeal our decision. If applicable, our denial notice will include instructions on how to submit an appeal.
Authorized Agents: You may designate an authorized agent to make a request on your behalf under certain laws like the CCPA/CPRA. We will require proof that you have provided the authorized agent with signed permission to act on your behalf, and we may also require you to verify your own identity directly with us, unless the agent provides power of attorney.
XI. Children's Privacy
Lumae's Services are directed to U.S. mortgage professionals and are not intended for children under the age of 16. We do not knowingly collect personal information from children under 16.2
COPPA (Children Under 13): Our Services are not directed to children under 13, and we do not knowingly collect personal information from them. If we were to do so, we would comply with the Children's Online Privacy Protection Act (COPPA).5
CCPA/CPRA (Children Under 16): We do not "sell" or "share" personal information. If we have actual knowledge that a user is under 16, we would not sell or share their information without the affirmative opt-in consent required by law (from the consumer if 13-16, or from a parent/guardian if under 13).11
Other Jurisdictions: We comply with applicable laws regarding children's data in other jurisdictions if relevant.
If you are a parent or guardian and believe we may have collected personal information from your child under 16 without required consent, please contact us at support@lumae.ai. If we learn that we have collected personal information from a child under 16 without necessary consent, we will take steps to delete that information promptly.
XII. International Data Transfers
Lumae's primary operations and target market are within the United States. Our website and application hosting infrastructure (Amazon Web Services - AWS) is located in the US-West region. Our LLM processing (Microsoft Azure OpenAI Service) utilizes U.S. datacenters.
We do not routinely transfer personal information outside of the United States. However, should we ever process personal data originating from the European Economic Area (EEA), UK, or Switzerland, we would ensure such transfers comply with applicable data protection laws. For transfers to the United States, Lumae would rely on appropriate safeguards such as the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the DPF, the Swiss-U.S. DPF, and/or the Standard Contractual Clauses (SCCs) adopted by the relevant authorities, potentially supplemented by Transfer Impact Assessments (TIAs) as necessary.3
Regardless of where your information is processed, we apply the protections described in this Privacy Policy.
XIII. Changes to This Privacy Policy
Lumae reserves the right to amend this Privacy Policy at any time to reflect changes in the law, our data collection and use practices, the features of our Services, or advances in technology.1 The privacy landscape is constantly evolving.11 Therefore, maintaining an up-to-date policy is essential for compliance.1
We will make the revised Privacy Policy accessible through our Services, and we will update the "Last Updated" date at the top of this Policy. If we make material changes to this Policy, we will provide you with notice as required by applicable law, which may include posting a notice on our website or sending an email notification to the address associated with your account.5 We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting the personal information we collect. Your continued use of our Services after the revised Policy has become effective indicates that you have read, understood, and agreed to the current version of the Policy.
XIV. Contact Information
If you have any questions, comments, or concerns about this Privacy Policy or our data practices, or if you wish to exercise your privacy rights, please contact us1:
Alphabetasoup LLC (d/b/a Lumae / Lumae.ai)
Attn: Privacy Inquiry
30202 52nd Ave NW
Stanwood, WA 98292 USA
Email: support@lumae.ai (Please include "Privacy" in the subject line for inquiries)
Lumae has not appointed a formal Data Protection Officer (DPO) as it is not currently required based on our processing activities under GDPR Art. 37.3 Please direct all privacy-related inquiries to the email address above.
XV. Jurisdiction-Specific Information (Addendum)
This addendum provides additional information required under specific data protection laws.
A. California Residents (CCPA/CPRA)
This section supplements the information contained in the main policy and applies solely to residents of California.
- Your Rights: As detailed in Section IX, you have the rights to Know, Delete, and Correct your personal information. As Lumae does not currently "sell" or "share" personal information or use/disclose sensitive personal information beyond providing the service, the rights to Opt-Out of Sale/Sharing and Limit the Use of SPI are not applicable at this time. You also have the right to non-discrimination for exercising your rights.
- How to Exercise Rights: Please refer to Section X for the method to submit requests (email to support@lumae.ai).
- Verification: We will verify your request as described in Section X.
- Authorized Agents: You may designate an authorized agent as described in Section X.
- Sensitive Personal Information: We do not intentionally collect most categories of SPI. Where SPI (e.g., government IDs, race/ethnicity) may be present in documents you upload, we process it only as necessary to provide the service and do not use it for purposes requiring a "Limit Use" opt-out.
- Business and Employee Data: This policy covers personal information collected in the B2B and employment/contractor context, consistent with CPRA requirements.
- "Shine the Light" Law: California Civil Code Section 1798.83 permits California residents to request certain information regarding our disclosure (if any) of personal information to third parties for their direct marketing purposes. As we do not engage in such disclosures, this is not applicable.
- Reporting Metrics: Lumae is currently below the statutory thresholds requiring annual public reporting on CCPA/CPRA rights request metrics.
B. European Economic Area (EEA), United Kingdom (UK), and Switzerland Residents (GDPR)
This section supplements the information contained in the main policy and applies solely to individuals whose data processing is subject to the GDPR (should such processing occur).
- Legal Bases: As outlined in Section IV, our legal basis for collecting and using personal information depends on the information concerned and the specific context. We rely on Consent, Contractual Necessity, Legal Obligation, or Legitimate Interests.
- Data Controller: Alphabetasoup LLC is the data controller for personal information collected subject to the GDPR.
- Your Rights: As detailed in Section IX, you have the rights to Access, Rectification, Erasure, Restrict Processing, Data Portability, Object to Processing, Withdraw Consent, and rights related to Automated Decision-Making.
- How to Exercise Rights: Please refer to Section X for the method to submit requests (email to support@lumae.ai).
- International Transfers: As detailed in Section XII, should we transfer personal information outside the EEA, UK, or Switzerland to the US, we would rely on appropriate safeguards such as the Data Privacy Framework and/or Standard Contractual Clauses.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal information infringes the GDPR.1 Contact details for EU data protection authorities can be found online, and the UK Information Commissioner's Office (ICO) can also be contacted via their website.
C. Washington Residents (My Health My Data Act - MHMDA)
This section supplements the information contained in the main policy and applies solely to Washington residents regarding their "Consumer Health Data" as defined broadly under the MHMDA.8
- Consumer Health Data: This term includes a wide range of health-related information.8 Lumae does not intentionally collect Consumer Health Data. However, such data could potentially be present within documents users voluntarily upload to the Service.
- Consent Requirements: Lumae will obtain explicit opt-in consent before collecting or using Consumer Health Data, unless necessary to provide a product or service you requested. We will obtain separate, distinct opt-in consent before sharing Consumer Health Data (unless necessary for a requested service or with a contracted processor). We will obtain a valid, signed authorization before selling Consumer Health Data (which we do not do).8
- Your Rights: As detailed in Section IX, you have the rights to Confirm Processing, Access, Withdraw Consent, and Deletion regarding your Consumer Health Data.8
- How to Exercise Rights: Please refer to Section X for the method to submit requests (email to support@lumae.ai). Deletion requests will be processed within 30 days of authentication.8
- Geofencing Prohibition: Lumae complies with the MHMDA's prohibition on implementing geofences around facilities providing in-person health care services for prohibited purposes.15
- Data Access Restrictions: Access to any Consumer Health Data incidentally processed within Lumae is restricted to personnel who need access to fulfill the purposes consented to by you or to provide requested services.8
D. Residents of Other US States
Comprehensive state privacy laws are now in effect or coming into effect in numerous US states (e.g., Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, Virginia).21 Residents of these states generally have rights similar to those described under CCPA/CPRA and GDPR, such as rights to access, correct, delete, obtain a copy of their data, and opt out of certain processing activities like targeted advertising or the sale of personal data (though Lumae does not currently engage in the activities to which these opt-out rights apply). Please refer to Sections IX and X to understand and exercise your rights. We strive to honor these rights in accordance with applicable state laws.