Privacy Policy

Last Updated: February 2026Version 1.0

1. Introduction

Luminai Limited ("Luminai", "we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you:

  • Visit our website at luminai.co.uk
  • Use the Luminai platform and services
  • Interact with AI agents powered by Luminai

Luminai Limited is registered in Northern Ireland. We are the data controller for personal data processed through our website and platform.

For data processed on behalf of our business customers, we act as a data processor. See Section 8 for details.

2. Information We Collect

2.1 Information You Provide

  • Account information: Name, email, company name, password
  • Billing information: Processed by Stripe; we store only last 4 digits of card
  • Support requests: Email, message content
  • Agent configuration: System prompts, knowledge base content

2.2 Information Collected Automatically

  • Device/browser info: For security and analytics
  • IP address: For security and fraud prevention
  • Usage data: For improving our services
  • Cookies: See our Cookie Policy

2.3 Information from Third Parties

  • Stripe: Payment confirmation and billing details
  • AI Providers: We send prompts to OpenAI, Anthropic, Google, etc. to generate responses

3. How We Use Your Information

PurposeLegal Basis (UK GDPR)
Provide and maintain our servicesContract performance
Process paymentsContract performance
Send service-related communicationsLegitimate interest
Respond to support requestsContract performance
Improve our platformLegitimate interest
Prevent fraud and abuseLegitimate interest
Comply with legal obligationsLegal obligation
Send marketing (with consent)Consent

4. How We Share Your Information

We do not sell your personal data. We share information only as follows:

4.1 Service Providers

We use third-party services to operate our platform:

  • Stripe: Payments
  • OpenAI / Anthropic / Google: AI processing
  • Cloud hosting: Infrastructure (encrypted)
  • Analytics providers: Anonymised usage data

4.2 Legal Requirements

We may disclose information if required by law, court order, or government request.

4.3 Business Transfers

If Luminai is acquired or merged, your information may be transferred as part of that transaction.

5. Data Retention

Data TypeRetention Period
Account dataUntil account deletion + 30 days
Billing records7 years (legal requirement)
Conversation logsAs configured by customer (default: 90 days)
Server logs30 days
Analytics data26 months (anonymised)

6. Your Rights (UK GDPR)

Under UK data protection law, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of your data
  • Restriction: Limit how we process your data
  • Portability: Receive your data in a portable format
  • Objection: Object to processing based on legitimate interest
  • Withdraw consent: Where processing is based on consent

To exercise these rights, contact us at empower+privacy@luminai.co.uk. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

7. AI Processing and Third-Party Models

7.1 How AI Works

When you or your end users interact with an AI agent, conversations are sent to third-party AI providers (such as OpenAI, Anthropic, or Google) for processing.

7.2 Data Sent to AI Providers

  • User messages and conversation history
  • System prompts and agent configuration
  • Retrieved knowledge base content

7.3 AI Provider Data Practices

Each AI provider has its own data practices:

  • OpenAI: Does not train on API data
  • Anthropic: Does not train on API data
  • Google: See their Cloud AI terms

7.4 AI Limitations

AI may produce inaccurate, biased, or inappropriate content. We do not guarantee the accuracy of AI outputs.

8. Customer Data and Data Processing

8.1 When We Are a Processor

When our business customers use Luminai to create agents that interact with their end users, the customer is the data controller and Luminai is the data processor.

8.2 Data Processing Agreement

Business customers must accept our Data Processing Agreement (DPA), which governs how we process data on their behalf in compliance with UK GDPR.

8.3 Customer Responsibilities

Customers are responsible for:

  • Providing privacy notices to their end users
  • Obtaining necessary consents
  • Responding to data subject requests from their users
  • Ensuring lawful use of the platform

9. International Transfers

Your data may be transferred to and processed in countries outside the UK, including the United States (where AI providers operate).

We ensure appropriate safeguards:

  • Standard Contractual Clauses (SCCs) with providers
  • UK International Data Transfer Agreement where required
  • Adequacy decisions where available

10. Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS) and at rest
  • Access controls and authentication
  • Regular security assessments
  • Employee training

No system is 100% secure. We cannot guarantee absolute security but strive to protect your data.

11. Children's Privacy

Our services are not directed to individuals under 18. We do not knowingly collect personal data from children. If we learn we have collected data from a child, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the new policy on our website
  • Sending an email to account holders (for material changes)

Your continued use after changes constitutes acceptance.

13. Contact Us

For privacy-related questions or to exercise your rights:

Luminai Limited
Email: empower+privacy@luminai.co.uk

For complaints, you may contact the ICO: ico.org.uk