Privacy Policy

Lumiqo Inc. (“Lumiqo”, “we”, “our”, or “us”) is an AI-powered analytics and observability platform that helps engineering teams monitor APIs, process webhooks, analyse event streams, and derive actionable insights through conversational AI.

This Privacy Policy describes the personal data we collect when you use our website at lumiqo.app, our web application at console.lumiqo.app, our APIs, SDKs, and all related services (collectively, the “Services”). It also explains how we use that data, your rights, and how to exercise them.

Account & Identity Data

• Full name and work email address
• Company name and size (optional during onboarding)
• Authentication credentials — passwords stored as hashed values only
• Role and team membership within your organisation

Usage & Telemetry Data

• Pages visited, features used, and click interactions within the console
• Session duration, frequency, and feature engagement metrics
• IP address, approximate geolocation (country/city), and time zone
• Device type, OS, browser version, and screen resolution

Customer Ingested Data

Lumiqo processes data you choose to send — API payloads, webhook bodies, event stream records, and metrics. This data is processed strictly to deliver the contracted Services. We do not use your ingested data to train AI models without your explicit, separately obtained consent.

Payment & Billing Data

Billing is handled by Stripe, Inc. We never store raw card numbers. We receive tokenised payment references, billing address, invoice history, and subscription tier information.

• Service delivery: Provision, maintenance, and operation of the Lumiqo platform
• Account management: Authentication, team access control, and administration
• AI insights: Powering on-platform conversational AI in isolated, per-tenant contexts
• Product improvement: Analysing aggregated, anonymised usage patterns
• Security: Fraud detection, abuse prevention, and infrastructure monitoring
• Customer support: Responding to queries and troubleshooting issues
• Legal compliance: Meeting obligations under applicable law and regulations
• Marketing (opt-in only): Product announcements and changelog updates

For users in the EEA, UK, or Switzerland, we rely on the following GDPR legal bases:

• Contract performance (Art. 6(1)(b)): Delivering the Services under your subscription
• Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and product analytics
• Consent (Art. 6(1)(a)): Marketing communications and non-essential cookies
• Legal obligation (Art. 6(1)(c)): Tax, financial reporting, and regulatory compliance

We do not sell your personal data. We share data only with trusted sub-processors:

• AWS: Cloud infrastructure, storage, and managed databases
• OpenAI: Conversational AI features — isolated contexts, no model training on your data
• Stripe: Billing and subscription management
• Intercom: In-app customer support
• Sentry: Application error tracking
• PostHog: Self-hosted, privacy-first product analytics
• Resend: Transactional email infrastructure

All sub-processors are bound by data processing agreements and implement adequate security measures. We may also disclose data if required by law, court order, or to protect the safety of our users.

• Account data: Retained for 90 days after account deletion to support recovery
• Ingested event data: 30 days on Starter; extended on Business and Enterprise plans
• Billing records: 7 years for tax and financial regulation compliance
• Support communications: 3 years from case closure
• Server logs: 90 days for security and debugging

After the applicable period, data is securely deleted or anonymised. Request earlier deletion at privacy@lumiqo.app.

• TLS 1.2+ encryption in transit for all API and web traffic
• AES-256 encryption at rest for all stored data
• Strict tenant isolation — your data is logically separated from other customers
• Role-based access control (RBAC) and MFA support
• Regular third-party penetration testing and vulnerability assessments
• SOC 2 Type II audit programme — report available to Enterprise customers under NDA

• Access: Request a copy of the personal data we hold about you
• Rectification: Correct inaccurate or incomplete personal data
• Erasure: Request deletion of your personal data
• Restriction: Ask us to restrict processing
• Portability: Receive data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interests
• Withdraw consent: Withdraw at any time for consent-based processing

• Privacy team: privacy@lumiqo.app
• DPO: dpo@lumiqo.app
• General legal: legal@lumiqo.app