Privacy Policy

Section 1

Who We Are

Lumeairy is a managed AI operator service that deploys autonomous business operators for small businesses. We handle client communications, lead follow-up, outreach, and daily business operations on behalf of our clients ("Clients").

This Privacy Policy governs how Lumeairy ("we," "us," "our") collects, uses, stores, and protects personal information from:

Clients — businesses that subscribe to Lumeairy's operator service
End contacts — individuals whose information Clients provide to us as part of operating their business (leads, customers, prospects)
Website visitors — anyone browsing lumeairy.com

By using our services, you agree to the practices described in this policy. If you do not agree, please discontinue use of our services.

Section 2

What We Collect

From Clients (businesses using Lumeairy)

Business name, owner name, email address, and phone number
Business type, industry, and operational preferences
Contact lists, lead data, and customer information you provide to us
Communications history (messages your operator sends and receives on your behalf)
Configuration data: your operator's voice documentation, sequences, and templates
Billing information (processed and stored by Stripe — we never see or store full card numbers)
Platform access credentials via OAuth/API keys (e.g., Gmail, Instagram, Airtable) — stored encrypted

From End Contacts (your leads and customers)

Name, email address, and/or phone number (as provided by you, the Client)
Any additional information you provide as part of your contact list
Communication history (their responses to operator-sent messages)

From Website Visitors

Standard server logs: IP address, browser type, referring URL, pages visited
Information voluntarily submitted via contact or signup forms

We do not collect payment card numbers, government ID numbers, Social Security numbers, or sensitive health information. We do not install anything on your devices. Our operator runs entirely on Lumeairy's infrastructure.

Section 3

How We Use Your Information

We use the information we collect for one primary purpose: delivering the Lumeairy operator service you subscribed to. Specifically:

Operating your business operator — running outreach sequences, sending follow-ups, managing lead communications, and executing the tasks your operator is configured for
Delivering briefings and reports — sending your daily briefing, weekly performance reports, and monthly reviews
Account management — billing, support, onboarding, and service configuration
Service improvement — identifying patterns that help us improve operator performance for your specific business (never shared with or applied to other clients)
Legal compliance — meeting our obligations under applicable law

We do not use your data to train AI models. We do not use your data for advertising. We do not analyze your data in aggregate and sell those insights. Your data works for your business, not ours.

Section 4

What We Never Do

These are not guidelines or defaults. They are absolute commitments that apply without exception.

Never sell your data to any third party — ever, under any circumstances
Never use your contact lists or client data to benefit other Lumeairy clients
Never train AI models on your data
Never share your business information, client data, or contact lists with unauthorized parties
Never access accounts, platforms, or tools you haven't explicitly authorized
Never retain your data after account deletion beyond the 30-day deletion window (or immediately upon request)
Never use data provided for one purpose for any other purpose without your explicit consent
Never misrepresent how we handle your data

Section 5

Sub-Processors & Third Parties

To deliver our service, we work with a small number of carefully selected sub-processors. Each is contractually bound to protect your data. All core infrastructure providers maintain their own SOC 2 Type II certifications.

Anthropic SOC 2 Type II AI inference provider powering operator intelligence. Anthropic's API usage does not train their models on your data. Data processed under Anthropic's data processing agreement.

Supabase SOC 2 Type II Database and authentication infrastructure. All client data stored in Supabase is encrypted at rest (AES-256) and in transit (TLS 1.2+). Row-level security enforced.

Vercel SOC 2 Type II Website and application hosting. Static assets and application delivery. Data in transit protected by TLS 1.3.

Stripe SOC 2 Type II · PCI DSS Level 1 Payment processing. We never see or store your full payment card number. Stripe handles all payment data under PCI DSS Level 1 compliance.

Brevo Transactional email delivery (onboarding sequences, briefings). GDPR-compliant. EU data residency available.

Telegram / Twilio Operator briefing delivery. Used only for sending your daily briefings and alerts. No client contact data processed.

Google Optional integration provider. When you connect Gmail, Google Calendar, Google Sheets, or Google Business Profile, access is granted via Google's official OAuth 2.0 flow. We store only the access token (encrypted) and never your Google password. You may revoke access at any time through your Google account settings.

We do not share your data with any providers beyond those necessary to deliver the service. Upon request, we can provide a full list of current sub-processors and their data processing agreements.

Section 6

Security & Infrastructure

We take security seriously. Our infrastructure is built on SOC 2 Type II certified providers and we apply security best practices throughout our stack. While Lumeairy is a growing business and has not yet completed its own standalone SOC 2 audit, we operate at or above the control standards required — and we intend to complete a Type I audit when we reach scale.

Encryption at Rest

All client data encrypted at rest using AES-256. API keys and credentials stored encrypted and never logged in plaintext.

Encryption in Transit

All data transmitted over TLS 1.2+. HTTPS enforced with HSTS preload. No unencrypted connections permitted.

Access Controls

Row-level security on all database tables. Principle of least privilege applied. Each client's data is isolated from other clients.

Security Headers

X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, and Referrer-Policy headers enforced on all web responses.

Audit Logging

All tool actions are logged with timestamps. Logs retained for 90 days and available to Clients on request.

Incident Response

Any security incident affecting client data triggers a 24-hour notification obligation. Full incident reports provided within 72 hours.

If you discover a security vulnerability, please contact us immediately at shawn@lumeairy.com. We respond to all security reports within 24 hours.

Section 7

Your Rights

You have the following rights regarding your personal information. To exercise any of them, contact us at shawn@lumeairy.com and we will respond within 5 business days.

Access — Request a copy of all personal data we hold about you or your business
Correction — Ask us to correct any inaccurate information
Deletion — Request deletion of your data. We will delete within 30 days (or immediately upon request at account closure)
Portability — Request your data in a portable format (CSV or JSON) for transfer to another service
Restriction — Ask us to restrict processing of your data in certain circumstances
Objection — Object to specific uses of your data
Withdraw consent — Cancel your service at any time with a single message. All processing stops at end of billing period

If you are a contact in a Client's database and wish to be removed, contact the Client directly or email us at shawn@lumeairy.com and we will facilitate your removal.

Section 8

Data Retention

Active accounts — Data retained for the duration of the service relationship plus 30 days after cancellation
After cancellation — All client data deleted within 30 days. Immediate deletion available on request
Operator logs — Communication and activity logs retained for 90 days during active service, then deleted
Billing records — Retained for 7 years as required by applicable tax law (payment processor data only; no full card numbers)
Website visitor logs — Server logs retained for 30 days then automatically purged

When you cancel, we'll export everything we hold on your business and send it to you before deletion. You keep everything we built for you.

Section 9

Cookies

We use cookies minimally and only for functional purposes:

Authentication cookies — Keep you logged into the Lumeairy dashboard during your session. Session-only; deleted when you close your browser
Preference cookies — Remember your dashboard display preferences. Persistent but contain no personal data

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not use Google Analytics or Facebook Pixel. We do not track you across other websites.

You can disable cookies in your browser settings. Disabling authentication cookies will prevent you from staying logged in to your dashboard.

Section 10

Changes to This Policy

If we make material changes to this Privacy Policy, we will notify active Clients via their daily briefing at least 14 days before the changes take effect. The updated policy will be posted at lumeairy.com/privacy with a new effective date.

For non-material changes (typo corrections, clarifications that don't affect how we handle data), we will update the policy and note the revision date without advance notice.

Your continued use of Lumeairy after the effective date of changes constitutes acceptance of the updated policy. If you disagree with any changes, you may cancel your service before they take effect.