Privacy Policy
Last updated: May 5, 2026
This Privacy Policy explains how Lume AI (“Lume,” “we,” “us,” or “our”) collects, uses, and shares information when you use getlumeai.com and the Lume AI service (the “Service”). We've written it in plain English. If anything is unclear, email us at legal@getlumeai.com and we'll explain.
1. Who we are and what we do
Lume AI is a SaaS marketing platform for small businesses, operated as a product of Svara Inc (svara-group.com) — a company incorporated in the State of New York. You give us your website URL; we audit your search engine visibility (SEO), your visibility in AI search engines like ChatGPT and Gemini (AEO), your social media presence, and your design — and we help you fix what's broken.
For purposes of EU and UK data protection law, Svara Inc is the data controller for personal information of our account holders (you, if you've signed up) and the data processor for content you upload or generate inside the Service.
Our address: 520 West 48th St Apt 1N, New York, NY 10019
Contact: legal@getlumeai.com
2. Information we collect
We collect three categories of information.
2.1 Information you give us directly
- Account information: name, email address, password (hashed), and authentication identifier from Google, GitHub, Facebook, or another OAuth provider if you sign in with one.
- Billing information: when you subscribe to Growth or Pro, our payment processor (Stripe) collects your payment method on our behalf. We never see or store your full card number — we receive only a Stripe customer ID, the last four digits of your card, the expiration date, and the country.
- Brand information: the website URL you submit, business name, contact details, and any other information you provide during onboarding or in your account settings.
- Content you create: social media posts, captions, images, and other content you generate using Lume's AI tools. You retain ownership of this content (see Section 8).
2.2 Information we collect automatically when you use the Service
- Usage data: pages visited, features used, audits run, fixes applied, and timestamps.
- Device & log data: IP address, browser type, operating system, referring URL, and pages viewed.
- Cookies and similar technologies: see Section 5.
2.3 Information from your connected services (with your permission)
When you connect a third-party service to Lume — Google Search Console, Google Analytics, Google Business Profile, Meta (Facebook/Instagram), GitHub, WordPress, Shopify, or others — we receive data from that service through OAuth. The specific data depends on which service you connect. See Section 4 for the per-integration breakdown.
2.4 Information we collect from your website
When you submit a URL for audit, we crawl publicly accessible pages on that website. We send the crawled content (HTML, meta tags, structured data) and the URL itself to our AI providers (see Section 4) to score it and generate recommendations. We do not crawl pages behind authentication or password walls.
3. How we use your information
We use the information we collect to:
- Deliver the Service — run audits, generate fix recommendations, create content, post on your behalf when you authorize us to.
- Operate your account — sign you in, process billing, send Service-related emails (audit-complete notifications, weekly briefs, billing receipts).
- Improve the Service — analyze aggregated and anonymized usage data to fix bugs, build new features, and prioritize roadmap.
- Communicate with you — respond to support requests; send product updates if you've opted in.
- Keep the Service secure — detect and prevent fraud, abuse, and security incidents.
- Comply with legal obligations — meet tax, accounting, and regulatory requirements.
4. How we share information
We share information only with the third parties listed below, and only as needed to deliver the Service.
4.1 Service providers (sub-processors)
| Sub-processor | What they do | Data shared |
|---|---|---|
| Vercel | Hosting and infrastructure (USA) | All Service data flows through Vercel servers |
| Supabase | Database and authentication storage (USA, us-west-2) | Account info, brand audit results, generated content |
| Stripe | Subscription billing (USA, EU) | Payment method, billing address, customer email |
| Google (Gemini API) | AI scoring and fix generation | Submitted URL + crawled page content |
| OpenAI | AI scoring (subset of audits) | Submitted URL + crawled page content |
| Anthropic | AI scoring fallback | Submitted URL + crawled page content |
| OpenRouter | AI provider routing for free-tier fallback | Submitted URL + crawled page content |
| Resend | Transactional email (planned) | Email address, name |
| Twilio | SMS for review request feature (Pro tier, planned) | Customer phone number you upload |
| BetterAuth | Authentication framework | Email, OAuth identifiers |
By design, sub-processors receive only the minimum data needed to perform their function. We select sub-processors that publish data-protection terms or DPAs consistent with our obligations to you, and we make those terms available on request.
We may update this list as we add or change vendors. Material changes will be reflected in the “Last updated” date at the top of this policy and, where required by applicable law, communicated in advance.
Data Processing Addendum. A standard Data Processing Addendum (DPA) compliant with GDPR Article 28 is available on request to legal@getlumeai.com for customers acting as data controllers of end-user data they process through the Service.
4.2 Third-party integrations you connect
When you connect a third-party service, we receive data from it through OAuth. Here's what we access and what we do with it:
| Integration | What we access | What we do |
|---|---|---|
| Google Search Console | Search impressions, clicks, query data, indexing status | Display in your dashboard; prioritize SEO fixes |
| Google Analytics (GA4) | Sessions, conversions, top pages, referrers | Display in your dashboard; attribute fixes to traffic changes |
| Google Business Profile | Listing details, reviews, posts, performance | Audit listing; auto-post on your behalf (Pro); draft review responses (Pro) |
| Meta (Facebook/Instagram) | Page info, post content, post analytics, ability to publish posts | Display in your dashboard; auto-post when you authorize a scheduled post |
| GitHub | Repository read/write access | Open pull requests with code fixes you approve |
| WordPress (planned) | Site read/write access | Apply schema and SEO fixes you approve |
| Shopify (planned) | Store + product catalog access | Pull product data; apply schema fixes you approve |
| Stripe Connect (planned, Pro) | Transaction data | Trigger review requests after recent purchases |
You can disconnect any integration at any time from /settings/integrations. Disconnecting revokes our OAuth token; we will cease receiving new data from that integration without undue delay and delete cached data within a reasonable period, subject to the backup-rotation cycles described in Section 7.
We comply with the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we do not use Google data for advertising; we do not transfer Google data except as necessary to provide your requested service or as required by law; and we do not allow humans to read Google data except with your consent or for security purposes.
4.3 Legal and safety
We may disclose information when we reasonably believe it's necessary to: comply with a law, regulation, subpoena, or court order; protect the safety of any person; investigate fraud or abuse; or enforce our Terms of Service.
4.4 Business transfers
If Lume AI is acquired, merges with another company, or sells substantially all of its assets, your information may be transferred as part of that transaction. The acquiring company will be bound by this Privacy Policy or one with equivalent protections.
5. Cookies and similar technologies
We use a small number of cookies. We don't run ad-tracking pixels.
- Essential cookies (required): session cookies for authentication. Without these, you cannot stay signed in.
- Stripe checkout cookies: active during the checkout flow only, set by Stripe to process your payment.
- Analytics: we use Vercel Analytics, which collects aggregated, anonymized usage data without setting third-party tracking cookies.
You can control cookies through your browser settings. Blocking essential cookies will prevent you from signing in.
6. Data security
Our security program includes, among other things:
- TLS encryption in transit
- Encryption at rest for sensitive fields (OAuth tokens, password hashes)
- Role-based access controls — only employees who need access for their job can access user data
- Regular security reviews and dependency scanning
- Audit logs for administrative access
No system is perfectly secure. If we experience a security incident affecting your data, we will notify you without undue delay and as required by applicable law. Notification timing is governed by applicable law and the risk profile of the incident; nothing in this Policy creates a contractual notification SLA beyond the statutory requirement.
7. Data retention
We keep your information for as long as you have an account, plus the time we need to meet our legal and contractual obligations.
- Account information: retained while your account is active. After you delete your account, your account information is queued for deletion and removed from active systems without undue delay (typically within approximately 60 days), with backup rotation completing thereafter. Some records may be retained longer to meet tax and accounting requirements (typically 7 years for billing records).
- Brand audit results and generated content: retained while your account is active; deleted on account deletion.
- OAuth tokens: retained while the integration is connected; deleted within 30 days of disconnect.
- Backups: automated database backups are retained for 30 days and then deleted.
You can request deletion of your account at any time — see Section 8.
8. Your privacy rights and choices
8.1 Everyone — your basic choices
- Access and update your information — sign in and visit /settings.
- Delete your account — sign in, visit /settings/account, and click “Delete account.” This permanently deletes your account and associated data, subject to the retention periods in Section 7.
- Export your data — email legal@getlumeai.com and we will provide a machine-readable export of your data within the timeframe required by applicable law.
- Opt out of marketing emails — every marketing email has an unsubscribe link. Service-related emails (billing, security, audit completion) cannot be unsubscribed while your account is active.
8.2 If you live in the European Economic Area, the United Kingdom, or Switzerland
You have the following rights under the GDPR or UK GDPR:
- Right of access — get a copy of your personal data
- Right to rectification — correct inaccurate data
- Right to erasure — delete your personal data
- Right to restrict processing — limit how we use your data
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — at any time, where consent is the legal basis
Legal bases for processing. We process your personal data on the following legal bases: (a) contract — to deliver the Service you've subscribed to; (b) legitimate interests — to operate, secure, and improve the Service; (c) consent — for marketing emails and optional integrations; (d) legal obligation — to meet tax and regulatory requirements.
International transfers. Lume's servers are in the United States. If you're in the EEA, UK, or Switzerland, we transfer your data to the US under the European Commission's Standard Contractual Clauses. For transfers from the United Kingdom, we rely on the UK International Data Transfer Addendum (IDTA) or the UK Addendum to the EU SCCs, as applicable. For transfers from Switzerland, we rely on the SCCs as recognized by the Swiss Federal Data Protection and Information Commissioner. You can request a copy from legal@getlumeai.com.
To exercise any right, email legal@getlumeai.com. We will respond within the timeframe required by applicable law (typically within 30 days). If you're not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.
8.3 If you live in California
You have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
- Right to know what personal information we collect, use, and share
- Right to delete your personal information
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of your personal information
- Right to limit the use of sensitive personal information
- Right to non-discrimination — we won't deny you service or charge you a different price for exercising your rights
Categories of personal information we collect. Identifiers (name, email, IP address); commercial information (subscription history); internet activity (usage data); geolocation (city/country level); inferences (audit results); customer records.
Sources — directly from you, automatically through your use of the Service, and from third-party services you connect.
Business purposes — delivering the Service, billing, security, support, product improvement.
Categories disclosed to third parties — to the sub-processors listed in Section 4.1.
Do Not Sell or Share My Personal Information. Lume AI does not sell personal information for monetary consideration. We use service providers (sub-processors) to deliver the Service, which under CCPA may be considered “sharing.” To opt out of any such sharing, email legal@getlumeai.com with the subject line “CCPA Opt-Out — Do Not Sell or Share.” Include the email address associated with your account. We will process your request within the timeframe required by California law.
You may also designate an authorized agent to make a request on your behalf. We'll require proof of authorization.
8.4 Other US states
If you live in Colorado, Connecticut, Delaware, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you have similar rights to know, delete, correct, and opt out of certain processing under your state's privacy law. Email legal@getlumeai.com to exercise any of these rights.
8.5 Other jurisdictions
If you reside in Australia, Brazil, Canada, India, Japan, Singapore, or another jurisdiction with applicable data-protection law, you may have rights to access, correct, delete, or port your personal information, and to lodge a complaint with your supervisory authority. Email legal@getlumeai.com to exercise any such right; we will respond within the timeframe required by applicable law.
9. Children's privacy
Lume AI is a B2B service for businesses and is not directed to children. We do not knowingly collect personal information from children under the age of 16 (or such other minimum age as applicable law may require in the user's jurisdiction). If you believe a child has provided us personal information, email legal@getlumeai.com and we will delete it.
10. Changes to this policy
We may update this Privacy Policy as the Service evolves. When we make material changes, we'll update the “Last updated” date at the top, and where required by law, notify you by email or a notice in the Service before the changes take effect. Continued use of the Service after changes take effect means you accept the updated policy.
11. Contact us
Questions, requests, or complaints — email us:
- General privacy questions: legal@getlumeai.com
- Data subject rights / CCPA / GDPR: legal@getlumeai.com
- Mailing address: 520 West 48th St Apt 1N, New York, NY 10019
Lume AI is a product of Svara Inc, incorporated in the State of New York.