Legal
Privacy Policy
Last updated: 5 June 2026
This Privacy Policy explains how Lumora Ltd ("Lumora", "we", "us") collects, uses, and protects your personal data when you use our Service at lumora.ai. We are committed to compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU GDPR).
1. Data Controller
Lumora Ltd
Registered in England and Wales, Company No. [TO BE FILED]
Registered address: [TO BE FILED], United Kingdom
Data protection contact: privacy@lumora.ai
2. Data We Collect
2.1 Data you provide
- Account data: name, email address, password (hashed)
- Payment data: billing name, country, last four digits of card (full card data is processed by our payment provider and never stored by us)
- Communications: messages you send to our support team
- User-generated content: text prompts and images you upload for processing
2.2 Data collected automatically
- Usage data: pages visited, features used, Credit balance and transaction history
- Technical data: IP address, browser type and version, device type, time zone
- Cookies and similar technologies: see our Cookie Policy
3. How We Use Your Data
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Create and manage your Account | Performance of contract (Art. 6(1)(b)) |
| Process Credit purchases and payments | Performance of contract (Art. 6(1)(b)) |
| Provide AI image generation service | Performance of contract (Art. 6(1)(b)) |
| Prevent fraud and abuse | Legitimate interests (Art. 6(1)(f)) |
| Comply with legal obligations (tax, AML) | Legal obligation (Art. 6(1)(c)) |
| Send transactional emails (receipts, security alerts) | Performance of contract (Art. 6(1)(b)) |
| Send marketing emails | Consent (Art. 6(1)(a)) — opt-in only |
| Improve our Service (analytics) | Legitimate interests (Art. 6(1)(f)) |
4. Sharing Your Data
We do not sell your personal data. We share data only as necessary with:
- Payment processors (e.g. Stripe, Checkout.com): to process transactions. They act as independent controllers for payment data.
- Cloud infrastructure providers (e.g. AWS, Google Cloud): hosting and storage under data processing agreements.
- AI model providers: prompts and images may be sent to third-party AI APIs to generate results. Refer to those providers' data policies for details.
- Legal and regulatory bodies: where required by law, court order, or to protect our legal rights.
5. International Data Transfers
Some of our service providers are located outside the UK/EEA. Where we transfer data internationally, we ensure appropriate safeguards are in place (UK International Data Transfer Agreements (IDTAs), EU Standard Contractual Clauses, or adequacy decisions).
6. Data Retention
- Account data: retained for the duration of your Account plus 3 years after closure.
- Payment and transaction records: 7 years (HMRC requirement).
- Support communications: 3 years.
- User-generated images and prompts: deleted within 30 days of processing unless you explicitly save them to your Account.
- Cookie/analytics data: 13 months maximum.
7. Your Rights
Under UK GDPR you have the right to:
- Access your personal data (Subject Access Request)
- Rectify inaccurate data
- Erase your data ("right to be forgotten") where no legal basis for retention exists
- Restrict processing
- Data portability — receive your data in a machine-readable format
- Object to processing based on legitimate interests
- Withdraw consent at any time (for marketing)
- Not be subject to solely automated decisions with significant effects
To exercise your rights, email privacy@lumora.ai. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk, 0303 123 1113.
8. Security
We implement appropriate technical and organisational measures including TLS encryption, hashed passwords, access controls, and regular security reviews. Despite these measures, no internet transmission is completely secure. In the event of a personal data breach, we will notify affected users and the ICO as required by law.
9. Children
The Service is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe a child has provided us with personal data, contact us immediately at privacy@lumora.ai.
10. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of significant changes by email or notice on the Service. The updated policy will be effective from the date of publication.
11. Contact
Email: privacy@lumora.ai
Post: Lumora Ltd, [TO BE FILED], United Kingdom