Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

When you contact us, request a proposal, complete a form, or engage our services, we may collect the following categories of personal information:

• Identity data: first name, last name, job title, company name.
• Contact data: email address, phone number, mailing address.
• Business data: website URL, industry, monthly ad spend, marketing goals, and other information you voluntarily share in intake forms or strategy calls.
• Financial data: billing name, billing address, and payment method details processed securely through our third-party payment processor (Stripe). We do not store raw card numbers.
• Communications: emails, chat messages, and any content you send to us.

1.2 Information Collected Automatically

When you visit our website, we and our service partners automatically collect certain technical data, including:

• Usage data: pages visited, time spent, links clicked, referring URLs, and navigation paths.
• Device data: IP address, browser type and version, operating system, screen resolution, and device identifiers.
• Cookie data: session cookies, persistent cookies, and similar tracking technologies. See our Cookie Policy for details.
• Analytics data: aggregated behavioral data collected via Google Analytics 4, including bounce rate, session duration, and conversion events.

1.3 Information from Third Parties

We may receive information about you from third-party sources such as LinkedIn Lead Gen Forms, Google Ads lead extensions, referral partners, and public business directories, which we combine with information we hold about you to improve service quality and marketing relevance.

2. How We Use Your Information

We use the personal information we collect for the following purposes:

• Service delivery: to onboard you as a client, execute campaigns, generate reports, and fulfill contractual obligations.
• Communication: to respond to inquiries, send proposals, schedule discovery calls, and provide project updates.
• Marketing: to send you information about our services, case studies, and industry insights where you have given consent or where we have a legitimate interest. You may opt out at any time.
• Analytics and improvement: to understand how our website and services are used and to improve their performance, content, and user experience.
• Legal compliance: to comply with applicable laws, regulations, and court orders, including Texas state law and federal requirements.
• Fraud prevention and security: to protect our business and users from fraudulent activity and unauthorized access.

3. Legal Basis for Processing

Where applicable under US privacy frameworks, we process your personal data on the following legal bases:

• Contract performance: processing necessary to deliver services you have engaged us to provide.
• Legitimate interests: improving our services, marketing to prospective clients, and maintaining website security, where these interests are not overridden by your rights.
• Consent: for marketing emails, non-essential cookies, and certain analytics. You may withdraw consent at any time.
• Legal obligation: complying with applicable laws, tax requirements, and regulatory obligations.

4. California Consumer Privacy Act (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: you may request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months, the sources of that information, our business purpose for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: you may request deletion of personal information we have collected from you, subject to certain exceptions (e.g., information needed to complete a transaction or comply with a legal obligation).
• Right to Correct: you may request correction of inaccurate personal information we maintain about you.
• Right to Opt Out of Sale/Sharing: Lumo does not sell your personal information. We do not share personal information for cross-context behavioral advertising purposes without your consent.
• Right to Non-Discrimination: we will not discriminate against you for exercising your CCPA rights.

To exercise your California privacy rights, contact us at hello@lumoaiagency.com with the subject line "CCPA Privacy Request." We will respond within 45 days. We may need to verify your identity before fulfilling your request.

5. Sharing of Personal Information

We do not sell your personal information. We may share your information with:

• Service providers: third-party vendors who process data on our behalf, including cloud hosting (Vercel, AWS), analytics (Google Analytics), CRM (HubSpot), email marketing (Mailchimp), and payment processing (Stripe). These parties are contractually bound to use your data only as directed by us.
• Advertising platforms: when you are an active client, we may share anonymized audience data with Google Ads and Meta Ads to optimize campaign targeting. This data is processed under their respective data processing agreements.
• Legal and regulatory bodies: when required by law, subpoena, court order, or to protect the rights and safety of Lumo, our clients, or the public.
• Business transfers: in connection with a merger, acquisition, or sale of all or part of our business, in which case your information may be transferred as a business asset.

6. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this policy, to comply with legal obligations, resolve disputes, and enforce agreements. Specifically:

• Client account and billing records: 7 years from the end of the client relationship (for tax and legal compliance).
• Marketing contact records: until you unsubscribe or request deletion.
• Website analytics data: up to 26 months in Google Analytics (standard retention setting).
• Cookie data: see our Cookie Policy for individual retention periods.

7. Data Security

We implement industry-standard technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• TLS/HTTPS encryption for all data in transit.
• Encrypted storage for sensitive data at rest.
• Role-based access controls limiting data access to authorized personnel only.
• Regular security assessments and vulnerability scanning.
• Two-factor authentication on all internal systems containing personal data.

No method of electronic transmission or storage is 100% secure. If we become aware of a breach that materially affects your personal information, we will notify you as required by applicable law.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to operate our website, analyze usage, and deliver relevant advertising. For a full description of the cookies we use, their purpose, and how to manage your preferences, please see our Cookie Policy.

9. Third-Party Links

Our website may contain links to third-party websites, social media platforms, and partner resources. These sites have their own privacy policies. We are not responsible for the content or privacy practices of external sites and encourage you to review their policies independently.

10. Children's Privacy

Our website and services are directed to business professionals and are not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, please contact us immediately and we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the "Last Updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of our website or services following any changes constitutes your acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: