Privacy Policy
Last updated: March 11, 2026
1. Data Controller
The data controller responsible for your personal data is Luminir LLC, a limited liability company registered in England and Wales. For all matters relating to the processing of your personal data, you may contact our Data Protection Officer at dpo@luminir.io.
- Data Controller: Luminir LLC
- Registered address: London, United Kingdom
- Data Protection Officer: dpo@luminir.io
- UK Supervisory Authority: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom (www.ico.org.uk)
- EU Representative (Art. 27 GDPR): For EU data subjects, our EU representative can be contacted at eu-representative@luminir.io
2. Introduction
Luminir LLC ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our phishing detection service, in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws including the EU GDPR (where we process data of EU residents), the California Consumer Privacy Act (CCPA), and the Australian Privacy Act 1988. Please read this policy carefully to understand our practices regarding your personal data.
3. Information We Collect
We collect the following types of information:
Account Information
- Email address (required for account creation)
- Full name (optional)
- Password (we store only a hash produced with industry-standard hashing, never the password itself)
- Preferred language settings
Phone Number
- Mobile phone number (when you opt in to SMS notifications)
- SMS consent status and timestamp
- Verification status
Submitted Content
- Emails forwarded for analysis
- SMS messages submitted for analysis
- Sender information from submitted messages
- URLs and attachments contained in submitted messages
Usage Data
- Analysis history and results
- Feature usage patterns
- Device and browser information
- IP address and approximate location (derived from IP address, not device GPS)
4. How We Use Your Information
We use your information for the following purposes:
- Provide and maintain our phishing detection service
- Analyze submitted messages and generate threat assessments
- Send you analysis results via email or SMS
- Communicate with you about your account and service updates
- Prevent fraud and ensure service security
- Comply with legal obligations
Important: Your personal data and submitted messages are NEVER used to train AI models. Submitted content is analyzed in real time and anonymized immediately afterwards; we do not store or use your private communications for any machine learning purpose.
5. SMS Communications
When you provide your phone number and consent to receive SMS messages:
- We will send you analysis results for messages you submit
- Message frequency varies based on your usage
- You can opt out at any time by replying STOP
- Your phone number will not be shared with third parties for marketing purposes
Important: SMS opt-in data and consent will not be shared with any third parties.
6. Legal Basis for Processing
We process your personal data on the following legal bases under the UK GDPR and, where applicable, the EU GDPR:
- Contract (Art. 6(1)(b)): Processing necessary to provide our services to you
- Consent (Art. 6(1)(a)): When you opt in to SMS notifications or marketing communications
- Legitimate Interest (Art. 6(1)(f)): To improve our services, ensure security, and prevent fraud. We have conducted a Legitimate Interest Assessment to balance our interests against your rights
- Legal Obligation (Art. 6(1)(c)): When required by applicable UK, EU, or other laws
7. Data Sharing and Disclosure
We do not sell your personal information. We may share data with:
- Service providers who assist in operating our service (under Data Processing Agreements compliant with UK GDPR Article 28)
- Cloud infrastructure providers (AWS, based in the US) for hosting and data storage
- Payment processors (Stripe) for subscription management
- Law enforcement when required by law or to protect our rights
- Our EU Representative for handling EU data subject requests
The above does not apply to SMS (text messaging) opt-in data and consent; that information will not be shared with any third parties.
8. Data Security
We implement appropriate technical and organisational security measures to protect your information, in accordance with UK GDPR Article 32:
- All data is encrypted in transit using TLS 1.3
- Data at rest is encrypted using AES-256
- We host on AWS infrastructure, which is covered by AWS's SOC 2 attestation
- Access to personal data is restricted to authorized personnel only
- We conduct regular security audits and penetration testing
- Multi-factor authentication is available for account protection
9. Data Retention
We retain your data for as long as your account is active or as needed to provide services:
- Account data: Retained until account deletion
- Analysis history: Retained based on your subscription plan (7 days to 1 year)
- Submitted content: Immediately anonymized after analysis - original content is NOT stored
- SMS consent records: Retained for compliance purposes
- Cookie consent preference: Stored locally in your browser
You can delete your account at any time from Settings > Danger zone > Delete my account. Upon deletion:
- all personal data (name, email, preferences) is permanently erased
- your authentication account is deleted
- records in your analysis history are anonymized (sender information removed)
Truly anonymized data (from which you cannot be re-identified) may be retained for statistical and service improvement purposes. This process is irreversible.
We do NOT retain your emails, SMS, or any personal content for AI training purposes. Your private data remains private.
10. Your Rights
Depending on your location, you have the following data protection rights:
- Right to Access: Request a copy of your personal data (UK/EU GDPR Art. 15, CCPA, Australian Privacy Principle 12)
- Right to Rectification: Correct inaccurate or incomplete data (UK/EU GDPR Art. 16)
- Right to Erasure: Request deletion of your personal data (UK/EU GDPR Art. 17)
- Right to Restrict Processing: Limit how we use your data (UK/EU GDPR Art. 18)
- Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format such as JSON (UK/EU GDPR Art. 20)
- Right to Object: Object to processing based on legitimate interests (UK/EU GDPR Art. 21)
- Right to Withdraw Consent: Withdraw consent at any time (UK/EU GDPR Art. 7(3))
- Right to Lodge a Complaint: You have the right to lodge a complaint with the ICO (UK), your local EU supervisory authority, or the Office of the Australian Information Commissioner (OAIC), as applicable
- California Residents: Under the CCPA, you have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information. To exercise your CCPA rights, contact privacy@luminir.io
To exercise these rights, contact us at privacy@luminir.io. We will respond within one month (UK/EU GDPR) or as required by applicable law.
11. Automated Decision-Making and Profiling
In accordance with UK GDPR Article 22 and EU GDPR Article 22:
- Luminir uses automated processing to analyze messages and generate threat assessments (verdicts of safe, suspicious, or dangerous)
- These automated assessments are advisory only and do not produce legal effects or similarly significantly affect you
- The system may profile sender behavior patterns for threat detection purposes (for example, identifying first-time senders or anomalies in sending frequency). This profiling is conducted under our legitimate interest in providing effective security analysis
- You have the right to request human review of any automated assessment by contacting support@luminir.io
- You may contact us to obtain meaningful information about the logic involved in automated decision-making
- Confidence scores (0-100) indicate how strongly the system supports its verdict; they are not a guarantee that the verdict is correct
12. Data Breach Notification
In accordance with UK GDPR Articles 33 and 34, and EU GDPR Articles 33 and 34 (where applicable), in the event of a personal data breach that is likely to result in a risk to your rights and freedoms:
- We will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
- Where applicable, we will also notify relevant EU supervisory authorities and the OAIC (for Australian users)
- If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay
- Notification will include the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to address the breach
- We maintain a breach register documenting all personal data breaches, their effects, and remedial actions taken
13. Cookies and Tracking
We use cookies and similar technologies in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR) and, for EU users, the ePrivacy Directive. When you first visit Luminir, a cookie consent banner allows you to accept or reject optional cookies:
- Essential cookies: Required for the service to function (authentication, security). These cannot be disabled.
- Preference cookies: To remember your settings (language, theme)
- Analytics cookies: To understand how you use our service (only with your consent)
You can change your cookie preferences at any time through your browser settings or by clearing your browser's local storage, which resets your choice. Your choice is stored locally and respected across sessions.
14. International Data Transfers
Your data is primarily processed in the United States (AWS us-east-1 region). As Luminir LLC is based in the United Kingdom, transfers from the UK are governed by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as approved by the ICO. For EU data subjects, transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission (June 2021 version). For Australian users, we comply with Australian Privacy Principle 8 regarding cross-border disclosure of personal information. We have conducted Transfer Impact Assessments to ensure adequate protection of your data.
15. Children's Privacy
Our Service is not intended for children under 13 years of age (or under 16 in jurisdictions where the minimum age for data processing consent is 16). We do not knowingly collect personal information from children below the applicable age threshold. If you believe we have collected data from a child, please contact us immediately at privacy@luminir.io.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the "Last updated" date. For material changes, we will also provide at least thirty (30) days' prior notice by email. We encourage you to review this policy periodically.
17. Contact Us
For questions about this Privacy Policy or to exercise your rights, contact us at:
Privacy inquiries: privacy@luminir.io
General support: support@luminir.io
Data Protection Officer: dpo@luminir.io
Luminir LLC - London, United Kingdom
EU Representative: eu-representative@luminir.io