Privacy Policy

Effective date: 21 April 2026.  Last updated: 21 April 2026

1. About this policy

This Privacy Policy explains how Lumai Limited ("Lumai", "we", "us", "our") collects and uses personal data when you use lumai.ai (the "Website"), contact us, or otherwise interact with us.

We handle your personal data in accordance with UK data protection laws, including the UK GDPR, Data Protection Act 2018, and PECR.

2. Who we are

Lumai Limited is the data controller.

Address: Wood Centre for Innovation, Quarry Road, Oxford, OX3 8SB, United Kingdom Company number: 13772989 Email: privacy@lumai.ai

3. The data we collect

We collect the following types of personal data:

Website usage data

When you visit our Website, we may collect technical information such as your IP address (with IP anonymisation enabled), browser type, device, pages visited, and time of access.

We use this to operate, secure, and improve the Website. We rely on our legitimate interests in maintaining a functional and secure website. Analytics cookies (Google Analytics 4, PostHog) are used only with your consent.

Sales and marketing contacts

If you contact us, request a demo, sign up for updates, or interact with us (e.g. via LinkedIn or at events), we collect details such as your name, work email, job title, company, and any information you choose to share.

We use this to:

  • respond to enquiries
  • manage our sales pipeline
  • send relevant updates and invitations
  • understand engagement with our content

We rely on legitimate interests for B2B communications and consent where required (e.g. for cookies or certain electronic marketing). If you are a sole trader or partnership, we rely on consent or the soft opt-in where permitted under PECR.

Business relationships and communications

If you are an investor, partner, supplier, or otherwise communicate with us, we process your contact details and correspondence to manage that relationship. We rely on our legitimate interests in managing our business relationships, and on contract where processing is necessary to fulfil an agreement with you. 

Legal and compliance purposes

We may process personal data where necessary to comply with a legal obligation, or to establish, exercise, or defend legal claims. We rely on our legal obligation as the lawful basis for compliance purposes, and on our legitimate interests in protecting and defending our legal position where relevant.

Job applicants

If you apply for a role, your data is handled under our separate Candidate Privacy Notice.

We do not knowingly collect sensitive personal data. If you do share sensitive personal data with us, we will handle it with appropriate care, but we ask that you do not submit it unless specifically requested.

4. How we use your data

We use personal data to:

  • run and improve our Website
  • respond to enquiries and provide information
  • manage sales, marketing, and business relationships
  • organise meetings, demos, and events
  • comply with legal obligations
  • protect our business and users

5. Marketing

We may send marketing emails to business contacts under PECR's rules for corporate bodies.

You can opt out at any time using the unsubscribe link in our emails or by contacting us.

6. Cookies

We use:

  • strictly necessary cookies (for core functionality)
  • analytics cookies (Google Analytics 4, PostHog)
  • marketing cookies (HubSpot) to support our sales and marketing activities

Analytics and marketing cookies are only set with your consent.

For full details, see our Cookie Policy. You can change your preferences at any time via the "Cookie settings" link on our Website.

7. Sharing your data

We share personal data with trusted service providers, including:

  • We share personal data with trusted service providers, including:
  • HubSpot (CRM and communications)
  • Google (analytics)
  • PostHog (analytics and session recording)
  • Email and productivity providers (e.g. Google Workspace or Microsoft 365)
  • Hosting and infrastructure providers

We may also share data with:

  • professional advisers
  • investors (under confidentiality)
  • authorities where required by law
  • a buyer or successor in the event of a business transaction

We do not sell your personal data.

8. International transfers

Some of our providers are based outside the UK (including in the US).

Where this happens, we use appropriate safeguards under UK data protection law, such as the UK Extension to the EU-US Data Privacy Framework, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses.

9. Data retention

We keep personal data only as long as needed. In general:

  • analytics data: up to 2 years
  • sales/marketing contacts: while relevant, and typically up to 3 years after last interaction
  • communications: up to 3 years
  • contractual records: up to 10 years

We may retain data longer if required by law or to resolve disputes.

10. Your rights

You have the right to:

  • access your data
  • correct inaccurate data
  • request deletion
  • restrict or object to processing (including marketing)
  • receive a copy of your data
  • withdraw consent at any time

To exercise your rights, contact privacy@lumai.ai.

You can also complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

11. Security

We take appropriate measures to protect personal data, but no system is completely secure.

12. Third-party links

Our Website may link to other sites. We are not responsible for their privacy practices.

13. Children

Our Website is not intended for children under 16, and we do not knowingly collect their data.

14. Changes to this policy

We may update this policy from time to time. The latest version will always be available on our Website.

15. Contact

If you have any questions:

Email: privacy@lumai.ai

Post: Lumai Limited Wood Centre for Innovation, Quarry Road, Oxford, OX3 8SB, United Kingdom.