lumen

Privacy Policy

Effective date: 19 April 2026

This policy explains how Robert Watkiss, trading as Lumen (“Lumen”, “we”, “us”), handles personal data when you use the Lumen service (the “Service”). We collect only what we need to provide the Service, and we never sell personal data.

1. Who we are

Lumen is operated by Robert Watkiss, a sole trader established in the United Kingdom. You can contact us at support@asklumen.ai.

For UK and EU data protection law purposes:

  • we act as the controller of account and usage data about individual users (for example, your name, email, and login events);
  • we act as a processor of content your organisation submits to the Service (“Customer Content”); your organisation is the controller of that content and its separate agreement with us includes a data processing addendum.

2. Personal data we process

Account data

  • Email address, display name, and profile image (obtained from Google when you sign in with your Google account).
  • Organisation membership and role.
  • Authentication session data, stored as a signed JWT in a secure, HTTP-only cookie.

Usage and content data

  • Conversations, messages, prompts, AI responses, and associated metadata (such as model used, token counts, and cost).
  • Files you upload, stored in Cloudflare R2.
  • Feedback you submit on individual AI messages (thumbs up/down).
  • An audit log of operations performed through the Service, retained for security and accountability.

Integration data

  • Access tokens and API keys that you or your organisation connect for third-party integrations. These credentials are encrypted at rest.
  • Data retrieved from connected third-party services in response to your queries, to the extent we process it to generate a response.

Operational data

  • Server logs containing structured events about Service operation. These do not include IP addresses or user-agent strings.
  • Error reports (including stack traces), optionally forwarded to Sentry with a hashed user identifier. We do not send your email or name to Sentry.

Communications

  • Messages you send via the in-product feedback form, delivered to us by email through Cloudflare Email Routing.

We do not set advertising cookies, analytics cookies, or cross-site tracking cookies.

3. How we use personal data

We process personal data for the following purposes:

Purpose | Legal basis (UK GDPR Art. 6)
Providing and operating the Service | Performance of a contract
Authenticating and authorising users | Performance of a contract; legitimate interests (security)
Generating AI responses by routing prompts to model providers | Performance of a contract
Detecting, preventing, and responding to abuse, security incidents, and misuse | Legitimate interests (security, integrity of the Service)
Maintaining an audit log of operations performed through the Service | Legitimate interests (accountability, security)
Invoicing and commercial administration | Performance of a contract; legal obligation
Responding to support requests and feedback | Performance of a contract; legitimate interests
Complying with legal obligations | Legal obligation

We do not use Customer Content to train foundation models, and we do not sell personal data.

4. Subprocessors

Lumen uses the following third parties to operate the Service. Each is bound by a written contract that requires appropriate protection of personal data.

Subprocessor | Purpose | Location
Cloudflare, Inc. | Application hosting (Workers), database (D1), object storage (R2), email routing, AI Gateway | USA / global edge
Anthropic PBC | Large language model inference (Claude) | USA
Google LLC | Authentication (Google OAuth sign-in) | USA
Functional Software, Inc. (Sentry) | Error telemetry (optional, used when enabled) | USA

Where your organisation enables them, the Service can also forward data to org-scoped integrations you choose to connect (including Slack, Shopify, GitHub, Amplitude, BigQuery, Axiom, Vercel, Cursor, and Tavily). Those services operate under their own terms and privacy policies and act as independent controllers or processors for the data you send to them.

5. International transfers

Several of our subprocessors are located outside the United Kingdom. Where personal data is transferred outside the UK, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses or on another valid transfer mechanism (such as the EU–US Data Privacy Framework, where applicable).

6. Retention

  • Conversations, messages, and uploaded files: retained for the lifetime of your account, or until your organisation deletes them or terminates the Service. Deleted on request.
  • Audit log: retained for up to 12 months for security and accountability purposes.
  • Operational logs and error telemetry: retained by our log processor for up to 30 days.
  • Account data: retained while your account is active, and deleted within 30 days of account deletion, except where we must retain it to comply with legal obligations.
  • Backups: may persist for a short period beyond deletion before being overwritten on their normal rotation.

7. Security

We use industry-standard security measures, including TLS in transit, encryption of integration credentials at rest, scoped access controls, authenticated API endpoints, and per-organisation data isolation. No service can guarantee absolute security; please let us know promptly if you discover a vulnerability or suspect an incident.

8. Your rights

If you are in the UK or EEA, UK GDPR and EU GDPR give you the following rights:

  • access to your personal data;
  • rectification of inaccurate personal data;
  • erasure (“right to be forgotten”);
  • restriction of processing;
  • data portability;
  • objection to processing;
  • withdrawal of consent where processing is based on consent (without affecting the lawfulness of processing before withdrawal).

Where Lumen acts as a processor on behalf of your organisation, please direct requests to your organisation’s administrator, who controls that data. We will support your organisation in responding.

To exercise a right, or to request deletion of your data, email support@asklumen.ai. We aim to respond within one month.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk).

9. Cookies

We use a single strictly-necessary cookie: a secure, HTTP-only session cookie used to keep you signed in. It expires after 30 days or when you sign out. We do not use advertising, analytics, or cross-site tracking cookies, so no consent banner is required.

10. Children

The Service is not intended for anyone under 18, and we do not knowingly collect personal data from children.

11. Changes to this policy

We may update this policy from time to time. Material changes will be notified to your organisation’s administrator. The “Effective date” at the top indicates when the policy was last revised.

12. Contact

Robert Watkiss
Email: support@asklumen.ai