Privacy Policy

Effective date: 21 April 2026

This policy explains how Robert Watkiss, trading as Lumen (“Lumen”, “we”, “us”), handles personal data when you use the Lumen service (the “Service”). We collect only what we need to provide the Service, and we never sell personal data.

1. Who we are

Lumen is operated by Robert Watkiss, a sole trader established in the United Kingdom. You can contact us at [email protected].

For UK and EU data protection law purposes:

  • we act as the controller of account and usage data about individual users (for example, your name, email, and login events);
  • we act as a processor of content your organisation submits to the Service (“Customer Content”); your organisation is the controller of that content, and its separate agreement with us includes a data processing addendum.

2. Personal data we process

Account data

  • Email address, display name, and profile image (obtained from Google when you sign in with your Google account).
  • Organisation membership and role.
  • Authentication session data, stored as a signed JWT in a secure, HTTP-only cookie.

Usage and content data

  • Conversations, messages, prompts, AI responses, and associated metadata (such as model used, token counts, and cost).
  • Files you upload, stored in Cloudflare R2.
  • Feedback you submit on individual AI messages (thumbs up/down).
  • An audit log of operations performed through the Service, retained for security and accountability.

Integration data

  • Access tokens and API keys that you or your organisation connect for third-party integrations. These credentials are encrypted at rest.
  • Data retrieved from connected third-party services in response to your queries, to the extent we process it to generate a response.

Operational data

  • Server logs containing structured events about Service operation. These do not include IP addresses or user-agent strings.
  • Error reports (including stack traces), optionally forwarded to Sentry with a hashed user identifier. We do not send your email or name to Sentry.

Communications

  • Messages you send via the in-product feedback form, delivered to us by email through Cloudflare Email Routing.

We do not set advertising cookies, analytics cookies, or cross-site tracking cookies.

3. How we use personal data

We process personal data for the following purposes:

Purpose                                                                        | Legal basis (UK GDPR Art. 6)
Providing and operating the Service                                            | Performance of a contract
Authenticating and authorising users                                           | Performance of a contract; legitimate interests (security)
Generating AI responses by routing prompts to model providers                  | Performance of a contract
Detecting, preventing, and responding to abuse, security incidents, and misuse | Legitimate interests (security, integrity of the Service)
Maintaining an audit log of operations performed through the Service           | Legitimate interests (accountability, security)
Invoicing and commercial administration                                        | Performance of a contract; legal obligation
Responding to support requests and feedback                                    | Performance of a contract; legitimate interests
Complying with legal obligations                                               | Legal obligation

We do not use Customer Content to train foundation models, and we do not sell personal data.

4. Subprocessors

Lumen uses the following third parties to operate the Service. Each is bound by a written contract that requires appropriate protection of personal data.

Subprocessor                       | Purpose                                                                                      | Location
Cloudflare, Inc.                   | Application hosting (Workers), database (D1), object storage (R2), email routing, AI Gateway | USA / global edge
Anthropic PBC                      | Large language model inference (Claude)                                                      | USA
Google LLC                         | Authentication (Google OAuth sign-in)                                                        | USA
Functional Software, Inc. (Sentry) | Error telemetry (optional, used when enabled)                                                | USA

Where your organisation enables them, the Service can also forward data to org-scoped integrations you choose to connect (including Slack, Shopify, GitHub, Amplitude, BigQuery, Axiom, Vercel, Cursor, and Tavily). Those services operate under their own terms and privacy policies and act as independent controllers or processors for the data you send to them.

5. Shopify app — additional disclosures

The Lumen Shopify app is a separate subscription-billing surface from the general Lumen Service. If your organisation installs it from the Shopify App Store, the following additional processing applies. This section is intended to satisfy Shopify’s App Store privacy requirements and is in addition to, not in place of, the rest of this policy.

5.1 Data we receive from Shopify

  • Shop identifier. Your shop’s *.myshopify.com domain. Stored in D1 under organizations.billing_subject_ref as the join key between your Lumen workspace and your Shopify subscription.
  • Offline access token. A long-lived token issued by Shopify during OAuth install that authorises the Lumen app to call billing mutations on your shop. Stored encrypted at rest using AES-256-GCM; never written to logs. We use it only to issue appSubscriptionCreate, appUsageRecordCreate, appSubscriptionLineItemUpdate, and appSubscriptionCancel, the minimum billing surface.
  • Shopify user id. The sub claim on App Bridge session tokens, used only for audit-log attribution when an embedded user takes a billing action (e.g. switching plans).
  • Subscription status events. We receive webhooks on APP_SUBSCRIPTIONS_UPDATE and the three mandatory GDPR topics (see 5.4 below). Bodies are HMAC-verified before processing.

The Lumen Shopify app requests the minimum OAuth scope Shopify requires to authorise an install — currently read_products. We do not access storefront order, customer, or fulfilment data via the Shopify app surface. (A separate, optional Shopify integration — configured per organisation in Settings → Integrations — does request broader read scopes for in-product analysis; it is not covered by this section.)

5.2 Usage data reported to Shopify

When an active Shopify subscription exists, Lumen reports a single daily aggregate usage amount to Shopify via appUsageRecordCreate. Each record carries the organisation identifier and the date as an idempotency key; no conversation content, prompts, file contents, or personal data about your customers is transmitted. Shopify receives only the dollar amount of metered usage (above the included-usage bundle) for the subscription cycle.

5.3 Retention of Shopify billing records

billing_subscriptions rows and billing_usage_events rows are retained beyond the life of your Shopify subscription because UK and EU tax and commercial law require us to keep invoice-supporting records for six years. After the shop/redact webhook completes (see 5.4), the shop access token and other Shopify-specific metadata on those rows are cleared; the reported amount columns are retained for accounting.

5.4 Mandatory Shopify GDPR webhooks

Lumen implements Shopify’s three required webhook topics:

  • customers/data_request — Lumen does not store personal data about your customers (Lumen is an internal-facing analytics tool for merchants, not a shopper-facing feature), so we respond to this webhook with an empty data bundle and a timestamped audit log.
  • customers/redact — No-op with an audit log entry for the same reason.
  • shop/redact — When Shopify fires this webhook (typically ~48 hours after a shop uninstalls Lumen), we run a three-step freeze → flush → purge pipeline:
    1. Mark the associated organisation frozen so it can’t start new turns.
    2. Synchronously flush any pending usage events to Shopify so no billable usage is lost silently.
    3. Schedule a 48-hour delayed purge. When the alarm fires we verify no pending usage events remain for the organisation and then clear the shop access token and Shopify metadata from billing_subscriptions.

5.5 Embedded app surface

Lumen’s embedded pages (e.g. the plan picker in the Shopify Admin) authenticate every request with a short-lived App Bridge session token (~1 minute expiry), HS256-signed by Shopify with the app’s client secret. The token is verified server-side on every call; unauthenticated requests are rejected with HTTP 401 and the App Bridge client automatically refreshes.

6. International transfers

Several of our subprocessors are located outside the United Kingdom. Where personal data is transferred outside the UK, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses or on another valid transfer mechanism (such as the EU–US Data Privacy Framework, where applicable).

7. Retention

  • Conversations, messages, and uploaded files: retained for the lifetime of your account, or until your organisation deletes them or terminates the Service. Deleted on request.
  • Audit log: retained for up to 12 months for security and accountability purposes.
  • Operational logs and error telemetry: retained by our log processor for up to 30 days.
  • Account data: retained while your account is active, and deleted within 30 days of account deletion, except where we must retain it to comply with legal obligations.
  • Backups: may persist for a short period beyond deletion before being overwritten on their normal rotation.

8. Security

We use industry-standard security measures, including TLS in transit, encryption of integration credentials at rest, scoped access controls, authenticated API endpoints, and per-organisation data isolation. No service can guarantee absolute security; please let us know promptly if you discover a vulnerability or suspect an incident.

9. Your rights

If you are in the UK or EEA, UK GDPR and EU GDPR give you the following rights:

  • access to your personal data;
  • rectification of inaccurate personal data;
  • erasure (“right to be forgotten”);
  • restriction of processing;
  • data portability;
  • objection to processing;
  • withdrawal of consent where processing is based on consent (without affecting the lawfulness of processing before withdrawal).

Where Lumen acts as a processor on behalf of your organisation, please direct requests to your organisation’s administrator, who controls that data. We will support your organisation in responding.

To exercise a right, or to request deletion of your data, email [email protected]. We aim to respond within one month.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk).

10. Cookies

We use a single strictly-necessary cookie: a secure, HTTP-only session cookie used to keep you signed in. It expires after 30 days or when you sign out. We do not use advertising, analytics, or cross-site tracking cookies, so no consent banner is required.

11. Children

The Service is not intended for anyone under 18, and we do not knowingly collect personal data from children.

12. Changes to this policy

We may update this policy from time to time. Material changes will be notified to your organisation’s administrator. The “Effective date” at the top indicates when the policy was last revised.

13. Contact

Robert Watkiss
Email: [email protected]