This Privacy and Data Notice explains how Luma Security ("Luma," "we," "us," or "our") collects, uses, shares, and protects information when you visit our website, interact with us, or use our products and services.
This Notice is intended to describe our public website and service-related data practices at a practical level. Additional terms may apply under a customer agreement, data processing agreement, order form, security addendum, or other written agreement.
1. Information We Collect
We may collect the following categories of information:
1.1 Website and Contact Information
When you visit our website, request a demo, contact us, subscribe to updates, or communicate with us, we may collect information such as name, business email, company name, role, phone number, message content, IP address, browser information, device information, pages viewed, referral source, and interaction data.
1.2 Account and Administrative Information
When a Customer or User creates an account, joins a trial, configures integrations, or uses the Service, we may collect account identifiers, login information, organization details, user roles, permissions, preferences, support requests, billing-related information, and administrative activity.
1.3 Customer-Authorized Collaboration and Security Data
Depending on the Customer's configuration and enabled integrations, the Service may process customer-authorized collaboration data, communication artifacts, metadata, behavioral signals, security events, and related technical information to provide detection, investigation, risk analysis, and response capabilities.
This may include messages, links, files, attachments, sender and recipient information, user-reported items, access events, application activity, identity-related signals, endpoint or browser-related signals, third-party alerts, and other related artifacts made available to the Service.
1.4 Service Usage and Operational Data
We may collect information about how the Service is configured, accessed, and used, including logs, telemetry, feature usage, performance metrics, error reports, workflow events, integration status, analysis requests, system outputs, and security audit information.
1.5 Third-Party Information
We may receive information from third-party platforms and services connected by a Customer, such as collaboration platforms, communication platforms, cloud providers, identity providers, security tools, threat intelligence sources, AI providers, and other integrations authorized by the Customer.
2. How We Use Information
We use information to:
- Provide, operate, maintain, secure, and improve the Service.
- Analyze customer-authorized artifacts, metadata, signals, and events.
- Generate detection, investigation, risk analysis, response recommendations, explanations, reports, and other outputs.
- Support Customer configuration, integrations, workflows, and authorized response actions.
- Troubleshoot issues, prevent abuse, monitor performance, and protect the Service.
- Communicate with Customers and Users about the Service.
- Provide support, onboarding, demos, trials, and product updates.
- Comply with legal, contractual, security, and operational obligations.
- Develop and improve Luma's products, subject to applicable agreements, legal requirements, and the model training limitations described in this Notice.
3. Proprietary and Security-Sensitive Methods
The specific data sources, analysis methods, signals, models, workflows, infrastructure, and decisioning logic used by the Service may vary by configuration, integration, and product capability.
To protect the integrity and security of the Service, Luma may withhold or limit disclosure of certain technical details, internal signals, detection logic, confidence scoring, models, prompts, workflows, infrastructure, or operational methods.
4. AI-Assisted Processing
The Service may use automated, heuristic, statistical, machine learning, artificial intelligence, enrichment, correlation, and other technical methods to provide detection, investigation, risk analysis, and response capabilities.
AI-assisted outputs may be inaccurate or incomplete, or may require review. Customers are responsible for determining how to use outputs and whether to approve, automate, or apply recommended response actions.
Unless expressly authorized by the Customer in a written agreement, Luma does not use Customer Data to train general-purpose AI models or third-party foundation models. This does not prevent Luma from using aggregated, anonymized, or de-identified operational information to maintain, secure, analyze, or improve the Service, provided that such information does not identify the Customer or any individual.
5. Customer Responsibility
Customers are responsible for determining which integrations to enable, which data to make available to the Service, which Users may access the Service, which permissions are granted, which response actions are authorized, and whether any notices, consents, approvals, or legal bases are required for their use of the Service.
Where Luma processes Customer Data on behalf of a Customer, the Customer is responsible for ensuring that it has the right to provide that data to Luma and instruct Luma to process it.
6. How We Share Information
We may share information with:
- Service providers and subprocessors that help us host, operate, secure, support, analyze, or improve the Service.
- Third-party platforms and integrations authorized by the Customer.
- Professional advisors, such as lawyers, auditors, accountants, and insurers.
- Authorities or third parties where required by law or legal process, or to protect rights, safety, security, or the integrity of the Service.
- Business counterparties in connection with a merger, acquisition, financing, reorganization, or sale of assets.
- Others with the Customer's or User's direction or consent.
We do not sell Customer Data.
For enterprise or paid deployments, additional data processing terms and subprocessor information may be made available under a separate written agreement or security review process.
7. Third-Party Services
The Service may connect to or rely on third-party services, including collaboration platforms, communication platforms, identity providers, cloud services, security tools, threat intelligence sources, AI providers, infrastructure providers, and APIs.
Third-party services may process information according to their own terms and privacy policies. Luma is not responsible for the privacy, security, availability, or practices of third-party services that are not controlled by Luma.
8. Data Retention
We retain Customer Data for the duration of the applicable customer relationship and for up to ninety (90) days following termination or expiration of access, after which we will delete or anonymize it unless a longer period is required by applicable law or agreed in a customer agreement.
Service operational data, including logs, telemetry, aggregate usage data, and security audit records, may be retained for up to twenty-four (24) months to support security, compliance, and operational requirements.
Website and contact information may be retained for as long as necessary to fulfill the purposes described in this Notice, comply with our legal obligations, resolve disputes, and enforce our agreements.
Customers may request deletion or return of Customer Data as provided in the applicable customer agreement or as required by applicable law.
9. Security
We use administrative, technical, and organizational measures designed to protect information against unauthorized access, loss, misuse, alteration, or disclosure.
No method of transmission, storage, analysis, or processing is completely secure. We cannot guarantee that information will always remain secure or that the Service will detect or prevent every security issue.
In the event of a security incident that affects the confidentiality, integrity, or availability of Customer Data, Luma will notify affected Customers without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the incident, to the extent required by applicable law or the applicable customer agreement. Notification will be provided to the primary contact designated by the Customer.
10. International Data Transfers
We may process and store information in countries other than the country where it was originally collected. Where required, we use appropriate safeguards for international transfers of personal information.
Specific transfer terms may be addressed in a customer agreement or data processing agreement.
11. Privacy Rights
Depending on your location and applicable law, you may have rights to access, correct, delete, restrict, object to, or obtain a copy of certain personal information.
To exercise privacy rights, contact us using the details below. If your information is controlled by one of our Customers, we may direct your request to that Customer.
12. Cookies and Similar Technologies
We may use cookies, pixels, local storage, analytics tools, and similar technologies to operate the website, remember preferences, understand usage, improve performance, and support security.
You can control cookies through your browser settings. Some website features may not work properly if cookies are disabled.
13. Children
The Service is intended for business use and is not directed to children. We do not knowingly collect personal information from children.
14. Marketing Communications
We may send marketing or product communications where permitted by law. You may opt out of marketing emails by using the unsubscribe link or contacting us. We may still send non-marketing service, security, legal, or transactional communications.
15. Changes to This Notice
We may update this Notice from time to time. If changes are material, we will use reasonable efforts to provide notice. The updated Notice will be effective when posted unless otherwise stated.
16. Contact
Questions about this Privacy and Data Notice may be sent to: