Skip to main content
LUMORQ

Privacy Policy

Last updated: May 2026

LUMORQ (“we”, “us”, “our”) provides messaging automation for businesses on Meta channels (WhatsApp, Instagram, Messenger). This policy explains what personal data we process, why we process it, who we share it with, and the choices you have. By using our service you agree to this policy and our Terms of Service.

Introduction

This policy applies to visitors of our website, account holders, and end customers whose messages are processed when you connect Meta channels to LUMORQ.

We act as a data processor for message content you receive through connected channels, and as a controller for account, billing, and product usage data.

Data we collect

We collect the following categories of data:

  • Account data: name, email, password hash, team membership, and role.
  • Business configuration: brand tone, FAQs, routing rules, automation settings, and integration metadata.
  • Messaging data: conversation threads, message bodies, media references, channel identifiers, and delivery status from connected Meta channels.
  • Technical data: IP address, user agent, session identifiers, audit logs, and security events.
  • Billing data: subscription status and payment references processed by Stripe (we do not store full card numbers).
  • Support communications: emails or tickets you send to us.

How we use data

We use personal data to operate the platform, deliver automated and assisted replies, provide analytics, prevent abuse, improve reliability, and comply with law.

We do not sell personal data. We do not use customer message content to train public AI models.

Legal bases (EEA/UK)

Where GDPR or UK GDPR applies, we rely on:

  • Contract: to provide the service you signed up for.
  • Legitimate interests: security monitoring, fraud prevention, and product improvement (balanced against your rights).
  • Consent: where required for optional marketing communications.
  • Legal obligation: tax, accounting, or regulatory requests.

Meta platform data

When you connect WhatsApp, Instagram, or Messenger, Meta shares data with us according to your authorization and Meta’s Platform Terms.

You must have a lawful basis to message your customers and to use automation. You are responsible for notices, opt-outs, and platform policy compliance.

If a user requests deletion through Meta, we process signed Meta callbacks and queue deletion per our data-deletion procedure below.

AI & OpenAI

We use OpenAI’s API to generate draft replies, summaries, and related inference. Message text may be sent to OpenAI only for real-time processing required to deliver the feature.

Under OpenAI’s API terms, API inputs and outputs are not used to train OpenAI’s models by default. Verify your OpenAI organization settings for your account.

We may store prompts, drafts, and outcomes in our database for inbox history, quality review, and your configured retention. Optional conversation summarization sends recent message text to OpenAI.

Subprocessors

We use trusted infrastructure providers. Material subprocessors include:

ProviderPurposeLocation
SupabaseDatabase hosting & authentication infrastructureEU/US (region-dependent)
Vercel / cloud hostingApplication hosting & CDNGlobal
OpenAIAI inference (no model training via API per provider terms)US
MetaWhatsApp, Instagram, Messenger messaging APIsGlobal
StripeSubscription billingUS/EU
TwilioOptional voice calling featuresUS

Cookies & sessions

We use essential HttpOnly session cookies for authentication (typically 7-day TTL). These are required to access the workspace.

Production cookies use Secure and SameSite attributes appropriate to your deployment. Mutating requests from the browser require a valid Origin matching our configured frontend URL.

We do not use third-party advertising cookies on the product.

Retention

We retain data while your account is active and as needed to provide the service.

After account deletion, we mark the business cancelled, disconnect integrations, and purge or anonymize data on our operational schedule (typically within 30–90 days unless law requires longer retention).

Security audit logs and billing records may be retained longer where required for compliance.

International transfers

Your data may be processed in the United States, European Union, and other regions where our subprocessors operate.

Where required, we rely on appropriate safeguards such as Standard Contractual Clauses offered by subprocessors.

Your rights

Depending on your location you may have rights to access, correct, export, restrict, or delete personal data, and to object to certain processing.

Account owners can export workspace data from Settings → Privacy & data, or email {privacyEmail}.

To delete your account, use Settings → Privacy & data and confirm deletion, or contact us. Deletion disconnects integrations and schedules purge of your tenant data.

Meta data deletion

Meta users may request deletion of data obtained through Meta platforms. When Meta sends a valid signed deletion callback, we acknowledge the request and remove or anonymize associated records tied to the Meta user identifier.

Status of Meta-initiated requests: we process verified callbacks within 30 days unless a legal hold applies. Contact {privacyEmail} with your Meta confirmation code for status.

Security measures

We implement encryption at rest for integration secrets, webhook signature verification, tenant isolation in application code, rate limiting, and security monitoring.

See our Security overview for a public summary of controls and responsible disclosure.

Children

LUMORQ is a business-to-business service not directed at children under 16. We do not knowingly collect children’s personal data.

Policy changes

We may update this policy. Material changes will be posted on this page with an updated date. Continued use after changes constitutes acceptance where permitted by law.

Contact us

Privacy inquiries: {privacyEmail}

Security reports: {securityEmail}

Users may request account or data deletion by contacting {privacyEmail} or using Settings → Privacy & data in the workspace.

General support: {supportEmail}