Privacy Policy
Effective Date: March 5, 2025
1. Introduction
Welcome to Lumimail! Lumimail is an AI-powered email creation and management service that integrates with Google services to help you write, send, and track emails effortlessly. Our platform allows you to generate email templates using AI, store those templates in your Google Drive, personalize emails (for example, using data from Google Sheets), and send them via your Gmail account. We also offer features like scheduling emails and tracking email engagement (opens, clicks, replies) – all with your Google account as the hub.
At Lumimail, we understand that your emails and personal information are sensitive. Respecting your privacy and protecting your data are among our highest priorities. This Privacy Policy explains what information we collect through Lumimail, how we use and share that information, and the steps we take to safeguard it. We also outline your rights and choices regarding your personal data. Lumimail is committed to compliance with applicable privacy laws and industry best practices, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). By using Lumimail, you agree to the practices described in this policy.
2. Information We Collect
We collect both information that you knowingly provide to us (for example, by signing in or inputting content) and information that is collected automatically as you use Lumimail. This includes:
User-Provided Information
- Google Account Information: When you sign in to Lumimail using your Google account, we receive basic profile details such as your name, email address, and Google account ID. This allows Lumimail to identify you and connect to your Google services (Gmail, Google Drive, etc.).
- Email Content and Templates: Any information you input into Lumimail is collected to provide the service. This includes email subject lines, body content, preview text, and recipient email addresses that you compose or upload. For instance, if you draft an email or create a template using our editor, the text, images, and attachments you include are captured. If you use our AI email generation feature, any prompt or instructions you give to the AI (e.g. a summary of the email you want to create or style preferences) are also considered user-provided content.
- Google Drive and Sheets Data: Lumimail enables you to save email templates to your Google Drive and to import recipient lists or data from Google Sheets. If you choose to use these features, we will collect the necessary data to perform the actions. For example, we might store the ID of a Google Drive folder where templates are saved, template file names, or the content of a Google Sheet (such as column headers and cell values) that you select for a mail merge. This information is only used to facilitate the template storage or mail-merge functionality you request.
- Attachments and Other Inputs: If you upload a file attachment via Lumimail to send with your email, we process that file (e.g., to send it through Gmail). Any other data you actively provide through the interface (such as preferences for email design, schedule times for sending, or configuration settings) are collected to operate the service.
- Subscription and Billing Information: If you decide to subscribe to a paid Lumimail plan, we will collect information related to your subscription. This includes the plan you selected and your email address (which we use to identify your account and link it to billing). Payment details (such as credit card numbers or billing addresses) are not collected by Lumimail directly; instead, these are handled securely by our third-party payment processor (Stripe) as described below. We may receive limited information from the payment processor, such as confirmation of payment, subscription status, or an ID associated with your account, but we do not store your sensitive payment information on our systems.
Automatically Collected Information
- Service Usage Logs: Like most online services, Lumimail and its backend systems automatically record certain data about your use of the service. This may include timestamps and details of actions you take (e.g., logging in, generating an email with AI, saving a template, sending or scheduling an email). For example, we might log that you used the "send emails" feature at a certain time or how many emails you sent in a session. We collect this information to monitor system performance, enforce usage limits (if any apply to your plan), and to detect and debug errors.
- Device and Technical Information: When you use Lumimail, our servers automatically receive information about the device and browser you are using. This can include your IP address, browser type, operating system, referring URLs, and other technical data. We use this information for security (for instance, to detect suspicious login attempts), to optimize compatibility (making sure Lumimail works well on popular devices/browsers), and to analyze usage trends in aggregate.
- Cookies and Similar Technologies: Lumimail uses cookies and possibly local storage or similar technologies to enhance your experience. For example, when you log in, a session cookie is set so that you remain logged in as you navigate the app. Cookies may also be used to remember your preferences or settings within Lumimail. Additionally, if we employ analytics tools (such as Google Analytics or similar) to understand how users interact with our site, those tools may set their own cookies to collect usage statistics (e.g., page load times, feature usage frequency). You can find more details in the Cookies and Tracking Technologies section below.
- Email Delivery and Tracking Data: If you use Lumimail’s email sending, scheduling, or tracking features, certain data about the emails you send and their status are collected automatically:
  - Delivery Status and Logs: When Lumimail sends an email via the Gmail API on your behalf, we receive confirmation (or error messages) from Google about the send status. We may log information such as whether the send was successful, the Gmail message ID of the sent email, and the time of sending. If you schedule an email to be sent later, our system will store the email content and scheduling information and later log the send event when it occurs.
  - Open and Click Tracking: If you explicitly enable email tracking options for a campaign (such as "track opens" or "track clicks"), Lumimail will collect data on those events. To do this, we embed a small invisible image (tracking pixel) in your email to detect opens, and/or we route the links in your email through our tracking system to record clicks. When a recipient opens your email, our system may record information like the timestamp of the open and an identifier for the email (or the recipient). Similarly, if a recipient clicks a link in the email, we record the click time and which link was clicked. This tracking process may incidentally collect the recipient’s IP address and browser user-agent, from which the recipient’s general location and device information can be inferred. We do not use this information for any purpose other than reporting the analytics back to you (the Lumimail user who sent the email) and improving the performance of our service. Important: The email tracking features are optional and user-initiated. If you choose not to use them, your emails will not contain our tracking pixels or tracked links.
  - Reply Tracking: Lumimail also offers an option to track replies or manage automated follow-ups (sequences). If you enable "reply tracking" or use automated sequences, our system will need to check if and when a recipient replies to your email. With your permission, Lumimail will access your Gmail inbox to detect replies related to emails sent through our service. We do this in a targeted manner: our system looks for incoming messages that are replies to the specific email threads you sent via Lumimail (using unique identifiers in those emails). We record data such as whether a reply was received, and the time of the reply. We do not download or store the full content of those reply emails, except as needed to identify them as replies (for example, by checking the email’s headers or subject). This allows Lumimail to, for instance, mark a contact as "replied" or halt a sequence of follow-up emails once a reply is received.
- Aggregate or Derived Data: We may derive certain aggregate information from your usage. For example, we might calculate the total number of emails sent through Lumimail in a month, or the percentage of AI-generated emails among all emails sent by users. This aggregated data does not identify you personally and is used to understand overall usage patterns or improve our service. If we ever publish or share aggregate statistics (for marketing or research), they will be anonymized – for instance, "X% of Lumimail users use the scheduling feature."
- Note on Third-Party Personal Data: In using Lumimail, you may provide us with personal information about others – for example, the names and email addresses of people you are emailing (recipients), or data about your contacts from a Google Sheet. Lumimail will treat this information as part of your content. We will use it only to provide the services you have requested (such as sending emails to those recipients or personalizing content for them). You are responsible for ensuring that you have the necessary permissions or legal basis to use that personal data within Lumimail. We do not independently use or share the personal information of your email recipients for any purpose other than delivering and tracking the emails as instructed by you.
3. How We Use Your Information
Lumimail uses the information collected to operate, maintain, and enhance the services we provide to you. Specifically, we use your information in the following ways:
Providing the Core Service
First and foremost, we use the collected information to let you create, send, and manage emails through Lumimail. For example, the content you input (subjects, bodies, recipient addresses) is used to construct the emails you want to send. Your Google account credentials and tokens are used to connect to Google’s APIs so we can actually send emails via Gmail or save files to your Drive. If you schedule an email or a sequence of emails, we use the details you provided (like schedule time, frequency, and content) to queue those emails and send them at the appropriate times. Essentially, all the features you use – from generating an email template, to importing contacts, to clicking "Send" – rely on using your information as input and acting on it per your requests.
AI-Generated Email Processing
One of Lumimail’s key features is helping you draft emails using artificial intelligence. If you choose to use the AI email generator, we will use the prompt or instructions you give (which might include a summary of what you want the email to say, tone/style preferences, and possibly some context like a color theme) to request a completion from our AI provider. The prompt content is sent securely to the AI engine, which then returns a suggested email draft (including subject and preview text). We then display the AI-generated content to you in the editor. In short, we use your prompt information only to generate the email content you requested. The AI may also use the prompt to improve its own suggestions, but it does not receive any identifying information about you beyond what’s in the prompt itself. (See How We Share Your Information for more on the AI provider.) We do not use your prompts or the AI-generated content for any other purposes – they are your content.
Template Storage and Retrieval (Google Drive)
Lumimail integrates with Google Drive so that you can save email templates and retrieve them later. When you choose to save a template, we use your input (the template content and file name) to create a file in your Google Drive (typically in a dedicated folder, e.g., "Lumimail Templates"). Similarly, when you want to load a template, we query that Google Drive folder to list and fetch your saved templates. Your information (like the template HTML or JSON data) is used only to perform the save or load action you requested. Lumimail may keep a temporary copy of template data in memory while you edit or use it, but the primary storage location is your own Google Drive. We do not move your template content to our own servers except transiently to facilitate editing and saving. This means you remain in control of your templates via Google Drive. (If you delete them from Drive, they are gone from Lumimail as well.)
Email Sending via Gmail API
When you send an email (or a batch of emails) through Lumimail, we use the Gmail API on your behalf. This involves taking the email content (addresses, subject, body, attachments) and sending it to Google’s Gmail service to be delivered. We use your Gmail account credentials (obtained through Google authentication) to do this, so the emails actually come from your Gmail account. The use of your information here is strictly to carry out your request to send emails. If you choose to send a test email to yourself, we use the address you provide for that test. If you send a campaign to many recipients from a Google Sheet, we iterate through the list and send each email via Gmail. We also may use the Gmail API to create drafts (if you choose to save drafts instead of sending immediately) or to apply labels or identifiers for tracking (for example, labeling sent messages or retrieving the Gmail Message-ID as needed for tracking opens/replies). We do not read any of your existing Gmail messages during this process, aside from the messages we send or create on your instruction. The Gmail access granted to us is used only for sending, drafting, and the optional tracking functions you have enabled.
Email Scheduling and Automation
If you schedule an email or set up an automated sequence (multiple emails sent over time), we use the information you provide to execute those features. For scheduling, we store the email content and the scheduled time in our system (securely, as described in the Data Security section below) and then, at the scheduled time, use your Gmail access to send the email. For sequences or follow-ups, we similarly store the necessary details (e.g., sequence steps, timing rules, recipient addresses) and use them to automatically send emails at the appropriate times. If reply-tracking is part of the sequence logic (for example, "send follow-up 2 only if no reply to email 1"), our system will periodically check for a reply in your Gmail as described earlier. Any information obtained (like the fact a particular recipient replied at a certain time) will be used to decide whether to continue or stop the sequence for that recipient. We use this information solely to automate the process that you have set up – effectively acting as an assistant carrying out the scheduling and follow-up rules you defined.
Tracking Email Engagement
When you enable open or click tracking on emails, we use the data collected from those tracking pixels and link redirects to provide you with analytics and improve email deliverability. Specifically, we compile the raw events (opens, clicks) into meaningful information for you – for example, marking a contact as having opened the email, updating a Google Sheet with a "Yes/No" or a timestamp for opens/clicks, or showing you a summary like "20 out of 50 recipients have opened your email." We might also use the aggregate of this data to help refine our service’s performance (e.g., understanding open rates can help us ensure our tracking is working reliably, or highlight if emails might be going to spam). Importantly, any tracking data is used only in relation to the emails you send and for your benefit as the sender. We do not sell or repurpose this engagement data for marketing or profiling of your recipients. If you choose to sync results back to your own records (like writing back to your Google Sheet that a contact opened or clicked), we facilitate that by updating the sheet as part of the service.
Account Management and Authentication
We use your information to maintain your Lumimail account and authenticate you each time you use the service. For example, when you log in via Google, we verify your identity using your Google profile information. We also manage your session through cookies or tokens so you remain securely logged in while using Lumimail. Additionally, we might display some of your profile info in the app interface for your convenience – e.g., showing your Google account name or avatar to indicate which account you’re using. Beyond identification, if you are a subscriber, we use your account status to determine the features and usage limits available to you (for instance, free vs. paid feature access). This is part of fulfilling our contract with you as a user of our service.
Subscription and Billing Purposes
If you have a paid subscription, we use your information for billing-related purposes. For example, we will use your provided email and plan choice to initiate the subscription process through our payment processor. We may send your email and subscription plan details to Stripe to create a customer record and generate a checkout session for you. Once you’re subscribed, we keep track of your subscription status (active, canceled, trial, etc.) and which plan you are on. This allows us to manage your feature access (e.g., token limits or email send limits as per your plan) and to know when to prompt for renewal if applicable. We might also email you invoices, receipts, or notices about your subscription (unless those are handled by Stripe directly). If your plan has usage quotas or limits (like a cap on AI tokens or emails per month), we will use our usage logs to tally your usage and enforce those limits or charge for overages according to the plan terms. We use this data internally to ensure you’re getting what you paid for and to prevent abuse of the service.
Service Improvement and Research
We continuously strive to improve Lumimail. The information collected (both in aggregate and some specific feedback) may be used for this purpose. For instance, we might review common error logs or user actions to identify where the app could be made more reliable or user-friendly. If many users experience a certain failure (like a particular type of email content causing an error), we use that information to fix the bug. We may also use feedback you provide (if you contact support or if there are usage patterns) to develop new features or refine existing ones. When using personal data for improvement, we typically aggregate or anonymize it first. If we ever wish to use your identifiable personal data for something beyond providing the service – such as asking for a testimonial or conducting a user interview – we will ask for your explicit consent. Lumimail will not use any content from your Gmail or Google Drive – or any personal information obtained via Google APIs – to train or improve any general AI or machine learning models. Your data is only used to fulfill your requests within the Lumimail service.
Communication with You
We may use your contact information (primarily your email address) to send you service-related communications. These can include:
- Transactional Emails: e.g., a welcome email when you sign up, confirmations when you change a setting or subscribe to a plan, billing receipts, password reset emails (if we ever implement separate credentials), or notifications of important actions (like completion of a large email send or an alert if a scheduled send failed).
- Updates and Notifications: If we make important changes to Lumimail or its policies, or if there are security alerts, we might email you to inform you. For example, we might send a message about new features available in your plan, or an alert if we detect suspicious activity on your account (like a new device login).
- Promotional Communications: We will not spam you with marketing emails. We may, however, send occasional updates about Lumimail’s features or offers, but only if you have not opted out of such messages. If you are on our mailing list for product updates or newsletters, you can unsubscribe at any time by following the link in those emails or contacting us. We will ensure any marketing communication is compliant with applicable laws (like including proper unsubscribe options as required by CAN-SPAM and GDPR regulations).
We want to emphasize that we do not use the content of your emails (the ones you are writing or sending via Lumimail) to contact your recipients or to send you marketing unrelated to your own use of Lumimail. Any communication we initiate to you will be about your account or usage of our service.
Legal Compliance and Protection
In some cases, we may need to use your information to comply with legal obligations or to protect our rights, our users, or others. For example, if we suspect fraud or misuse of Lumimail, we may analyze relevant data to investigate and take action. We also may use personal information to meet applicable laws and regulations (such as maintaining transaction records for tax and accounting purposes, or responding to lawful requests by authorities).
Our Legal Basis (for EU users)
If you are in a jurisdiction that requires a legal basis for data processing (like the EU under GDPR), know that we process your personal data on the following bases: (i) Contractual Necessity: Much of our data use is to provide the service you requested under our Terms of Service (for example, using your data to send the emails you compose is necessary to perform our contract with you); (ii) Consent: For certain optional features or integrations (such as connecting to your Google account, or using AI generation, or receiving marketing emails from us), we rely on your consent. You can withdraw consent at any time, but note that this might disable the feature (e.g., revoking Google access will prevent Lumimail from functioning fully); (iii) Legitimate Interests: We may use some data for our legitimate interests, such as improving the service or ensuring security, in a way that does not override your privacy rights. We will always consider your rights and provide opt-outs where appropriate.
Importantly, we do not use your personal information for any purpose that is incompatible with the purposes outlined above without first obtaining your consent. We do not sell your personal data or use it for automated decision-making or profiling outside of the context of providing Lumimail’s functionalities.
4. How We Share Your Information
We understand that sharing of personal information is a sensitive topic. Lumimail only shares your information in a few specific situations, each of which is geared towards operating the service or complying with the law. We do not sell or rent your personal information to third-party advertisers or unrelated parties. Here are the ways your information may be shared:
Integration with Google Services
Because Lumimail is built on Google’s platforms for authentication and email delivery, some of your data is shared with Google as part of using those services:
Google OAuth and APIs
When you sign in to Lumimail with Google, the fact that you are using Lumimail is known to Google, and Google provides us with your basic profile info as described earlier. We use Google’s OAuth 2.0 to obtain permission (scopes) to access your Gmail, Drive, and possibly Google Sheets on your behalf. As part of that process, Google is aware that you have granted Lumimail certain permissions. The data accessed from Google (emails, files, etc.) is transmitted via Google’s systems. For example, when we send an email, the email’s content and recipient addresses are sent to Gmail’s send mail API endpoint; when we save or read a file in Drive or a Sheet, the content is transmitted to/from Google’s API endpoints. In that sense, your data (email content, files) is shared with Google’s servers, but under your Google account. Google treats that data per their own privacy policy and the agreements you have with Google. Lumimail does not grant Google any rights to use your content beyond what is necessary to perform the requested actions.
Access Scopes and Limitations
Lumimail may request access to your Google data such as Gmail (sending emails, reading specific messages for tracking), Google Drive (file creation and reading in a specific folder), and Google Sheets (reading contact data or writing back results to sheets). We want to reassure you that we use these permissions strictly for the intended Lumimail features. We do not read your Gmail messages or files on Drive that you haven’t specifically interacted with through Lumimail. For instance, we won’t browse your inbox or Google Drive; we might read a particular message in Gmail only to fetch its ID or check for a reply (and only if you enabled that tracking). Google’s policies (and our promises) require that we only use sensitive scopes (like Gmail read access) to provide you with the functionality you expect and for no other purpose. We do not share your Gmail data with anyone else, and we do not allow any unauthorized access. In accordance with Google API Services User Data Policy, our use and transfer of information from Google APIs to any other app will adhere to Google’s Limited Use requirements: that means we only use your Google data to provide or improve the user-facing features of Lumimail (as described in this policy), and not for anything like serving ads or creating profiles. We also do not allow human staff to read your Gmail message content unless you have given us permission for a specific reason (for example, if you request troubleshooting help that requires looking at a specific message, and even then, only with your consent or request, or as required by law).
Google as a Data Processor
In these interactions, Google is essentially processing data on your behalf (and ours). Any information that goes to Google’s systems (like an email being sent or a file saved) is protected by Google under their terms (e.g., Google Privacy Policy). If you have concerns about Google’s handling of that data, we encourage you to review Google’s privacy documentation. From Lumimail’s perspective, we treat that exchange as a necessary part of the service and ensure that only the minimum required data is transmitted. For example, we wouldn’t send Google data it doesn’t need – only the specific email content for sending, or only the template file content for saving.
Third-Party Service Providers
We rely on a few trusted third-party companies to help us run Lumimail. Whenever we share information with these providers, we ensure it’s only what is needed for their specific service, and that they are contractually obligated to protect your data and use it only for those purposes. Key third parties include:
- Payment Processor (Stripe): If you subscribe to a paid plan, your payment will be handled through Stripe, a leading secure payment processing platform. When you decide to make a purchase or start a subscription, Lumimail (via our backend server) will share certain information with Stripe to set up the transaction. This includes your email address (so Stripe can associate the payment with your account and send you receipts if configured) and which plan or product you are purchasing. We may also assign an internal customer ID. Stripe then processes your payment details (credit card number, etc.) on their secure systems. Lumimail does not see or store your full credit card information. Stripe may return to us a token or ID representing your payment method and a confirmation that the payment was made. We keep a record of your subscription status (active, trial, canceled, etc.) and the Stripe customer or subscription ID for reference. Stripe is prohibited from using your personal information for any purpose other than to provide payment services to Lumimail. (For more information, you can review Stripe’s Privacy Policy, which covers how they handle payer information.) In summary, we share minimal data with Stripe to ensure you can pay for the service, and Stripe in turn shares back to us the outcome and necessary identifiers.
- AI Service Provider: Lumimail uses an external AI platform (for example, Cohere or a similar AI engine) to generate email content when you use our AI feature. This means that when you input a prompt or summary and request an AI-generated email, that prompt (which may include personal data if you include any in the text) is sent to the AI provider’s system for processing. The AI provider will analyze the text and produce a suggested email. In this process, the provider is acting as a data processor on our behalf – they use the prompt only to generate the result for us to deliver to you. We share no information about you beyond the content of the prompt itself. (We do not, for example, send your name, email, or any account info in that request; however, keep in mind that any info you include in the prompt text will be seen by the AI.) The AI output (the draft email) is returned to Lumimail and displayed to you. We do not believe the AI provider retains or uses your specific prompts for any purpose beyond generating your result, but they may have their own policies on data retention or model training. We have agreements in place to ensure your data is protected (for instance, the AI provider is not allowed to use your prompts to target you or to share with others). Nonetheless, we mention this to be transparent that a third-party machine learning service does handle the content you input for AI generation. If you prefer not to share any content with this service, you may choose not to use the AI features of Lumimail.
- Cloud Hosting and Data Storage: Lumimail’s own backend and infrastructure are hosted on cloud platforms (such as Google Cloud Platform or others) to ensure reliability and performance. For example, our scheduling and database might be using Google Cloud Firestore and Cloud Functions/Run, and some tracking services might run on platforms like Cloudflare Workers. These providers technically process data (store it or transmit it) as part of our application. We consider these platforms as extensions of our service – they are not allowed to access the data except to run Lumimail’s functionality. For instance, our database provider stores the schedules and logs, but they do not look at or use the data for any independent purpose. We configure our cloud services with security and privacy in mind (using encryption, access control, etc., as detailed in the Data Security section).
- Email and Analytics Services: We may use certain tools to send service emails or analyze usage. For example, if we send a system email (like a welcome or support message) we might use an email delivery service (such as SendGrid, Mailgun, or even Gmail’s SMTP) to actually send that email. This means your email address and the content of the message would pass through that service. Similarly, we might use an analytics service or error tracking service (like Google Analytics, Sentry, or LogRocket) which could capture some usage details or error information along with user identifiers. Any such service is chosen carefully to ensure they have strong privacy practices and do not misuse your data. We will update this policy (or maintain a list available to you) if we add or change significant subprocessors of your data. Rest assured, these services are used to improve your experience and maintain quality of service, not to profile you or advertise to you.
Sharing with Your Consent
Outside of the integrations and processors needed for Lumimail’s operations, we will share your personal information with third parties only if you have given us explicit permission to do so. For example, if in the future Lumimail offers an integration with another platform (say, a CRM system or an address book service) and you choose to enable it, we would share data with that platform only with your authorization and clearly inform you what is being shared. You are in control of which external services you connect to your Lumimail account.
Legal Compliance and Protection
We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to:
- Comply with a legal obligation, regulatory requirement, judicial proceeding, or court order. For instance, if we receive a subpoena or a request from law enforcement, we might need to provide data if legally compelled (after verifying the request’s validity and scope).
- Enforce our Terms of Service or other agreements, or investigate potential violations thereof. If your usage of Lumimail is suspected to be fraudulent, abusive, or dangerous, we may share data with investigators or relevant third parties (like law enforcement or security consultants) to address the issue.
- Detect, prevent, or address illegal or suspected illegal activities (such as spamming through our system, or hacking attempts), security issues, or technical problems. This could involve sharing information with security response teams or other service providers to mitigate threats.
- Protect the rights, property, or safety of Lumimail, our users, or the public, as required or permitted by law. For example, if someone’s actions pose a threat to others’ safety, data may be shared with those who can help prevent harm.
In any such case, we will only share the information that is reasonably necessary and will, if legally permissible, inform the affected users about the request or disclosure. We have not had any incidents of being compelled to disclose user data, and our philosophy is to fight overly broad or inappropriate requests.
Business Transfers
If Lumimail (or the company or entity behind Lumimail) is involved in a merger, acquisition, sale of assets, or similar corporate transaction, user information may be transferred to the successor or acquiring entity. For example, if another company acquires Lumimail, your information would likely be one of the assets transferred. In such an event, we will ensure that the new owner is contractually bound to respect the terms of this Privacy Policy or provide at least equivalent protection for your data. We will also notify you (for instance, via email or a prominent notice on our website) of any such change in ownership or control, as it may result in a change to the handling of your personal data. You will have the opportunity to discontinue using Lumimail or request deletion of your data if you do not wish to be subject to the privacy practices of the new entity.
Apart from the cases listed above, we do not share your personal information with third parties. We do not sell your personal data to data brokers or marketers. We do not share your email content or usage information with advertisers. All third parties that process your data do so only for the specific functions integrated into Lumimail, under our instructions and in compliance with this Privacy Policy.
5. Data Security and Storage
We take the security of your data very seriously. Lumimail is designed with modern security measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction. However, no online service can guarantee perfect security, so we want to be transparent about how we safeguard your data and how long we keep it.
Security Measures
- Encryption: All communications between your browser and Lumimail’s servers are protected by encryption (HTTPS/TLS). This means any data (your Google OAuth tokens, email content, etc.) transmitted over the internet is encrypted in transit and cannot be easily intercepted by third parties. Additionally, where possible, we encrypt sensitive data at rest. For example, if we store authentication tokens or refresh tokens in our database (to enable Lumimail to send scheduled emails on your behalf), we encrypt these tokens or secure them using industry best practices, so that even if our database were compromised, the attackers cannot readily use them.
- Access Controls: We limit access to personal data to only those employees, contractors, and service providers who have a business need to know. The Lumimail development and support team is small, and team members are trained on the importance of confidentiality. Access to production databases, server environments, and third-party dashboards (like Stripe or our AI provider) is protected by strong authentication (such as two-factor authentication) and granted only as needed. Internally, we use role-based access so that, for instance, a support engineer can assist you without being able to view sensitive email content unless absolutely necessary.
- Secure Authentication: Since Lumimail uses Google single sign-on, we do not handle your password directly; however, for session management we rely on secure cookies or tokens issued after you authenticate with Google. These tokens are stored in a secure manner (e.g., httpOnly cookies that JavaScript cannot access, and they are transmitted only over HTTPS). If you log out or revoke access, those tokens become invalid. Additionally, your integration with Google is protected by Google’s own security (like their account protection and login alerts).
- Development Practices: Our code is developed following best practices to minimize vulnerabilities (for example, input sanitization to prevent injection attacks, secure use of Google APIs, etc.). We periodically review our application for common security issues. If we discover a vulnerability or are alerted to one, we act quickly to patch it. We may also engage in security audits or testing (like penetration testing) by third-party experts to validate our security.
- Network and Infrastructure Security: Our servers and databases are hosted in secure data centers provided by reputable cloud providers. These providers maintain high levels of physical and network security. We utilize firewalls, network segregation, and monitoring systems to guard against unauthorized access. Our databases require authentication and are not exposed directly to the public internet. Backups of data (if any) are encrypted and stored securely. Also, where we use third-party services like Stripe or our AI provider, we rely on their proven security measures to protect any data we send to them (e.g., Stripe is PCI-DSS compliant for handling payment info, etc.).
- Continuous Monitoring: We employ logging and monitoring on our systems to detect unusual patterns or intrusions. If something suspicious is detected, our team will investigate and take appropriate action. We also have procedures to handle potential data breaches, including notifying users and authorities as required by law.
Data Storage Locations
Depending on our infrastructure, your data may be stored and processed on servers located in the United States or other countries. For instance, if we use Google Cloud in the US region, the data in Firestore (schedules, etc.) resides in the US. If our AI provider or other services are in different jurisdictions, your data (like an AI prompt) might momentarily be processed in those locations. Regardless of location, we ensure that adequate protections are in place. If you are using Lumimail from outside the United States, be aware that your information may be transferred to and stored on servers in the U.S. or elsewhere. These jurisdictions may have data protection laws different from your country. We base such transfers on legal mechanisms (for example, standard contractual clauses under GDPR, or the service providers’ certifications like Privacy Shield’s successor frameworks, if applicable) to ensure your data remains protected. By using Lumimail, you consent to this transfer, storage, and processing of your information in the U.S. and other countries as needed for the services.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations. Different types of data may have different retention periods:
- Account Information: If you have an account with Lumimail, we retain your basic account details (like your name, email, subscription status) for as long as your account is active. If you decide to delete your Lumimail account or revoke Google access, we will remove or anonymize the personal data associated with your account within a reasonable time, except for data we are required to keep for legitimate business or legal purposes. For example, we may retain records of transactions or payments (linked to your email) for financial reporting and audits. If an account has been inactive for an extended period, we may also choose to delete it after attempting to contact you.
- Email Content and User Files: Lumimail generally does not store your email content permanently on our servers, except in specific cases like scheduled emails or sequence drafts. For immediate sends, your email content is relayed to Gmail and not stored by us long-term. For scheduled emails, we store the content until it is sent, and possibly a short period after for verification. After successful sending, we may purge the stored content from our database, keeping only metadata (like "an email was sent to X at time Y with tracking enabled" etc.). If we store templates, they are primarily on your Google Drive; we do not maintain a separate archive of all your templates. Any temporary caches of template or draft data on our side are periodically cleared.
- Logs and Analytics: Our server logs and operational records (which might include IP addresses, usage data, error logs) are typically retained for a finite period (for example, 30 days, 90 days, or up to a year) depending on the data. This retention allows us to troubleshoot issues and analyze usage trends. After that, logs are deleted or aggregated. Critical security logs might be kept longer if needed for investigation. Analytics data collected by third-party tools might be retained for analysis (e.g., Google Analytics might keep data for 14 months, as configured). Where possible, we configure these tools to not retain user-level data beyond what’s necessary.
- Email Tracking Data: If you use open/click tracking, the raw data of opens and clicks might be stored in our systems or in your Google Sheet. We typically retain the tracking events for as long as the associated campaign or sequence is active, and for a while after to allow you to view reports. We might periodically purge older tracking records from our systems (for instance, remove detailed tracking logs after X months). However, aggregated stats or records that an event happened might be kept for service improvement. If tracking data is written to your Google Sheet or delivered to you, you have control over that copy for as long as you keep it.
- Stored Google Credentials: If we store your Google OAuth refresh token (to maintain access for sending scheduled emails or checking replies), we will keep that token secure for as long as you use Lumimail with that Google account. If you revoke Lumimail’s access or disconnect the Google account, we will delete the stored token. We periodically refresh tokens as needed (Google’s tokens expire) — if a token is invalid or unused for a long time, we remove it.
After the relevant retention periods, we either securely delete your personal data or anonymize it so that it can no longer be associated with you. For example, we might keep overall usage statistics but dissociate them from individual user identities.
User Control Over Data
You can control many aspects of your data directly:
- You can edit or delete email content and templates in Lumimail (or in your Google Drive, for saved templates) at any time. If you delete a template from Google Drive, it is gone; Lumimail will no longer have access to it.
- You can manage and delete any Google Sheets data that you used with Lumimail (e.g., your contact lists or tracking result sheets) from within Google Sheets.
- You may cancel scheduled emails or sequences using Lumimail’s interface (e.g., via a "Manage Schedules" option). Canceling a scheduled email will result in us deleting the associated content from our schedule queue and it will not be sent. We also provide an option to delete schedules entirely, which removes the data from our database for that schedule.
- If you want us to delete specific data that isn’t directly accessible (for example, a particular log entry or a stored token), you can contact us with your request (see the User Rights and Control section below for more details on data deletion requests).
We have procedures to handle data deletion or anonymization in a secure manner, ensuring that once data is no longer needed, it’s properly expunged from live systems and backups (within a reasonable time frame).
Data Breach Response
Despite all precautions, if a security breach were to occur that compromised your data privacy, Lumimail will act promptly. We will notify affected users and the appropriate authorities as required by law. We will provide information on the nature of the breach, the data affected, and the steps we are taking to mitigate it and prevent future occurrences. Our incident response plan prioritizes user transparency and support in such events.
In summary, we strive to protect your data using robust security technologies and practices. We also limit how long we keep personal data. Your trust is crucial to us, and we work hard to maintain it by keeping your information secure at all times.
6. User Rights and Control
You have significant control over your personal information and how it’s used by Lumimail. We believe in empowering our users with options and honoring your rights as provided by law. Below is an outline of your rights and the tools or processes to exercise them:
- Access and Transparency: You have the right to know what personal data we have about you and to access that information. In practice, much of your data is accessible directly through the Lumimail interface or via your connected Google account. For example, you can see your saved templates in Google Drive, your sent emails in your Gmail Sent folder, and your account email and plan on our site. If you need a comprehensive report of your personal data stored by Lumimail (such as account details, subscription info, or any data in our databases related to your account), you can send us a request (see Contact Information below). We will provide you with a copy of the information we have, typically electronically, in a common format. This includes things like your profile data, subscription status, logs of your usage (to the extent they are linked to you and not already available), and any other personal data we might store.
- Rectification (Correction): If any of your personal information is incorrect or has changed, you have the right to have it corrected. Basic profile information like your name or email is usually managed via your Google account (since we pull that from Google). If, for instance, you legally change your name or update your Google profile name, Lumimail will update its records the next time you sign in. If there is any information under our control that is not accurate (for example, an internal profile or subscription detail), contact us and we will update it. For subscription info, if your billing email or contact needs to change, we can adjust that as well (though often, the email will remain your Google login). We aim to keep your data accurate and up-to-date.
- Deletion (Right to be Forgotten): You have the right to request deletion of your personal data. There are a few ways to achieve this:
  - Revoke Google Access / Delete Account: If you no longer want to use Lumimail, you can revoke the app’s access to your Google account from your Google account settings. This will immediately prevent Lumimail from accessing your data. You can also contact us to request full deletion of your Lumimail account. Upon such a request, we will delete or anonymize all personal data that we hold about you that we are not legally required to retain. This includes removing your user record from our database, any saved credentials or tokens, scheduled tasks, and usage logs tied to your identity. Keep in mind that data stored in your own Google services (like emails in Gmail, or templates in Drive, or entries in Sheets) cannot be deleted by us – you would manage those via Google. Also, if you had a subscription, we may retain transaction records for financial/legal obligations, but we can dissociate them from your identity to the extent possible (e.g., keep a record of a payment without attaching it to your name).
  - Delete Specific Content: If you wish to delete specific content or data (for example, a particular email template or a stored sequence), you typically can do this through the app or Google. Delete the template file from Drive, or cancel the sequence in Lumimail’s UI. If a particular piece of data isn’t exposed in the UI and you want it removed (say, an old log entry containing something you consider personal), contact us and we will do our best to locate and remove it.
After a deletion request, we will act promptly, and in any case within the timeframe required by applicable law (usually within 30 days for personal data erasure requests under GDPR, for instance). Once completed, your account will be deactivated and personal data scrubbed. Please note that after we delete your account, you will not be able to recover any data or resume the service without starting over.
- Withdrawal of Consent / Opt-Out: Many of Lumimail’s features that access your data are based on your consent (for example, connecting to your Google account, or using tracking features). You are free to withdraw that consent at any time:
  - If you previously granted Lumimail access to your Google account and want to withdraw it, you can do so via your Google account’s security settings (under "Third-party apps with account access" or a similar section). Revoking access will stop our app from being able to interact with your Google data. If you revoke access but do not delete your Lumimail account, some of your data might remain on our servers (as per retention policy), but we will no longer fetch new data from Google.
  - If you have opted in to email marketing from us and no longer wish to receive such emails, you can unsubscribe via the link in the email or by contacting us. We will honor such opt-out requests immediately for marketing. (Note: You will still receive essential transactional emails, like billing or security notices, unless you delete your account.)
  - If you agreed to a particular integration or feature and want to disable it, simply stop using that feature (e.g., stop using AI generation if you don’t want your prompts sent out, or turn off tracking if you don’t want to collect recipient data). If there is a setting or toggle, use that to disable it; otherwise, refraining from using a feature means no data for that feature will be collected or shared.
  - You can also adjust browser settings to control cookies (see Cookies section). For instance, you can clear cookies or use browser options to refuse cookies, which can effectively withdraw consent for certain types of data collection like analytics. However, note that essential cookies (like session cookies) might be necessary for Lumimail to function properly.
- Portability: You have the right to data portability, meaning you can request to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, so you can transfer it to another service if you wish. For Lumimail, the most relevant "provided data" would be things like the content you have created (emails, templates) and your account information. Much of your content already lives in your Google services (emails in Gmail, files in Drive), so you can retrieve them directly from those platforms. If you need other data (like your usage history, or any content that might have been stored only in our system), let us know and we can export what we have in a CSV or JSON format for you. This would allow you to import it to another service or just keep a copy. Note that data portability applies to data you actively provided or data generated by your activities; it does not require us to divulge any proprietary insights or internal assessments.
- Objection and Restriction: In certain jurisdictions, you have the right to object to or ask us to restrict processing of your data. For example, you might object to us processing your data for direct marketing or for our legitimate interests. In the context of Lumimail:
  - If we were ever to consider using your data for something like research or product development beyond the immediate service (which we currently don’t without anonymizing data), you could object to that. We do not currently engage in any processing of user content that isn’t directly tied to providing the service, except aggregated analysis. If you object to even aggregated usage analysis, we could discuss opting you out (though it’s typically anonymized).
  - If you want us to temporarily restrict processing (say, you contest the accuracy of data or have a legal issue), we can put a hold on processing your account (meaning we would stop any automated actions like scheduled sends and hold off on deleting or updating data) until resolved.
To object or request restriction, simply contact us with your specific request. We’ll evaluate and comply if required by law or if your request is reasonable and we have no compelling reason to refuse (if we do, we’ll explain it to you).
- Manage Cookies/Tracking: Through your browser settings or tools, you can control the placement of cookies and trackers, which is a form of exercising your rights over passive data collection. See the Cookies and Tracking Technologies section below for more details on how to opt out of analytics tracking if we use any. If you do not want Lumimail to track opens/clicks in emails you send out, you can simply not enable those features when sending, or remove any tracking pixels/links (Lumimail won’t add them unless you choose to). You also have the right to ask us what cookies or similar technologies we use and get information about the data they collect.
We will not discriminate against you for exercising any of these rights. For example, if you are a California resident exercising your CCPA rights to access or delete data, we will not deny you services or provide a lesser experience (beyond the fact that we might not be able to provide certain features if the data needed for them is deleted).
GDPR and International Data Rights: If you are located in the European Economic Area (EEA), United Kingdom, or another region with comprehensive data protection laws, you have the above rights under GDPR/UK GDPR. Lumimail is the “data controller” for your personal information provided to or collected by Lumimail (except for the content that resides in Google’s system, where Google is also a controller). To exercise your rights, you can contact us as described in the Contact section. You also have the right to lodge a complaint with your country’s data protection authority if you believe we have infringed your data rights. We encourage you to contact us first so we can address your concerns directly.
CCPA (California) Rights: If you are a California resident, the CCPA gives you specific rights regarding your personal information:
- Right to Know: You can request that we disclose to you the categories and specific pieces of personal information we have collected about you, as well as the categories of sources, the purpose for collecting it, and the categories of third parties with whom we share it. This Privacy Policy is intended to provide much of that information generally. You can also request more detail or a report specific to you (which overlaps with the “Access” right above).
- Right to Delete: You can request that we delete any personal information about you that we collected from you and retained, subject to certain exceptions (for example, if it’s necessary to complete a transaction or for legal compliance). This is the same as the deletion right described above. We will inform you what data, if any, we cannot delete due to legal obligations.
- Right to Opt-Out of Sale: The CCPA gives you the right to opt out of the "sale" of your personal information. Lumimail does not sell personal information to third parties for monetary value or any other valuable consideration as defined by CCPA. We do not share your data in a way that would be considered a sale. Therefore, there is no need for you to opt out — by default, your data is not sold. We still include this in compliance with CCPA transparency requirements. If in the future our practices change, we will update this and provide a “Do Not Sell” link, but we have no intention of selling data.
- Shine the Light: California’s "Shine the Light" law allows users to request certain information about our disclosure of personal information to third parties for their direct marketing purposes. Lumimail does not disclose personal information to third parties for direct marketing of those third parties, so this is not applicable.
To make a CCPA request, you can contact us through the methods in the Contact Information section. We will ask you to verify your identity (to ensure we’re providing data to the correct person or their authorized representative) and then respond within the legally required time frame (generally within 45 days for CCPA requests).
Revoking Google Permissions: It’s worth repeating, since Lumimail relies on Google access: you can always control the permission Lumimail has by visiting your Google Account’s permissions page. Removing certain permissions (like Gmail access) might effectively disable a lot of Lumimail’s functionality until you re-grant them. But you have that control at all times. After revocation, we cannot access new data from Google, and if you also want us to delete what we previously stored, let us know.
Account Termination: If you want to stop using Lumimail, you can simply stop using the service and/or revoke access. If you want a more thorough termination, reach out for account deletion. If you have an active subscription and wish to cancel it, you can usually do so via our billing portal (which will be provided via Stripe). Canceling your subscription stops future billing, and you can still choose whether to retain your account (maybe to use the free version) or have us delete it.
We aim to make it as straightforward as possible for you to exercise these rights. If you have any questions or need assistance, please contact us. We will do our best to accommodate your requests and provide clear answers. Your privacy and control over your information are extremely important to us, and we want you to feel confident using Lumimail.
7. Cookies and Tracking Technologies
Lumimail uses cookies and similar tracking technologies to provide, customize, and improve the user experience on our site. This section explains what these technologies are and how we use them.
What Are Cookies?
Cookies are small text files that are placed on your device (computer, smartphone, etc.) when you visit a website. Cookies serve a variety of functions: they can remember your login state, store preferences, and gather information about how you interact with a site. Cookies can be "session cookies" (which expire when you close your browser) or "persistent cookies" (which remain on your device for a set period or until you delete them).
How Lumimail Uses Cookies
We use cookies in a few ways within Lumimail:
- Essential Cookies (Strictly Necessary): These cookies are necessary for the website/app to function properly. For example, when you log in through Google, a session cookie keeps you logged in as you navigate through different pages or features of Lumimail. Without this, you would have to authenticate for every action. These cookies do not gather information for marketing or track you across other sites; they are just to maintain the state of your session and security. Another example might be a cookie to remember certain UI settings or whether you have seen a particular in-app notification (so it doesn’t show repeatedly).
- Preference Cookies: We may use cookies to remember your preferences and settings. For instance, if Lumimail has a light mode/dark mode toggle or if you collapse a sidebar, a cookie (or local storage entry) might save that preference so that it’s the same next time you use the app. These enhance your experience by personalizing it.
- Analytics Cookies: To understand how users use our service and to improve it, we may use analytics tools that rely on cookies or similar trackers. For example, we might use Google Analytics or a privacy-focused analytics service to collect information like which pages of our site are visited, how long users spend on certain pages or features, and how they found our site. These tools might set cookies to identify your browser (not you personally, but a random ID) so they can recognize if you visit again or track navigation flow. The information collected is typically aggregated and does not include personal details like your name or email. It helps us see usage patterns (for example, if a lot of users drop off at a certain step, which might indicate a UX problem to fix). You can opt out of Google Analytics by installing a browser add-on or by using browsers that block trackers if you wish (more on opting out below).
- Functional/Feature Cookies: Sometimes, additional features might involve cookies. For instance, if we implement a tutorial that you can dismiss, a cookie might note that you’ve completed or dismissed it so it doesn’t appear on every login.
- Third-Party Cookies: Lumimail itself does not serve advertising and thus does not use advertising cookies. The main third party that could set cookies during your use of Lumimail might be Google, due to the OAuth process or if we embed something like a Google file picker. When you sign in with Google, Google may set cookies on their domain to manage the authentication. Similarly, if any portion of our app uses a Google widget or if we integrate a third-party help chat, those could set a cookie. We aim to keep third-party cookies to a minimum. Our payment page through Stripe might also use cookies to remember your session or payment progress (likely on Stripe’s domain).
- Tracking Pixels and Local Storage: Besides cookies, we might use other local storage mechanisms in your browser for certain tasks (for example, storing a draft email content locally to prevent loss if your connection drops – this would use local storage on your device, not our server). These are not shared and usually only persist on your browser. As mentioned, we also use tracking pixels in the emails you send if you enable that (to track opens). Those are different from website cookies: an open-tracking pixel is an image file referenced in an email which, when loaded, tells our server that the email was opened. That pixel doesn’t store data on your device; it just triggers a server call. We handle the data from that call as described earlier. In terms of tracking technologies on our website, we do not currently use any marketing pixels (like Facebook Pixel or similar) since we’re not doing targeted advertising campaigns. If that ever changes, we’ll update this policy and ensure you have the ability to opt out.
Your Choices Regarding Cookies
You have the right to decide whether to accept or reject cookies (except the strictly necessary ones, which are needed for basic operation). Here are some ways you can manage cookies:
- Browser Controls: Most web browsers allow you to manage cookies through their settings. You can typically choose to block third-party cookies (which will reduce cross-site tracking), block all cookies (which may break functionality), or clear cookies whenever you like. You can also see what cookies are stored and selectively remove them. Please note, if you disable all cookies, Lumimail’s web app might not function properly because the session cookie is essential. We recommend allowing at least first-party cookies for Lumimail’s domain.
- Do Not Track Signals: Some browsers have a "Do Not Track" (DNT) feature that signals to websites that you do not want to be tracked. There is currently no standard interpretation of DNT signals across all websites. While Lumimail does not track users across third-party sites in a way that DNT would typically address, our stance is to treat DNT seriously: we don’t change behavior because we already limit tracking to necessary service analytics only. If we use Google Analytics, we might configure it to respect DNT if possible or provide other opt-outs.
- Opting Out of Analytics: If we use Google Analytics, you can opt out by using the Google Analytics Opt-out Browser Add-on, which prevents GA from collecting data on your browser. If we use any other analytics services, we will provide instructions on how to opt out of them in an update to this policy or on our website. Additionally, some browsers and extensions automatically block analytics scripts.
- Cookie Banners/Consent: When you first visit our site, we may display a cookie notice or banner if required by law (especially for users in the EU), asking for your consent to use non-essential cookies (like analytics). If you choose not to accept, we either won’t load those tools, or we’ll ensure no cookies beyond essentials are set. If you accept and later change your mind, you can clear cookies and adjust preferences. We will always treat your most recent preference as overriding any previous ones.
- Local Storage: If we use local storage (e.g., to save a draft), that data resides on your browser. You can usually clear your browser’s site data or use incognito mode to avoid leaving such data behind. Note: local storage is separate from cookies but can be cleared similarly via your browser settings (usually by clearing cached data).
Tracking in Emails: Since this section is about tracking technologies, we reiterate that tracking pixels in emails (for open tracking) are only added if you, as the user of Lumimail, decide to use that feature for the emails you send out. Recipients of your emails might have their own ways to block or detect such pixels (like certain email clients that block remote images by default). That is outside Lumimail’s web privacy scope, but it’s important for transparency: you are effectively choosing to track your recipients when you turn that on, and those recipients can opt out by not downloading images or clicking links. Lumimail doesn’t set cookies on recipients, but it will log their interactions as explained earlier.
We do not use cookies to serve ads or to track you on other websites. Our use of cookies is primarily to ensure the service works correctly and to gather insights on usage that help us improve Lumimail. We do not share cookie-derived data with advertisers or social media platforms.
If you have any questions about our use of cookies or how to manage them, feel free to contact us. We can provide more information or assist you in adjusting your settings.
8. Third-Party Links and Services
Lumimail may contain links to external websites or integrate with third-party services that are not operated by us. It’s important to understand that this Privacy Policy applies solely to Lumimail (our website and application) and not to any third-party websites or services that you may interact with through our platform.
External Links
If our website or documentation provides links to resources (for example, a link to a tutorial video on YouTube, or a link to our Twitter/Facebook page, or a link to Google’s security settings for convenience), clicking those will take you to a site governed by someone else’s privacy policy. We are not responsible for the content or privacy practices of those external sites. We encourage you to review the privacy policies of any website you visit via links from Lumimail, especially if you intend to share any personal information with them.
For example, if you click a "Contact Us" email link (mailto:), your email client opens and any information you send there is governed by your email provider and whatever you include in that email. Or if our blog (if we have one) links to an article on another site, that other site’s data collection is outside our control.
Third-Party Services Integrated with Lumimail
We have described in earlier sections how Lumimail integrates with Google services, Stripe, and an AI provider. These are third-party services that are essential to our functionality. When you use these through Lumimail:
- Google: Using Google Sign-In and Google APIs means you are also subject to Google’s Terms of Service and Privacy Policy. Google’s privacy policy is available at policies.google.com/privacy. We suggest reviewing it to understand how Google handles your account data, as Google might log the fact that you used Lumimail, etc. Google also provides a dashboard where you can see and manage third-party apps (like Lumimail) that have access to your Google account.
- Stripe: If you go through a Stripe checkout or billing portal (which might have a URL like stripe.com or checkout.stripe.com), that experience is governed by Stripe’s privacy policy. They may collect certain data necessary for payment and fraud detection (such as your IP address or your credit card info). Stripe’s privacy policy can be found on their official site (usually at stripe.com/privacy).
- AI Provider: While you interact with the AI feature entirely through our interface, the processing happens on a third-party server. The AI API provider (like Cohere, OpenAI, etc.) will have its own privacy commitments. We have agreements with them to protect your data, but if you’re interested, you could review the provider’s policy (for example, Cohere’s privacy policy if Cohere is used). We can provide the exact provider name and link upon request (or list it here once finalized).
- Others: If we add, say, a plug-in to connect Lumimail to another service (like a CRM or Slack notifications for email events), those services might receive some data when you use the integration. We will inform you at the point of enabling such an integration what data will flow and ensure you authorize it. Those services will handle the data under their own terms. We’ll endeavor to limit data shared and to integrate only with reputable services.
No Endorsement of Third-Party Practices: Just because we link to or integrate with a third party does not mean we endorse their privacy or security practices. We do our due diligence and choose partners carefully, but we cannot control them. For example, if a third-party website misuses data you gave them, that’s beyond Lumimail’s scope (though we would reconsider linking to them in the future if we learned of malpractices).
Social Media
If Lumimail has official pages on social media platforms (like a Twitter handle, LinkedIn page, etc.), and you interact with those, any information you provide in those interactions (comments, likes, etc.) is subject to the privacy policy of the respective platform. We might see aggregated information about engagement on our social pages, but we don’t collect that into our systems. If you direct-message us or mention us, we might use that information to respond, but we won’t add it to your Lumimail user profile without your request.
Third-Party Content in Emails
This is tangentially related: When you use Lumimail to send emails, you might include third-party content in those emails (like linking to an external site, or using images hosted on another server). If your recipients click those links or download those images, they may interact with third-party servers and those actions are not covered by Lumimail’s Privacy Policy. For example, if you link to your company’s website in an email and have Google Analytics on that site, your recipients could be tracked by that when they click. That is outside Lumimail’s control.
In summary, we want you to be aware when you leave our domain or when you connect Lumimail to other services. We strive to inform you of these hand-offs. We encourage you to be cautious and to read the privacy statements of other websites or services that you visit or use.
If you believe a third party linked to or integrated with Lumimail is misusing your personal information, or if you have any issue related to them, please let us know. We will do what we can to help or clarify, but ultimately you may need to address concerns directly with that third party.
9. Children’s Privacy
Lumimail is not directed to children, and we do not knowingly collect personal information from individuals under the age of 13 (or under the applicable age of consent in your jurisdiction, which might be 16 in some regions such as the European Union). Our service is designed for use by adults or businesses, and by using Lumimail, you affirm that you are at least 13 years old (and, if between 13 and 18, that you are using the service with parental or guardian consent and supervision, as may be required by your country’s laws).
No Services for Under 13: We do not intend for anyone under 13 to use Lumimail. We do not offer accounts to children or design portions of our service to attract them. The nature of Lumimail (integrating with email, possibly requiring a Google account) inherently requires users to be of an appropriate age to have those accounts (Google generally does not allow under 13s to create accounts without special supervision via Family Link). If you are under 13, please do not attempt to register for or use Lumimail, and do not provide us with any personal information.
No Data Collection from Children: Because we do not allow children to sign up, we do not knowingly collect any information from children. This includes not knowingly collecting personal details like name, address, email, or any kind of content from children under 13. If somehow a child interacts with our service (for example, a child’s email address is included by a user as a recipient in a campaign), that data is provided by the adult user and used only in context of that adult user’s actions. If we were to realize that personal data of a child under 13 is present in our system in a way not authorized by a parent, we would take steps to delete or anonymize that information.
COPPA Compliance: The Children’s Online Privacy Protection Act (COPPA) in the United States imposes requirements on websites/apps that collect information from children under 13. We strive to comply with COPPA by not collecting or storing data from children under 13. We also do not target children with any marketing or content. If in the future we wanted to offer educational or child-friendly versions of Lumimail (which is unlikely given the type of service), we would implement COPPA-compliant measures (like verifiable parental consent). But as of now, we simply do not allow sign-ups from that age group at all.
Parental Controls: If you are a parent or guardian and you discover that your child under 13 has created an account with Lumimail or is somehow using our service without your consent, please contact us immediately (see Contact Information below). We will take prompt action to remove the child’s information and delete the account. We may ask for proof of guardianship to ensure we are speaking with the child’s parent or guardian before taking action that affects an account.
Users Between 13 and 18: While our service is primarily aimed at business users or adults, we recognize some tech-savvy teenagers might be interested in using it (for example, a 17-year-old learning email marketing). If you are under the age of majority (which is 18 in many places), you should use Lumimail only with the involvement and permission of a parent or guardian. Some jurisdictions require parental consent for processing personal data of individuals under 16 (like certain interpretations of GDPR). In such cases, we rely on the authorized adult’s consent. If we learn that we inadvertently collected personal information from someone under the applicable age of consent without proper approval, we will delete that data.
We reserve the right to ask for age verification if we suspect an account is being used by someone underage. However, we generally don’t have age information on users since we only get what Google provides (and Google accounts for under-13 users are typically not allowed to authorize third-party apps).
In summary, Lumimail is intended for users who are old enough to manage a Google account and use email in a professional or personal capacity responsibly. We aim to comply with all laws protecting children’s privacy. If you have any concerns about children’s data in relation to Lumimail, please reach out to us.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will update the "Effective Date" at the top of the policy to indicate when those changes take effect. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.
How we will notify you of changes:
- Minor changes: If the updates are minor or do not materially affect your rights or how we use your data (for example, clarifying language or updating contact information), we may simply post the revised policy on our website with a new effective date. Your continued use of Lumimail after the effective date of the updated policy will constitute acceptance of the revised terms (to the extent permitted by law).
- Material changes: If we make significant changes to the policy, especially changes that affect what data we collect, how we use it, or how we share it, we will provide a more prominent notice. This may include posting a notice on our website’s homepage or dashboard, and/or emailing you a notification to the primary email address associated with your Lumimail account. For example, if we were to start collecting additional personal information not previously collected, or if we plan to use your data for a new purpose, we would inform you in advance.
- Consent for new uses: In the event a change requires your consent (for instance, if in the future we wanted to use your personal data for a purpose that you didn’t agree to before), we will obtain your consent before applying that change to your data. We might provide an opt-in mechanism for any new uses or, if applicable, allow you to opt out. We will never retroactively apply material changes in our policy to personal data we collected in the past without obtaining consent as required.
- Version history: For transparency, we may keep prior versions of this Privacy Policy available (for example, on our website or by request) so you can see how the policy has evolved. We’ll likely highlight the differences or summarize the changes when we notify you, so you understand what’s different.
Using Lumimail after a Privacy Policy update goes into effect means that you acknowledge and agree to the revised policy. If you do not agree with the changes, you should stop using Lumimail and may request the deletion of your data as outlined in the User Rights section.
We believe your privacy is a dynamic part of our relationship with you, and we will always strive to be upfront about how we handle your data. If you have questions or concerns about any changes in the Privacy Policy, please contact us – we’re happy to clarify any aspect of it.
11. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please don’t hesitate to contact us. We are here to help and address any issues you may have about your privacy and our service.
Contact Details:
- Email: privacy@lumimail.com (If Lumimail does not yet have a dedicated privacy email, you can use [support@lumimail.com] or another appropriate contact email. We will update this once established.)
- Mailing Address: [Lumimail Inc., 1234 Example Street, Suite 100, City, State, Postal Code, Country] (This address is a placeholder. Please insert the official business address of Lumimail or its owning entity once available. A physical address is often required for official correspondence and per privacy regulations.)
- Contact Form: You may also reach out to us through a contact form on our website (if available), or any support chat provided within the Lumimail app. Please mention that your inquiry is about the Privacy Policy or data privacy so we can route it appropriately.
We aim to respond to all legitimate inquiries as promptly as possible, typically within a few business days. If you are contacting us to exercise any of your rights (such as accessing or deleting your data), please provide sufficient information for us to verify your identity and locate your records (for example, the email you use for Lumimail, and the specific request). For certain requests, we may need to ask for additional verification to ensure we’re protecting your data from unauthorized access, but we’ll guide you through that process.
Data Protection Officer (DPO): (If applicable) At this time, Lumimail is not required by law to appoint a Data Protection Officer. If our status changes or if we voluntarily appoint a DPO, we will update this section with their contact information. In the meantime, our privacy team or management will handle data inquiries.
Supervisory Authority: If you are in the European Union and have a concern about our data practices, you have the right to lodge a complaint with your local data protection supervisory authority. We would appreciate the chance to address your concerns directly first, but you are within your rights to contact the authorities. The contact details for data protection authorities in the EU can be found on the European Data Protection Board’s website.
Once again, protecting your privacy is important to us. We welcome feedback on this Privacy Policy. If anything is unclear or if you have suggestions for improvement, let us know – privacy laws and best practices evolve, and we want to ensure our policy remains understandable and comprehensive.
Thank you for trusting Lumimail with your email communication needs. We are committed to safeguarding your personal information and using it only to serve you in the best way possible.