Legal · Effective 1 May 2025
GDPR & Data Protection
Data controller
| Legal entity | Lumipact LLC |
| Registration | New Mexico, United States |
| Address | 500 4th St NW, Suite 102 #1378, Albuquerque, NM 87102, United States |
| Contact | legal@lumipact.com |
| EU representative | Available on request for EU data subjects |
Lumipact LLC is the data controller for personal data collected through lumipact.com and the Lumipact marketing surfaces. For personal data you upload into the Lumipact application (app.lumipact.com), you are the data controller and we act as your data processor under our Data Processing Addendum (lumipact.com/dpa).
What personal data we collect
We collect personal data in two contexts:
Account and marketing data (we are controller):
| Name and email address | Provided when you sign up, contact us, or submit a lead form. |
| Authentication data | OAuth tokens or hashed passwords via Supabase Auth. |
| Billing information | Payment method details processed by Stripe — we do not store card numbers. |
| Usage data | Pages visited, features used, session duration — collected via PostHog and GA4. |
| Communication history | Emails and messages you send us. |
| IP address and device | Collected for security and analytics purposes. |
Contract and operational data (you are controller): Any personal data contained in contracts you upload — counterparty names, signatory details, contact information — is processed by us on your behalf under the DPA.
Legal basis for processing
| Performance of a contract | Processing your account data, delivering the service, sending transactional emails, and processing payments. |
| Legitimate interests | Aggregate analytics to improve the product, fraud prevention, and security monitoring. We have assessed that these interests do not override your rights. |
| Consent | Marketing emails (where you have opted in) and analytics cookies beyond those that are strictly necessary. |
| Legal obligation | Retaining billing records as required by applicable law. |
How we use your data
- To create and manage your account and tenant workspace.
- To deliver renewal alerts, notifications, and product emails.
- To process payments and manage your subscription via Stripe.
- To provide customer support when you contact us.
- To analyse aggregate usage patterns and improve the platform.
- To comply with legal obligations including tax and accounting requirements.
We do not sell personal data. We do not use personal data for advertising or share it with third parties for their own commercial purposes.
Data retention
| Account data | Retained while your account is active, plus 30 days after deletion for recovery purposes. |
| Billing records | Retained for 7 years as required by applicable tax and accounting law. |
| Analytics data | Aggregated, anonymised usage data retained indefinitely. Session-level data deleted after 12 months. |
| Support correspondence | Retained for 3 years after last contact. |
| Marketing consent records | Retained for the duration of the marketing relationship plus 3 years. |
Your rights as a data subject
Under the GDPR you have the following rights regarding personal data we hold about you as controller:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — request deletion of your data where there is no overriding legal basis for retention.
- Right to restriction — ask us to pause processing while a dispute is resolved.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests, including for direct marketing.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email legal@lumipact.com with the subject line "Data subject request". We will respond within 30 days. Where requests are complex or numerous, we may extend this period by a further 60 days, with notice.
If you believe we have not handled your data correctly, you have the right to lodge a complaint with your local data protection authority. EU residents may contact their national supervisory authority (a list is available at edpb.europa.eu).
International transfers
Our primary data infrastructure is hosted within the EU (Supabase EU region, AWS EU region). Some third-party sub-processors operate outside the EEA (Resend, Stripe, OpenAI). In all cases, we rely on EU Standard Contractual Clauses (SCCs) to ensure an adequate level of protection. A full sub-processor list is available in our DPA (lumipact.com/dpa).
Automated decision-making
Lumipact uses AI to extract structured data from uploaded contract documents (counterparty name, dates, value, type). This is a processing operation that supports your workflow — it does not constitute automated decision-making with legal effect under Article 22 GDPR. You review and can correct all AI-extracted data before it is saved.
Changes to this page
We may update this page when our processing practices change. Significant changes will be communicated by email to registered users.
Contact
For data protection questions, contact us at legal@lumipact.com or by post at Lumipact LLC, 500 4th St NW, Suite 102 #1378, Albuquerque, NM 87102, United States.