Privacy Policy
Last updated: June 2026
Who we are
LumaVista is operated from the Canary Islands, Spain. We provide AI-powered research automation tools. This policy explains how we collect, use, and protect your personal data in compliance with the General Data Protection Regulation (GDPR).
What data we collect
- Account information: name, email address, and password (hashed) when you register.
- Research data: the queries you submit and the reports generated by our AI agents. This data is encrypted with your personal encryption keys, stored to provide the service, and owned by you.
- Usage data: pages visited, features used, and performance metrics to improve the service. No third-party advertising trackers are used.
- Technical data: IP address, browser type, and device information collected automatically via server logs.
Consent record
When you register, we record that you accepted our Terms of Service and this Privacy Policy, together with your attestation that you are 18 years of age or older. This consent record includes a timestamp and the version of each document you accepted. We keep it as evidence that consent was given. Because this record is the evidence of a legal relationship, it is retained — in pseudonymized form, with your account identifier replaced by a non-reversible reference — even after you delete your account, for the establishment, exercise, or defence of legal claims (GDPR Art. 17(3)(e)).
Web server logs
Like any web server, ours sees the IP address, browser identifier, and requested page of every visitor — this is technically necessary for the server to respond to the request. We process this raw data on the fly to produce aggregate traffic statistics (page-view counts, country breakdowns, funnel paths) and then discard the IP address and browser identifier. We do not store, share, or sell raw logs. Lawful basis: legitimate interests (GDPR Art. 6(1)(f)) in understanding usage of our own website. Retention: 90 days for the salted, anonymised event records; aggregate statistics (which contain no personal data) are kept indefinitely.
Form-submission notifications
When you submit our contact form, we receive a notification from our form provider (Formspree) recording that a submission happened. We do not receive a copy of your message through this notification — the message itself goes to Formspree's dashboard, per their privacy policy. The notification contains only metadata (submission timestamp, country of origin, which fields you filled).
How we use your data
We process your data on the following legal bases:
- Contract performance: to provide the research automation service you signed up for.
- Legitimate interest: to improve our service, detect abuse, and ensure security.
- Consent: for optional communications such as product updates (you can opt out at any time).
Data retention
Account data is retained for the duration of your account. Research data is retained until you delete it or close your account. Usage and technical data is retained for up to 12 months. When you delete your account, all associated data is permanently removed within 30 days.
Your rights
Under the GDPR, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Delete your data ("right to be forgotten").
- Port your data to another service in a machine-readable format.
- Object to processing based on legitimate interest.
- Restrict processing while a complaint is being resolved.
To exercise these rights, contact us at privacy@lumavista.ai.
Data security
Your data is encrypted with keys that only you control. When you create an account, a unique encryption key is generated on your device — it never leaves your device in plaintext. All your research data, memories, and settings are encrypted at rest using AES-256-GCM. When you log out or your session ends, decryption keys are wiped from server memory, leaving only opaque ciphertext on disk.
During an active session, decryption keys are held in server memory to process your research queries. This is necessary for our AI agents to work with your data. When the session ends, all key material is immediately destroyed.
AI safety
Every research query passes through a multi-layered safety pipeline before and after AI processing:
- Inbound filtering: your queries are scanned for sensitive data (credentials, personal identifiers, proprietary information) and classified by sensitivity level before reaching any AI model.
- Model trust matching: your data is only sent to AI models that meet the required clearance level for its sensitivity classification. Highly sensitive data is never routed to external models.
- Outbound redaction: AI-generated reports are scanned for inadvertently leaked sensitive data, which is automatically redacted before delivery.
AI model providers are contractually prohibited from using your queries or data to train their models.
We take a defense-in-depth approach to protecting your research. For a detailed overview of our encryption architecture, key management, AI safety measures, and data isolation model, visit our Security page.
Third-party services
We use third-party AI model providers to process research queries. Your queries are sent to these providers for processing but are not used to train their models. We do not sell or share your personal data with advertisers.
International transfers
Our servers are located in the European Union. If data is transferred outside the EU (e.g., to AI model providers), we ensure appropriate safeguards are in place, including Standard Contractual Clauses.
Changes to this policy
We may update this policy from time to time. Significant changes will be communicated via email or an in-app notice. Continued use of the service after changes constitutes acceptance.
Contact
For privacy-related questions or requests, contact us at privacy@lumavista.ai.