Privacy
How Lumialo handles your personal data.
Last updated 2026-05-30.
What we collect
Account data. When you sign in we store your email address so we can send you the magic link and identify your account. We do not ask for, and do not store, a password. Analysis data you give us. To run an AI Visibility analysis we store the brand description, brand or company name, competitor names, query groups and questions you enter. This is the input you provide to the product; we keep it associated with your account so you can re-run or adjust an analysis later. Usage and cost telemetry. For every analysis we record technical metadata: which AI providers were called, response time, token counts, the dollar cost of each call, and the credits charged. We need this to run the credit system, to investigate failed runs, and to keep the service reliable. Behavioural product analytics. If — and only if — you click Accept on the cookie banner, we load PostHog and record anonymous product events such as which pages you view and which buttons you click. If you click Reject, or if you never interact with the banner, no behavioural analytics are loaded.
Why we collect it
To deliver the product you asked for. Your email and analysis inputs are what we need to actually run the analysis, email you the report, and let you return to your account later. To run the credit system honestly. Usage and cost telemetry is how we calculate what each paid-plan run actually costs in API spend, convert that into credits, and refund credits when a run fails or evidence is insufficient. To keep the service reliable. The same telemetry tells us when a provider is slow, when costs drift, or when something is broken — so we can fix it before it affects more users. To improve the product (only with your consent). Behavioural analytics via PostHog help us understand which parts of the product work and which confuse people. This data is collected only after you accept the cookie banner; if you reject, we improve the product without it. We do not sell your data. We do not share your data with advertisers, data brokers, or third parties for their own marketing. The only third parties involved are the service providers we need to operate (see Cookies and Contact).
Cookies
Consent cookie. We set one functional cookie, `lumialo_consent`, with a value of `accept` or `reject`, lifetime one year, to remember your choice on the cookie banner. This cookie is essential and is set as soon as you choose; without it we would have to ask again on every page. Analytics cookies (only after Accept). If you click Accept, we initialise PostHog, which sets its own cookies to record anonymous product analytics — which pages you visit, which buttons you click, how long sessions last. These cookies are not loaded if you reject or have not yet answered the banner. No advertising cookies. We do not load advertising trackers, social-media pixels, or third-party marketing cookies. There is no Google Analytics, no Facebook pixel, no remarketing. Changing your mind. When you are signed in, visit Account → Privacy & data → "Manage cookies & tracking" to toggle categories or revoke all consent at once. When signed out, you can change your consent by clearing the `lumialo_consent` cookie in your browser and reloading the page — the banner will reappear and you can answer again.
Your rights
Your privacy rights vary by where you live. The rights below apply to all Lumialo users; EU/EEA residents have additional statutory rights under GDPR — see the EU/EEA section below. - Know what we have. You can ask us what personal data we hold about you and download a machine-readable copy of it directly from your account at any time: Account → Privacy & data → Download my data. - Delete your data. You can permanently delete any individual analysis you have run from your account: Account → Usage history → ⋯ → Delete this analysis. To delete your whole account and the personal data tied to it, use Account → Danger zone → Delete my account — the cascade fires after you confirm via the link we email you. If you cannot reach the Account → Privacy & data area, email privacy@lumialo.com and we will confirm and process the request within one month. - Withdraw consent for product analytics. If you previously clicked Accept on the cookie banner, you can revoke that consent at any time. Signed in: Account → Privacy & data → Manage cookies & tracking → Revoke all consent. Signed out: clear the `lumialo_consent` cookie in your browser and reload — the banner will reappear and you can choose again. Either path unloads PostHog and persists your analytics opt-out. - Ask a human. For anything not yet covered by a self-service option in your account, email privacy@lumialo.com. We aim to respond within one month.
Additional rights for EU/EEA residents (GDPR)
If you live in the EU or EEA, the GDPR gives you statutory rights in addition to the universal rights above. The self-service buttons listed in Your rights are the same; what changes is the legal basis and the timelines. - Access (Art. 15) — request a copy of the personal data we hold about you. Self-service: Account → Privacy & data → Download my data (JSON, with optional CSV bundle). - Rectification (Art. 16) — correct data that is wrong or incomplete. Email-only: privacy@lumialo.com. - Erasure (Art. 17) — delete your data. Self-service per analysis: Account → Usage history → ⋯ → Delete this analysis. Self-service whole-account: Account → Danger zone → Delete my account. Email fallback: privacy@lumialo.com — we will confirm and process within one month. - Restriction (Art. 18) — ask us to stop processing while a dispute is resolved. Email-only: privacy@lumialo.com. - Portability (Art. 20) — receive your data in a machine-readable format. Self-service: Account → Privacy & data → Download my data (JSON-formatted; satisfies Art. 20). - Objection (Art. 21) — object to processing we base on legitimate interest, including product analytics. Self-service: Account → Privacy & data → Manage cookies & tracking → Revoke all consent. How long we take. We aim to respond within one month of a request as required by Art. 12(3); if your request is unusually complex we may extend by two further months and will tell you why. Right to complain. If you are not satisfied with how we handle your data, you may complain to a supervisory authority. In Denmark this is Datatilsynet (datatilsynet.dk). If you live in another EU/EEA country you may also contact the supervisory authority in your country of residence. AI transparency. Lumialo uses generative AI models from OpenAI and Anthropic to produce analyses and recommendations. AI outputs vary across runs and can contain inaccuracies. Reports clearly identify AI-generated content. Lumialo is not an AI-model provider; we are a downstream user of third-party AI services. Under the EU AI Act (Regulation (EU) 2024/1689), our use of these services qualifies as low-risk AI deployment. We monitor regulatory developments and will adjust our posture as additional Act articles enter force.
Other regions — UK, US, rest-of-world
Lumialo is operated from Denmark but serves users worldwide. The universal rights above apply to you regardless of where you live. - United Kingdom. The UK GDPR mirrors the EU GDPR substantively; the rights and timelines in Additional rights for EU/EEA residents apply to UK residents as if they were EU rights. Complaints can be addressed to the Information Commissioner's Office (ico.org.uk). - United States — California (CCPA / CPRA). California residents have additional rights under CCPA/CPRA, including the right to know what personal information we collect, the right to delete, the right to opt out of "sale" or "sharing" of personal information, and the right to non-discrimination for exercising those rights. We do not sell or share personal information for advertising. To exercise a CCPA right, email privacy@lumialo.com with subject `CCPA request`. - United States — other states + rest-of-world. Users elsewhere may have rights under state or national laws (Colorado, Virginia, Brazil LGPD, Canada PIPEDA, Australia Privacy Act, etc.). The universal rights above are available to you, and we will honour applicable statutory requests received at privacy@lumialo.com.
Which law governs
Lumialo is operated by Bertram Consulting in Denmark. These privacy practices are interpreted under Danish law and, for EU/EEA users, the GDPR. Nothing on this page limits a non-waivable consumer right you may have under the law of your country of residence. The full governing-law clause for the service is on the Terms page (see Governing law).
Contact
Data controller. Lumialo is operated by Bertram Consulting, based in Denmark. Privacy questions. privacy@lumialo.com General questions. hello@lumialo.com We answer in English. If we are slow it is because Lumialo is a small operation, not because we are ignoring you — please follow up if you have not heard back within a month.