Privacy Policy

Lumoras AI ("Lumoras", "we", "us", or "our") is a vertical AI orchestration platform. We build and operate multi-agent systems that help businesses in Real Estate, Enterprise operations, and specialized industrial verticals automate document ingestion, compliance auditing, and workflow coordination.

Our registered business address and data controller contact can be reached at: privacy@lumoras.ai.

We collect information in three ways:

a) Account Information

When you request access to the platform, we collect your full name, work email address, company name, and target industry vertical. Passwords are hashed with bcrypt (cost factor 12) before storage — we cannot recover your plaintext password.

b) Uploaded Documents

Our core service processes documents you upload — including purchase and sale contracts, inspection reports, property disclosures, and other business documents. These files are transmitted over TLS, processed by our AI inference pipeline, and the structured output (JSON) is returned to you.

Document content is sent to our configured LLM inference endpoints (Ollama cloud or local inference) as part of the processing pipeline. We do not permanently store the raw text of your documents beyond the duration needed to complete the requested analysis unless you explicitly enable audit logging in your account settings.

c) Usage and Technical Data

We collect standard server logs including IP addresses, request timestamps, HTTP status codes, and agent execution metrics. This data is used for platform reliability, security incident investigation, and aggregate analytics. Logs are retained for 90 days.

We use your information to:

• Provide, operate, and improve the Lumoras AI platform.
• Authenticate users and manage access control (admin approval flow).
• Route documents to the appropriate AI agent pipeline.
• Detect and prevent fraud, abuse, or unauthorized access.
• Respond to support requests and account inquiries.
• Comply with applicable legal obligations.

We do not sell your data, use it for advertising, or share it with third parties for their independent marketing purposes.

Lumoras AI uses a hybrid inference architecture. Depending on the complexity of your request and your account configuration:

• Local inference (Ollama): Document content is processed by a model running on infrastructure you or your organization controls. No data leaves your network for these calls.
• Cloud inference (Ollama Pro / third-party APIs): Portions of document text (capped payloads — typically ≤ 3,000 characters per API call) are sent to cloud LLM providers. These providers are subject to their own privacy policies. We contractually prohibit them from training on your data where such terms are available.

You can review and configure your inference routing preferences in your account settings. Enterprise plans support fully local-only inference.

Account data is stored in a SQLite database (migrating to PostgreSQL for production). Database files are encrypted at rest and access is restricted to authorized platform services.

Agent execution logs and audit records are retained for a maximum of 12 months, after which they are automatically purged unless required for an ongoing legal matter or compliance obligation.

Uploaded document files are deleted from our servers within 24 hours of the analysis completing unless your plan includes document archiving.

You have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate information in your account.
• Erasure — request deletion of your account and associated personal data.
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to certain processing activities.

To exercise any of these rights, contact us at privacy@lumoras.ai. We will respond within 30 days.

We use a single HTTP-only cookie named auth_token to maintain your authenticated session. This cookie:

• Contains a signed JWT (HS256) that expires after 7 days.
• Is flagged HttpOnly — inaccessible to client-side JavaScript.
• Is flagged Secure in production — sent only over HTTPS.
• Is flagged SameSite=Lax — protects against CSRF.

We do not use advertising cookies, analytics cookies, or tracking pixels.

We implement technical and organisational measures to protect your data, including TLS 1.2+ for all data in transit, bcrypt password hashing, JWT-based stateless sessions, database encryption at rest, and role-based access controls with admin approval gates.

No system is perfectly secure. If you discover a security vulnerability, please disclose it responsibly to security@lumoras.ai.

The Lumoras AI platform is intended for business users aged 18 and older. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such data, contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 14 days before they take effect. The "Effective date" at the top of this page reflects the date of the most recent revision. Continued use of the platform after the effective date constitutes acceptance of the revised policy.

For privacy-related questions, data requests, or concerns, contact our data team at:

Lumoras AI — Privacy
privacy@lumoras.ai