Privacy Policy

Lumoras AI ("Lumoras", "we", "us", or "our") is a vertical AI orchestration platform. We build and operate multi-agent systems that help businesses across any regulated, operations-heavy, or data-driven industry automate document ingestion, compliance auditing, and workflow coordination.

Our registered business address and data controller contact can be reached at: [email protected].

We collect information in three ways:

a) Account Information

When you request access to the platform, we collect your full name, work email address, company name, and target industry vertical. Passwords are hashed with bcrypt (cost factor 12) before storage — we cannot recover your plaintext password.

b) Uploaded Documents

Our core service processes documents you upload — including purchase and sale contracts, inspection reports, property disclosures, and other business documents. These files are transmitted over TLS, processed by our AI inference pipeline, and the structured output (JSON) is returned to you.

Document content is sent to our configured LLM inference endpoints (Claude Opus 4.6 and GPT-5.5) as part of the processing pipeline. We do not permanently store the raw text of your documents beyond the duration needed to complete the requested analysis unless you explicitly enable audit logging in your account settings.

c) Usage and Technical Data

We collect standard server logs including IP addresses, request timestamps, HTTP status codes, and agent execution metrics. This data is used for platform reliability, security incident investigation, and aggregate analytics. Logs are retained for 90 days.

We use your information to:

• Provide, operate, and improve the Lumoras AI platform.
• Authenticate users and manage access control (admin approval flow).
• Route documents to the appropriate AI agent pipeline.
• Detect and prevent fraud, abuse, or unauthorized access.
• Respond to support requests and account inquiries.
• Comply with applicable legal obligations.

We do not sell your data, use it for advertising, or share it with third parties for their independent marketing purposes.

Lumoras AI routes all AI inference through the OpenClaw Gateway — a unified API layer that delivers structured prompts to premium cloud LLM providers. Lumoras AI uses exclusively:

• Claude Opus 4.6 (Anthropic): Used for high-reasoning tasks including contract extraction, compliance auditing, and multi-step orchestration planning.
• GPT-5.5 (OpenAI): Used for document summarisation, structured data generation, and cross-validation of agent outputs.

Portions of document text (capped payloads — typically ≤ 3,000 characters per API call) are transmitted to these providers over TLS. Each provider is subject to their own privacy policy. We contractually prohibit them from training on your data where such data-processing terms are available.

No document content is processed by local or on-premise models. All inference occurs exclusively through the OpenClaw Gateway to Anthropic and OpenAI endpoints.

Account data is stored in a SQLite database (migrating to PostgreSQL for production). Database files are encrypted at rest and access is restricted to authorized platform services.

Agent execution logs and audit records are retained for a maximum of 12 months, after which they are automatically purged unless required for an ongoing legal matter or compliance obligation.

Uploaded document files are deleted from our servers within 24 hours of the analysis completing unless your plan includes document archiving.

You have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate information in your account.
• Erasure — request deletion of your account and associated personal data.
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to certain processing activities.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

We use a single HTTPS-only cookie named auth_token to maintain your authenticated session. This cookie:

• Contains a signed JWT (HS256) that expires after 7 days.
• Is flagged HttpOnly — inaccessible to client-side JavaScript.
• Is flagged Secure — sent only over HTTPS.
• Is flagged SameSite=Lax — protects against CSRF.

We do not use advertising cookies, analytics cookies, or tracking pixels.

We implement technical and organisational measures to protect your data, including TLS 1.2+ for all data in transit, bcrypt password hashing, JWT-based stateless sessions, database encryption at rest, and role-based access controls with admin approval gates.

No system is perfectly secure. If you discover a security vulnerability, please disclose it responsibly to [email protected].

The Lumoras AI platform is intended for business users aged 18 and older. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such data, contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 14 days before they take effect. The "Effective date" at the top of this page reflects the date of the most recent revision. Continued use of the platform after the effective date constitutes acceptance of the revised policy.

For privacy-related questions, data requests, or concerns, contact our data team at:

Lumoras AI — Privacy
[email protected]