At Lumenly, we are committed to protecting your personal data and ensuring compliance with applicable data privacy laws, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and other relevant privacy legislation.
This Data Privacy & Retention Policy outlines our comprehensive data deletion and retention practices, your rights regarding your personal data, and how we ensure compliance with applicable data privacy laws.
1. Data Retention Policy
1.1 Active Account Data
We retain your personal data and financial information for as long as your account is active and you continue to use our Service. This includes:
- Account information (name, email, phone number)
- Business profile data
- Financial account connections and transaction data
- User preferences and settings
- Analytics and usage data
Retention Period: Data is retained while your account is active. If your account becomes inactive (no login for 24 months), we will contact you before initiating data deletion procedures.
1.2 Financial Data
Financial data obtained through Plaid or other integrations is retained as follows:
- Transaction Data: Retained for the duration of your account plus 7 years for tax and compliance purposes, or as required by applicable law
- Account Information: Retained while the account connection is active
- Plaid Access Tokens: Retained only while the connection is active; revoked immediately upon disconnection
1.3 Legal and Compliance Retention
We may retain certain data beyond account deletion when required by law, including:
- Financial records: 7 years (tax compliance)
- Legal disputes: Until resolution plus applicable statute of limitations
- Regulatory requirements: As specified by applicable regulations
- Fraud prevention: As necessary to prevent and detect fraudulent activity
2. Data Deletion Policy
2.1 User-Initiated Deletion
You have the right to request deletion of your personal data at any time. Upon receiving a verified deletion request:
- We will permanently delete your account and all associated personal data within 30 days of verification
- All financial account connections will be immediately disconnected and Plaid access tokens revoked
- All transaction data, insights, and preferences will be permanently deleted
- You will receive confirmation of deletion via email
To request account deletion: Contact us at support@lumenly.ai with the subject line "Account Deletion Request" and include your account email address for verification.
2.2 Automatic Deletion
We automatically delete data in the following circumstances:
- Inactive Accounts: After 24 months of inactivity, we will attempt to contact you. If no response is received within 60 days, we will proceed with account deletion
- Disconnected Financial Accounts: When you disconnect a financial account, all associated transaction data is deleted within 30 days, except where retention is required by law
- Expired Sessions: Temporary session data is automatically purged after 30 days of inactivity
- Backup Data: Automated backups are retained for 90 days, then permanently deleted
2.3 Deletion Process
Our data deletion process includes:
- Verification: We verify your identity before processing deletion requests
- Immediate Actions: Financial connections are disconnected and access tokens revoked immediately
- Data Removal: All personal data is removed from active databases within 30 days
- Backup Cleanup: Data is removed from backups within 90 days
- Third-Party Cleanup: We request deletion of your data from service providers (e.g., Plaid, Twilio) within 30 days
- Confirmation: You receive written confirmation of deletion completion
3. Data Deletion Scope
3.1 What Gets Deleted
Upon account deletion, we permanently delete:
- All account information (name, email, phone number, password hashes)
- Business profile and onboarding data
- All financial account connections and access tokens
- All transaction history and financial data
- All insights, alerts, and recommendations
- User preferences and settings
- Communication history and support tickets
- Analytics and usage data linked to your account
3.2 What May Be Retained
We may retain certain data in anonymized or aggregated form, or as required by law:
- Anonymized Analytics: Aggregated, non-identifiable data used for service improvement
- Legal Records: Data required for legal compliance, dispute resolution, or fraud prevention
- Financial Records: Transaction data required for tax or regulatory compliance (7 years)
- Log Data: System logs may be retained for security purposes but are anonymized after 90 days
4. Compliance with Data Privacy Laws
4.1 GDPR Compliance (European Union)
For users in the European Economic Area (EEA), we comply with GDPR requirements:
- Right to Erasure (Article 17): You can request deletion of your personal data at any time
- Right to Access (Article 15): You can request a copy of all personal data we hold about you
- Right to Rectification (Article 16): You can correct inaccurate personal data
- Right to Data Portability (Article 20): You can request your data in a machine-readable format
- Right to Object (Article 21): You can object to processing of your personal data
- Data Protection Officer: Contact privacy@lumenly.ai for GDPR-related inquiries
4.2 CCPA Compliance (California)
For California residents, we comply with CCPA requirements:
- Right to Know: You can request disclosure of personal information we collect, use, and share
- Right to Delete: You can request deletion of your personal information
- Right to Opt-Out: We do not sell personal information, but you can opt out of data sharing
- Non-Discrimination: We will not discriminate against you for exercising your privacy rights
4.3 PIPEDA Compliance (Canada)
For Canadian users, we comply with PIPEDA requirements:
- Consent: We obtain your explicit consent before collecting personal information
- Purpose Limitation: We only collect data necessary for providing our Service
- Retention Limitation: We retain data only as long as necessary for the stated purposes
- Access and Correction: You can access and correct your personal information
- Accountability: We are responsible for protecting your personal information
5. Data Security During Retention
While we retain your data, we maintain the same security standards:
- Encryption at rest and in transit
- Access controls and authentication
- Regular security audits and monitoring
- Compliance with industry security standards
6. Third-Party Data Deletion
When you request account deletion, we also request deletion of your data from our service providers:
- Plaid: We revoke all access tokens and request deletion of your financial data
- Twilio: We request deletion of SMS communication logs and phone number data
- Hosting Providers: We ensure data is removed from all backup systems
- Analytics Providers: We request deletion of user-specific analytics data
Third-party deletion requests are processed within 30 days of your account deletion request.
7. Data Minimization
We practice data minimization principles:
- We only collect data that is necessary for providing our Service
- We do not collect sensitive data beyond what is required
- We regularly review and purge unnecessary data
- We use anonymization and aggregation where possible
8. Your Rights
You have the following rights regarding your personal data:
- Right to Access: Request a copy of all personal data we hold about you
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data
- Right to Restrict Processing: Request limitation of how we process your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing of your personal data
- Right to Withdraw Consent: Withdraw consent for data processing at any time
To exercise any of these rights, contact us at support@lumenly.ai or privacy@lumenly.ai. We will respond to your request within 30 days.
9. Enforcement and Monitoring
We enforce our data deletion and retention policies through:
- Automated deletion processes and scheduled cleanup jobs
- Regular audits of data retention practices
- Employee training on data privacy and retention requirements
- Documentation of all deletion requests and their completion
- Compliance monitoring and reporting
10. Changes to This Policy
We may update this Data Privacy & Retention Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of our Service after such changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about our data deletion and retention practices, or wish to exercise your privacy rights, please contact us: