LUMA ("we," "us," or "our") operates a Shopify application that provides AI-powered customer service automation, including Instagram DM management and Shopify storefront chat. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you install and use the LUMA application.
This policy is provided in compliance with the Shopify Partner Program Agreement, Shopify API License and Terms of Use, Meta Platform Terms, the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and all applicable US state privacy laws effective as of 2026.
1. Information We Collect
1.1 Information from Shopify (Merchant Data)
When you install LUMA from the Shopify App Store, we access certain data through the Shopify API with your authorization:
- Store information: Store name, domain, email, currency, timezone, and locale settings
- Product catalog: Product titles, descriptions, variants, pricing, inventory levels, and images for the purpose of powering AI-assisted customer inquiries
- Order data: Order numbers, fulfillment status, tracking numbers, and shipping information solely to respond to customer order tracking inquiries
- Customer data: Customer names and conversation context necessary to handle support inquiries. We do not access or store payment information, credit card details, or full customer addresses
1.2 Information from Meta / Instagram
When you connect your Instagram Business or Creator account, we access data through the Instagram Graph API in accordance with Meta Platform Terms:
- Page/account info: Instagram Business account name and ID
- Messages: Instagram Direct Message content sent to your business page, solely for the purpose of automated customer service responses
- Message metadata: Timestamps, sender identifiers (Instagram-scoped IDs only)
We only access Instagram Business or Creator accounts that you explicitly authorize. We do not access personal Instagram accounts, follower lists, or public content beyond your authorized DM conversations.
1.3 Information You Provide Directly
- Account configuration preferences (auto-reply templates, escalation rules, bot personality settings)
- Support inquiries and communications with our team
1.4 Automatically Collected Information
- Usage analytics: Feature usage, message volumes, resolution rates (aggregated)
- Technical logs: Error logs, API response times, system performance metrics
- Device/browser information when accessing the LUMA dashboard within Shopify Admin
2. How We Use Your Information
We use the information we collect exclusively for the following purposes:
- Providing the Service: Powering AI-automated customer replies, order tracking lookups, product catalog queries, and human escalation workflows
- Improving the Service: Analyzing aggregated, anonymized usage patterns to improve response accuracy, pre-filter efficiency, and overall performance
- Customer Support: Responding to your support inquiries and troubleshooting issues
- Security: Detecting and preventing fraud, abuse, and security incidents
- Legal Compliance: Fulfilling legal obligations, including Shopify's GDPR/privacy compliance requirements
We do not:
- Sell, rent, or trade your data or your customers' data to third parties
- Use merchant or customer data for advertising or marketing purposes
- Use data collected through the Shopify API or Instagram API for any purpose other than providing and improving the LUMA service
- Share data between different merchant accounts (multi-tenant data isolation)
3. AI Processing & Data Handling
LUMA uses AI language models (currently Claude by Anthropic) to generate customer responses. Here is how your data interacts with AI:
- Pre-filter layer: Approximately 80% of messages (greetings, order tracking, duplicates, emoji-only) are handled by deterministic rules without any AI processing. No data is sent to any AI provider for these messages.
- AI-processed messages: For complex inquiries, message content and relevant product/order context are sent to the AI provider to generate a response. This data is processed in real time and is not used to train AI models.
- Data minimization: We send only the minimum context needed for each response. We do not send full customer profiles, payment data, or unrelated order history.
4. Data Sharing & Third Parties
We share data only with the following categories of service providers, all of whom are bound by data processing agreements:
- Anthropic (Claude AI): Message content for AI response generation. Subject to Anthropic's commercial API data policy — data is not used for model training.
- Supabase: Database hosting and real-time infrastructure. Data stored with encryption at rest and in transit.
- Shopify: Data exchanged through Shopify's authenticated API as part of the embedded app framework.
- Meta / Instagram: Message replies sent back through the Instagram Graph API to the customer's DM conversation.
We do not share data with any advertising networks, data brokers, or analytics platforms that would use your data for their own purposes.
5. Data Retention & Deletion
- Active use: We retain conversation data, analytics, and configuration for as long as the LUMA app is installed on your Shopify store.
- After uninstall: When you uninstall LUMA, we initiate deletion of all your store data within 30 days. This includes all conversations, customer data, product catalog data, and configuration settings.
- Shopify GDPR webhooks: We implement and respond to all mandatory Shopify GDPR webhooks:
  - customers/data_request: We provide all stored data about a specific customer
  - customers/redact: We delete all stored data about a specific customer
  - shop/redact: We delete all stored data for the entire shop
- Backup retention: Encrypted backups may persist for up to 90 days after deletion for disaster recovery, after which they are permanently purged.
6. Data Security
We implement industry-standard security measures to protect your data:
- All API communications use HTTPS/TLS encryption
- Shopify webhook signatures verified using HMAC-SHA256
- Multi-tenant architecture with complete data isolation between merchant stores
- Database encryption at rest (AES-256)
- Access tokens stored encrypted and scoped to minimum required permissions
- Regular security reviews and monitoring
7. Your Rights
7.1 GDPR Rights (EU/EEA/UK Residents)
If you or your customers are located in the EU, EEA, or UK, the following rights apply:
- Right of Access: Request a copy of the personal data we hold
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of personal data
- Right to Restriction: Request restriction of data processing
- Right to Data Portability: Receive data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
Our legal basis for processing is contractual necessity (providing the service you installed) and legitimate interest (improving service quality).
7.2 CCPA/CPRA Rights (California Residents)
- Right to Know: Request disclosure of data collected and shared
- Right to Delete: Request deletion of personal information
- Right to Opt-Out of Sale: We do not sell personal information. No opt-out is necessary.
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
7.3 Additional US State Privacy Laws
We comply with all applicable US state privacy laws effective as of 2026, including laws in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Kentucky, Rhode Island, and others. Residents of these states may exercise rights similar to those described above.
8. Meta Platform Compliance
In addition to the above, we comply with Meta's Platform Terms and Developer Policies:
- We only access Instagram data that users explicitly authorize
- We do not store Instagram data longer than necessary to provide the service
- We do not transfer Instagram data to third parties except as described in this policy
- We delete all Instagram-related data upon user request or upon disconnection of the Instagram account
- We keep all versions of this privacy policy and make them available upon Meta's request
- All service providers with access to Instagram data have signed data processing agreements
9. Cookies & Tracking
The LUMA dashboard operates as an embedded Shopify app and does not set its own cookies. We rely on Shopify's session management for authentication. We do not use any third-party tracking pixels, advertising cookies, or behavioral analytics tools.
10. Children's Privacy
LUMA is a B2B service designed for Shopify merchants. We do not knowingly collect or process data from children under 16 (or under 13 in the US). If we become aware that we have collected data from a child, we will delete it immediately.
11. International Data Transfers
Your data may be processed in countries outside your jurisdiction. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required for EU/UK data transfers.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the LUMA dashboard and updating the "Last Updated" date. Continued use of LUMA after changes constitutes acceptance of the updated policy.
13. Contact Us
For privacy-related inquiries, data requests, or to exercise your rights:
- Email: privacy@lumabot.app
- Data Protection Officer: dpo@lumabot.app
- Mailing Address: LUMA, [Your Business Address]
We will respond to all privacy requests within 30 days (or sooner as required by applicable law).
This privacy policy complies with: Shopify Partner Program Agreement (updated Feb 27, 2026), Shopify API License and Terms of Use, Meta Platform Terms, EU GDPR, CCPA/CPRA, and applicable US state privacy laws effective as of 2026.