Privacy Policy

Last updated: May 30th, 2024

Your privacy is important to Lumu. Our full legal name is Lumu Technologies Inc., a Delaware duly incorporated company with offices at 8600 NW 36th Street, Suite 150, Doral, Florida, 33166.

In this privacy policy, we refer to –

“Applications” as our technology to identify and mitigate security breaches. Our technology comprises the various software components listed in the “Product” section of our website at www.lumu.io (the “Lumu Public Site”);

“Customer” as our customer with whom we have entered into an agreement to provide the Services;

“Digital Properties” as the Lumu Public Site, each Lumu Private Site (if any), each Lumu Software Components (if any) and all of the Intellectual Property Rights of Lumu;

“Lumu Solutions” as those solutions designated on the Lumu Public Site that we have developed for one or more of our Applications or Third Party Applications;

“Services” as the various software-as-a-service (SaaS) offerings that we make available to our Customers for their authorized user’s access to and use of the Applications online through a password-protected, specific site that we make available to our Customers.

This privacy policy sets out how we collect and treat personal information provided, or made available, to us. Personal information means any information relating to an identified or identifiable natural person. A natural person is an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as name, email, or one or more factors specific to the identity of that natural person. Personal information does not include information that is anonymized and/or corporate information that relates to an organization, such as corporate name, corporate address or corporate phone number, but if it is combined with personal information, it will be treated as personal information under this privacy policy.

Information that we collect and how we use that information

(a) Information we collect from the Lumu Public Site

Voluntarily Provided Information – We collect the following information on the Lumu Public Site if you voluntarily provide this information to us from the various web submission forms on the Lumu Public Site (collectively “Voluntarily Provided Information”): your first name, your last name, your company name, the state or region of your location, your email address, your phone number, your comments to us, your LinkedIn address, our products that you indicate you are interested in learning more information about, the services that you indicate you are interested in learning more information with regard to how our products integrate with our Applications or any third-party applications. These web submission forms on the Lumu Public Site include, but are not limited to, demo requests, datasheet requests, contact requests, survey requests, recording requests and job application requests. We collect Voluntarily Provided Information to respond to your requests to contact you regarding demos, product information or product integration information or your requests regarding job opportunities at Lumu. Lumu may use Voluntarily Provided Information to contact you about our products and services or about job opportunities at Lumu, depending on the nature of your inquiry to Lumu. You are not obligated to provide us with your Voluntarily Provided Information but if you do not provide this information, we may not be able to provide all the functionalities of our Public or Private Site, answer your questions and/or enter into an agreement with you. We will never provide your Voluntarily Provided Information to third-party product or service providers to market their products and services to you. You may opt-out of Lumu using your Voluntarily Provided Information by contacting us at [email protected]. Within ten (10) days after our receipt of your opt-out request, we will delete all of your Voluntarily Provided Information in our possession or control and cease any further attempt to contact you about our products and services or job opportunities at Lumu.

(b) Information that we collect from the Digital Properties

With respect to each active Customer, we maintain a separate database of that Customer’s information that is accessible through a Lumu Private Site that is specific to that Customer. The following are the types of information that we collect on the Lumu Private Site (collectively, the “Customer Provided Information”): (i) the Customer’s account information such as the Customer’s name, mailing address, website address, and phone number; (ii) name, email address and mailing address for each of Customer’s principal contacts; (iii) name, username and password specific to the Lumu Private Site, job title, organization department, phone number and email address for each Customer’s authorized user for the Lumu Private Site; (iv) Customer prospect information to enable use of our Services which information includes, but is not limited to: account name, contact name, title and phone number; and (v) any information necessary to enable integration of an Application with Customer’s networks, if any.

With respect to our Customers who enable integration of an Application with any Lumu Solution, the following metadata may be collected in order to obtain the maximum value of the Lumu Solutions: IP addresses, DNS queries, network summaries in the form of NetFlow or a similar technology specification, and emails categorized as spam by the antispam technology implemented by the Customer. Lumu Applications never collect full packet capture of encrypted or unencrypted traffic in Customer’s network.

During the term of each Customer’s agreement with Lumu, our Customer has the ability to delete and export its Customer Provided Information stored in the Applications. After the end of the term of Lumu’s agreement with its Customer, Lumu will continue to maintain the Customer Provided Information until the earlier of (i) Lumu electing to delete the information, or (ii) within ten (10) days after Customer’s authorized representative has directed Lumu to delete all Customer Provided Information. We only retain and use a Customer’s Customer Provided Information to provide that Customer the Services that the Customer has entered into agreement with Lumu to provide, and as described in the “Other disclosures” section below.

(c) Site usage information that we collect on our Digital Properties

Through the use of cookies (as further described below), information is collected automatically when you access our Digital Properties through a web browser or communicate with us through a web browser on those sites. This information includes data about your visit, including the pages you view, the links you click, and other actions taken in connection with our Services. We also collect certain standard information that your browser sends to our Digital Properties that you visit, such as your IP address, browser type and language, access times, and referring website addresses. When you receive our newsletters or promotional emails, we may use Web beacons (described below), customized links, or similar technologies to determine whether the email has been opened and which links you click in order to tailor our newsletters and promotional emails to your interests.

With respect to our Customers, we require each Customer’s authorized users to log-in to the Applications to use our Services. We monitor and collect certain usage information in connection with the use of our Services. For example, we track the computer or other devices that an authorized user is logging in from, the Applications and Services that are used by the authorized user, and other usage data such as the date and time the Applications and Services were used.

Cookies – When you visit our Digital Properties we send one or more “cookies” to your computer or other devices. Cookies are alphanumeric identifiers stored on your computer or device through your web browser and are used by most websites to help personalize your web experience. Some cookies may facilitate additional site features for enhanced performance and functionality such as remembering preferences, allowing social interactions, analyzing usage for site optimization, providing custom content and serving images or videos from third party websites. Some features on our Digital Properties will not function if you do not allow cookies. We may link the information we store in cookies to any Voluntarily Provided Information or Customer Provided Information that you submit while on any of our Digital Properties. We use both session ID cookies and persistent cookies. A session ID cookie expires when you close your browser. A persistent cookie remains on your hard drive for an extended period of time. Persistent cookies enable us to track and target the interest of our users to enhance their experience on our Digital Properties. You can remove persistent cookies by following directions provided in your Internet browser’s “help” file. Functional cookies, persistent and session type, store information to enable core site functionality, such as Live Chat and login credential remembrance. Analytics cookies allow us to count page visits and traffic sources so we can measure and improve the performance of our Digital Properties and our marketing campaigns. If you reject cookies, you may still use the Digital Property pertaining to the deleted cookie, but some features on that site will not function properly.

Web Beacons – We use Web Beacons alone or in conjunction with cookies to compile information about our Digital Properties. A Web Beacon is a tiny graphic object that is embedded in a web page or email and is usually invisible to the user but allows checking that a user has viewed the page or email. Web Beacons may be used within the Digital Properties to track email open rates, web page visits or form submissions. In some cases, we tie the information gathered by Web Beacons to the Voluntarily Provided Information or the Customer Provided Information. For example, we use clear gifs in our HTML-based emails to let us know which emails to potential respondents have been opened. This allows us to gauge the effectiveness of certain communications and the effectiveness of our services.

Third-Party Tracking Technologies – The use of cookies and web beacons by any tracking utility company or third-party service provider is not covered by this privacy policy. We do not have access or control over these cookies and web beacons.

Analytics Software – We and our third-party tracking-utility partners use log files on the Lumu Public Site to gather certain information automatically and store it for analytical purposes. This information includes internet protocol (“IP”) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data. We use this information to track and aggregate non-personally identifiable information to analyze trends, administer our Digital Properties, track users’ movements around our Digital Properties and to gather demographic information about our user base in the aggregate.

Social Media Features and Widgets – The Lumu Public Site includes social media features such as Facebook, Instagram, Twitter, and LinkedIn. These features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the feature to function properly. Social Media Features and widgets are either hosted by a third party or hosted directly on our Digital Properties. Your interactions with these Features are governed by the policy of the company providing it. We do not enable social media features on the Lumu Private Site.

“Do not track” and similar mechanisms – Some web browsers may transmit “do-not-track” signals to websites with which the browser communicates. Because of differences in how web browsers incorporate and activate this feature, it is not always clear whether users intend for these signals to be transmitted, or whether they are even aware of them. Participants in the leading Internet standards-setting organization that is addressing this issue are in the process of determining what, if anything, websites should do when they receive such signals. Lumu currently does not take action in response to these signals. If and when a final standard is established and accepted, we will reassess how to respond to these signals.

(d) The Legal basis of processing

Some jurisdictions require explanation of the legal basis for the collection and processing of personal information. These are our legal grounds on which we collect and process personal information: (a) as necessary to perform a transaction (such as in order to provide the products and services you requested); (b) as necessary to comply with a legal obligation (such as when we use Personal Data for record keeping to substantiate tax liability); (c) consent (where you have provided consent as appropriate under applicable law, such as for direct marketing or certain cookies); and (d) necessary for legitimate interests (such as when we act to maintain our business generally, including maintaining the safety and security of our Sites).

(e) The Lumu Public and Private Sites are intended for business use, and we do not knowingly collect any Personal Data from children younger than the age of eighteen (18), or otherwise as prohibited by applicable law.

Other disclosures

In addition to the disclosures reasonably necessary for the purposes identified elsewhere in this privacy policy, we may disclose Voluntarily Provided Information and Company Provided Information in the following circumstances: (i) to the extent that we are required to do so by law; (ii) in connection with any legal proceedings or prospective legal proceedings; (iii) in order to establish, exercise or defend our legal rights; and (iv) in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Security

We will take reasonable precautions to prevent the loss, misuse or alteration of your personal information. Data transmission over the Internet is inherently insecure and we cannot guarantee the security of data sent over the Internet. Lumu requires the use of Secure Sockets Layer (SSL) encryption while utilizing our Services, which ensures that our Customer’s data is encrypted during the transmission between a Customer’s authorized user’s browser and Lumu’s servers. Data encryption mitigates the risk that unauthorized changes are made to the data during transmission and mitigates the risk that the data will be viewed during transmission by any unauthorized party. Each Customer’s data set in our possession or control is stored in a separate database in our data center, which is compliant with the SOC 2 Type II standards. In addition, Lumu performs quarterly external audits on Lumu’s external-facing servers and equipment. Each Customer’s authorized user is responsible for keeping his or her password to our Applications confidential. We will not ask you for your passwords.

You are responsible for the accuracy of all personal information that you provide to us. We will use reasonable efforts to maintain the accuracy and integrity of your personal information and to update that information as appropriate upon your request. We process and retain your personal information for the duration of the business relationship. This may not only be for the time necessary to answer any user request, but may also include the initiation of an agreement (pre-contractual legal relationship) and the performance of such agreement, including any post-contractual obligations.

With whom we may share your Information

  1. We transact business internationally. Accordingly, from time to time and subject to the provisions of this Privacy Policy governing your rights and choices, we may share your personal information within our subsidiaries to the extent permitted by law and/or in connection with the performance of our obligations derived from agreements signed and executed with you. The agreements will include the necessary safeguards, including in particular with respect to the protection of your personal information, the exercise of your rights and our or our subsidiaries’ obligations under the applicable laws and this Privacy Policy. The information may be used for internal business and operational purposes, as well as for purposes consistent with the purpose for which the information was originally collected or authorized by you.
  2. Like everyone who participates in economic activities, we are also subject to a large number of legal obligations. These are primarily statutory requirements (such as, but not limited to, commercial and tax laws), but also, where applicable, regulatory or other official requirements. The purposes of processing may include identity and age verification, fraud and money laundering prevention, the prevention, combating and investigation of terrorist financing and offences endangering assets, the fulfilment of fiscal control and reporting obligations and the archiving of data for the purposes of data protection and data security as well as verification by tax and other authorities. Furthermore, the disclosure of personal information within the framework of official/judicial measures may become necessary for the purposes of taking evidence, prosecution or the enforcement of civil law claims. Unless prohibited by applicable mandatory laws, we may access, use, preserve, transfer and disclose to third parties your personal information to: (1) satisfy any applicable law, regulation, subpoena, governmental request, or legal process if in our good faith opinion such is required or permitted by law; (2) protect and/or defend this Privacy Policy or other policies or terms of use applicable to our Sites, including investigations of potential violations thereof; (3) protect the safety, rights, property or security of Lumu or any third party; and/or (4) detect, prevent or otherwise address fraud, security issues or breaches, or technical issues.
  3. Lumu Public and Private Sites and the servers on which they are hosted are operated in various countries around the world in which we conduct our business. Thus, your personal information associated with our Lumu Public and Private Sites may be transferred to and/or processed in a country other than that from which it was collected. The data protection laws in those countries may differ from those of the country in which you are located. Nevertheless, we will impose upon such third-party service providers any and all obligations we are assuming hereunder, and will at least take all measures imposed by mandatory applicable laws in view of protecting and securing the processing of any personal information by such third party service providers.

Policy amendments

We may update this privacy policy from time to time by posting a new version on the Lumu Public Site. We encourage you to periodically review this privacy policy to be informed of how Lumu is protecting your information.

Third-party websites

The Lumu Public Site may contain links to other websites. We are not responsible for the privacy policies of third-party websites or such site operators’ actions including the collection or use of your personal information.

Accountability for Onward Transfers

Lumu uses a limited number of third-party service providers to assist us in providing our Services to Customers. These third-party providers assist with the transmission of data and provide data storage services and assist with certain call handling features that require manual intervention (“Call Handlers”). Call Handlers only receive temporary encrypted remote access to that set of data necessary to perform their services and Customer Provided Information is not stored on Call Handler computers or devices. Lumu’s data transmission and data storage service providers all certify compliance with the EU-U.S. Data Privacy Framework and Call Handlers are restricted from direct access to Voluntarily Provided Information and Customer Provided Information but, if necessary, may be granted access to such information only to the extent necessary to permit them to perform their contracted services, are bound by confidentiality agreements and are restricted from using the information for other purposes.

Access

Upon request, Lumu will grant individuals reasonable access to their personal information in Lumu’s possession or control and allow the individual to correct, amend or delete information that is demonstrated to be inaccurate or incomplete, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated. In this regard, Lumu depends on its Customers to update and correct personal information to the extent necessary for the purposes for which the information was collected or subsequently authorized by the individuals. Customers may contact Lumu as indicated below to request that Lumu update or correct relevant personal information.

Contact

If you have any questions about this privacy policy or our treatment of your personal information, please write to us by email to [email protected] or by mail to Lumu Technologies, Inc., 8600 N.W. 36th Street Suite 150, Doral, FL 33166.

In compliance with the EU-U.S. Data Privacy Framework Principles, Lumu commits to resolve complaints about your privacy and our collection or use of your personal information. EU residents with inquiries or complaints regarding this privacy policy should first contact Lumu at:

Lumu Technologies, Inc.
c/o Legal Affairs
8600 N.W. 36th Street Suite 150
Doral, FL 33166
Or at: [email protected]

EU-U.S. and UK Data Privacy Framework (EU and UK Residents)

This section of our privacy policy is only applicable to EU and UK residents.

Lumu complies with the EU-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom to the United States. Lumu has certified to the Department of Commerce that it adheres to the Data Privacy Framework Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability, and the 16 Supplemental Principles (collectively, “Data Privacy Framework Principles”). Such adherence is subject to investigation and enforcement by the U.S. Federal Trade Commission.

Lumu processes data submitted by our Customers for the purpose of us providing our Services to our Customers. To fulfill these purposes, Lumu may access the data to provide the Services, to correct and address technical or service problems, or to follow instructions of our Customer who submitted the data, or in response to contractual requirements.

Lumu’s participation in the Data Privacy Framework applies to all personal information that is subject to this privacy policy and is received by or on behalf of Lumu from the European Union and European Economic Area and the United Kingdom. The personal information collected would be (i) the Customer’s account information such as the Customer’s name, mailing address, website address, and phone number; (ii) name, email address and mailing address for each of Customer’s principal contacts; (iii) name, username and password specific to the Lumu Private Site, job title, organization department, phone number and email address for each Customer’s authorized user for the Lumu Private Site; (iv) Customer prospect information to enable use of our Services which information includes, but is not limited to: account name, contact name, title and phone number; and (v) any information necessary to enable integration of an Application with Customer’s networks, if any.

Lumu and all of its entities and/or subsidiaries including but not limited to Lumu Technologies S.A.S, Lumu do Brasil LTDA., Lumu Technologies Canada Inc., and all the entities incorporated afterwards, will comply with the Data Privacy Framework Principles in respect of such personal information. If there is any conflict between the terms of this privacy policy and the Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern in respect of such personal information. Lumu’s adherence to the Data Privacy Framework Principles may be limited to the extent necessary to meet national security, public interest, or law enforcement requirements.

Lumu’s accountability for personal information that it receives under the Data Privacy Framework and subsequently transfers to a third party is described in the Data Privacy Framework Principles. In particular, Lumu remains responsible and liable under the Data Privacy Framework Principles if third-party agents that we engage to process personal information on our behalf do so in a manner inconsistent with the Data Privacy Framework Principles, unless we prove that we are not responsible for the event giving rise to the damage.

EU residents have rights to access personal data about them and to limit the use and disclosure of their personal data. With our Data Privacy Framework certification, Lumu has committed to respect those rights. Because Lumu personnel have limited ability to access data our Customers submit to our services, if you wish to request access, to limit use, or to limit disclosure, please provide the name of the Lumu Customer who submitted your data to our Services. We will refer your request to that Customer, and will support them as needed in responding to your request.

In addition, Lumu provides individuals with certain choices regarding how we use and disclose personal information we receive under the Data Privacy Framework. First, if Lumu uses your personal information for a materially different purpose than that for which it was originally collected or discloses your personal information to a third party (other than third-party providers acting on our behalf), we will first provide you with a clear, conspicuous, and readily available mechanism to opt-out of any such use or disclosure (for example, by sending you an email seeking your consent). Further, all of our email communications include the ability to opt-out from receiving future emails, except those emails that are necessary to provide you with the Services that our Customers have contracted with us to provide. If you have any questions about your choices regarding how we use and disclose your personal information, or how to exercise these choices, please contact us according to the “Contact” section above.

You, as a resident of the EU and/or the UK, have a number of rights when it comes to personal information. Such rights are the following:

  1. The right to be informed. You have the right to be provided with clear, transparent and easily understandable information about how we use your personal information and your rights. This is why we’re providing you with the information in this Policy.
  2. The right of access. You have the right to obtain access to your personal information, so you’re aware and can check that we’re using your information in accordance with data protection law.
  3. The right to rectification. You are entitled to have your personal information corrected or amended if it is inaccurate or incomplete or, as the case may be, collected in violation of the EU-US Data Privacy Framework.
  4. The right to erasure. This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your personal information where there is no compelling reason for us to keep using it. This is not a general right to erasure; there are exceptions.
  5. The right to restrict processing. You have rights to ‘block’ or suppress further use of your personal information. When processing is restricted, we can still store your personal information, but may not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in the future.
  6. The right to data portability. You have rights to obtain and reuse your personal information for your own purposes across different services. This is not a general right and there are exceptions.
  7. The right to object to processing. You have the right to object to certain types of processing, and may change your preferences as described above.
  8. The right to lodge a complaint. You have the right to lodge a complaint about the way we handle or process your personal data with your national data protection regulator:
  9. The right to withdraw your consent. As noted above, if you have given your consent to anything we do with your personal information, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your information with your consent up to that point is unlawful). You can withdraw your consent to the processing of your personal information at any time.

Former, current, or prospective corporate customer contacts have the right to exercise choice (opt-out) from our use of their GDPR personal information for direct marketing purposes. To exercise this right, please send us an email or postal mail request to opt-out, to the email and/or address provided in the Contact Us section above.

Please contact us as specified below if you have any questions. In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.

Please contact us at [email protected] if you have any questions, wish to exercise your rights of access, or seek other assistance as described above.

EU Personal Information and Extra-territorial

Lumu safeguards personal data received in the United States from the United Kingdom (“UK”), European Union, or European Economic Area (“EU”) about former, current, or prospective corporate customer contacts and which is regulated by the UK General Data Protection Regulation (“GDPR”). We are committed to protecting such GDPR personal information in accordance with our obligations under applicable law, such as EU GDPR Articles 45 to 50, and the Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability.

To the extent permitted by applicable law, your use of this site constitutes your consent to the transfer of your Personal Data to Lumu in the United States in the context of the EU-US Data Privacy Framework as set out in Commission Implementing Decision of July 10, 2023 pursuant to the GDPR on the adequate level of protection of personal data under the EU-US Data Privacy Framework.

Lumu complies with the EU-US Data Privacy Framework (EU-US DPF) and the UK Extension to the EU-US DPF, as set forth by the U.S. Department of Commerce. Lumu has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework Program, and to view our certification, please visit: https://www.dataprivacyframework.gov/list

Exercise of Rights and Complaints

LUMU commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to VeraSafe, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/ for more information or to file a complaint. The services of VeraSafe are provided at no cost to you.

If you would like to exercise your rights under this Policy or the GDPR, or would like to lodge a complaint with respect to the implementation of this Policy and our processing of your personal information, please contact:

LUMU TECHNOLOGIES INC.

8600 NW 36th Street, Suite 150

Doral, Florida, 33166, United States of America

Legal Team

[email protected]

Please note that we may request official identification information, such as a copy of your ID card, driver’s license, etc. from you when you submit a complaint.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Lumu commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

You may, subject to its terms, invoke binding arbitration in accordance with Annex I of the DPF Principles: https://www.dataprivacyframework.gov/EU-US-Framework.

This provides that you may invoke binding arbitration by delivering notice to Lumu and following the procedures and subject to conditions set forth in Annex I of the Principles.

To learn more about the Data Privacy Framework program, please visit https://www.dataprivacyframework.gov/. To view our certification, please visit https://www.dataprivacyframework.gov/list.