Privacy Policy

Last updated: February 2026

1. Introduction

Lumina (“we”, “our”, “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our AI-powered business coaching platform. This policy applies to all users of the Lumina platform and is compliant with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

Lumina is the data controller for the personal data collected through our platform. For any data protection enquiries, please contact our Data Protection Officer at dpo@equalsthree.co.uk.

3. Data We Collect

We collect the following categories of personal data:

  • Account Information: Name, email address, role, and clinic affiliation.
  • Subscription Data: Payment information processed securely through Stripe. We do not store credit card details on our servers.
  • Usage Data: Chat messages, conversation history, AI agent interactions, and feature usage patterns.
  • Uploaded Content: Documents, protocols, and other materials you upload to the Knowledge Base.
  • Technical Data: Device type, browser information, IP address, and app usage analytics.

4. How We Use Your Data

We use your personal data for the following purposes:

  • Providing and improving the AI coaching service
  • Generating personalised business advice through our AI agents
  • Processing subscription payments and managing your account
  • Sending service-related communications and coaching reminders
  • Generating insights and session summaries
  • Ensuring compliance with UK medical aesthetics regulations
  • Improving our AI models and service quality (using anonymised, aggregated data only)

5. Legal Basis for Processing

We process your data under the following legal bases:

  • Contract Performance: Processing necessary to provide the Service you have subscribed to.
  • Legitimate Interests: Improving our service, ensuring security, and preventing fraud.
  • Consent: Where you have opted in to receive marketing communications.
  • Legal Obligation: Where processing is required by law.

6. Data Sharing and Third Parties

We share data with the following categories of third parties:

  • Supabase: Our infrastructure provider for secure data storage and authentication.
  • Google (Gemini AI): For AI processing of coaching queries. Queries are processed in real time and not retained by Google for training purposes.
  • Stripe: For secure payment processing.
  • Google Cloud: For text-to-speech voice coaching features.

We do not sell your personal data to third parties. All third-party processors are bound by data processing agreements that ensure the protection of your data.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit and at rest, row-level security policies for tenant data isolation, access controls and authentication, and regular security reviews. While we strive to protect your data, no method of electronic transmission or storage is completely secure.

8. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Chat history and conversation data are retained for the duration of your subscription. AI-generated insights have a 14-day retention period. Upon account deletion, your personal data will be permanently removed within 30 days, except where retention is required by law.

9. Your Rights

Under the UK GDPR, you have the following rights:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate personal data.
  • Right to Erasure: Request deletion of your personal data.
  • Right to Restrict Processing: Request restriction of processing in certain circumstances.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, please contact us at privacy@equalsthree.co.uk.

10. Cookies

We use essential cookies required for the functioning of our platform. We do not use tracking or advertising cookies. Any analytics cookies are strictly anonymised and used solely for service improvement purposes.

11. International Transfers

Some of our third-party processors may be based outside the UK. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses or adequacy decisions, in accordance with UK GDPR requirements.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through the Service. The updated policy will be effective from the date of publication.

13. Complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

14. Contact Us

For any questions about this Privacy Policy or our data practices, please contact us at privacy@equalsthree.co.uk.