Section 01
Overview
Lumina Signage ("Lumina", "we", "us", "our") is committed to protecting the privacy of everyone who uses our digital signage and device management platform (the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have over it.
This policy applies to all personal data processed in connection with the Service, including data provided by account holders, invited users, and data collected automatically when you use the platform or our website at luminasignage.com.
We are committed to compliance with the General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws. If you have any questions, please contact us at the address in Section 13.
Section 02
Data We Collect
We collect personal data in three ways: data you provide directly, data collected automatically, and data about the devices you manage through the Service.
Data you provide:
- Account information: Name, email address, password (hashed), organisation name, and billing information when you register or subscribe
- Profile information: Profile photo and any other information you optionally add to your profile
- Communications: Content of emails or messages you send to our support team
- Content: Media files, playlists, templates, and other content you upload to the Service
Data collected automatically:
- Usage data: Pages visited, features used, actions taken within the dashboard, timestamps
- Log data: IP address, browser type, operating system, request IDs, and error logs
- Session data: Authentication tokens, session identifiers, and MFA state
- Cookies: See Section 6 for details
Device data (from enrolled signage screens):
- Device identifiers, model, operating system version, and firmware version
- Device health metrics: CPU usage, memory, storage, uptime, and connectivity status
- Content playback logs and proof-of-play data associated with your enrolled devices
- Network information: IP address, data usage, and connection quality of enrolled devices
We do not collect special categories of sensitive personal data (e.g., health, biometric, or financial data) through the Service.
Section 03
How We Use Your Data
| Purpose | Data used |
|---|---|
| Providing the Service — creating accounts, authenticating users, managing devices | Account info, session data, device data |
| Billing & subscriptions — processing payments, issuing invoices, managing licences | Account info, billing info, licence data |
| Transactional emails — account confirmation, password reset, trial expiry warnings, invoices | Name, email address |
| Security & fraud prevention — detecting and preventing unauthorised access, audit logging | Log data, session data, usage data |
| Product improvement — understanding how the Service is used, diagnosing errors | Usage data, log data (anonymised where possible) |
| Support — responding to enquiries and resolving issues | Account info, communications, log data |
| Legal compliance — meeting legal obligations, responding to lawful requests | All categories as required |
We do not sell your personal data to third parties. We do not use your data for advertising profiling.
Section 04
Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and the United Kingdom, we rely on the following legal bases to process personal data:
- Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Service under our Terms of Service — account management, authentication, device management, billing
- Legitimate interests (Art. 6(1)(f) GDPR): Security monitoring, fraud prevention, product analytics, and service improvement, where these interests are not overridden by your rights
- Legal obligation (Art. 6(1)(c) GDPR): Processing required to comply with applicable laws, including financial record-keeping and responding to lawful requests from authorities
- Consent (Art. 6(1)(a) GDPR): Where we have asked for and received your consent, such as for optional marketing communications. You may withdraw consent at any time
Section 05
Sharing & Disclosure
We do not share your personal data with third parties except in the following circumstances:
- Service providers: We engage trusted third-party providers who process data on our behalf under data processing agreements. These include cloud infrastructure (hosting), email delivery, and payment processing. These providers are contractually prohibited from using your data for their own purposes.
- Within your organisation: Data is shared among users you invite to your Lumina organisation, in accordance with the roles and permissions you configure.
- Legal requirements: We may disclose data where required by law, court order, or lawful request from a government authority, to the extent required and permitted by applicable law.
- Business transfers: In the event of a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred as part of the transaction. We will notify you before this occurs and before any data becomes subject to a different privacy policy.
- With your consent: We may share data in other circumstances with your explicit prior consent.
Section 06
Cookies
We use cookies and similar technologies to operate the Service. The cookies we set fall into the following categories:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| accessToken | Strictly necessary | Authenticates your session with the Lumina API. httpOnly and Secure — not accessible by JavaScript. | 15 minutes |
| refreshToken | Strictly necessary | Enables silent session refresh without requiring re-login. httpOnly and Secure. | 7 days |
We do not use advertising cookies, third-party tracking cookies, or analytics cookies that identify you personally. The cookies we set are strictly necessary for the Service to function and are exempt from consent requirements under the ePrivacy Directive.
You can configure your browser to block or delete cookies, but doing so will prevent you from logging in to the Service.
Section 07
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required or permitted by law.
- Account data: Retained for the duration of your account. Following account deletion, we retain data for 30 days to allow for recovery, then permanently delete it.
- Billing records: Retained for a minimum of 7 years to comply with applicable financial regulations.
- Audit logs: Retained for 12 months by default, configurable by the account Owner.
- Device telemetry: Retained for 90 days on a rolling basis.
- Support communications: Retained for 3 years from the date of last interaction.
Where we no longer have a lawful basis to retain data, we securely delete or anonymise it.
Section 08
Security
We implement a range of technical and organisational security measures to protect your data, including:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256 or equivalent
- Passwords stored as bcrypt hashes — never in plaintext
- Authentication tokens stored as httpOnly, Secure cookies to prevent XSS access
- Role-based access controls and principle of least privilege
- Multi-factor authentication (MFA) available for all user accounts
- Comprehensive audit logging of all access and administrative actions
- Regular security reviews and dependency updates
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with applicable data protection law.
Section 09
International Data Transfers
Lumina operates infrastructure that may be located outside your country of residence. Where we transfer personal data outside the EEA or UK, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries with an adequate level of protection as determined by the relevant authorities.
For more information about the safeguards we apply to international transfers, please contact us at the address in Section 13.
Section 10
Your Rights
Depending on where you are located, you may have the following rights regarding your personal data. We will respond to all valid requests within 30 days.
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate or incomplete data
- Erasure ("right to be forgotten"): Request deletion of your personal data, subject to our legal obligations to retain certain records
- Restriction: Request that we restrict processing of your data in certain circumstances
- Portability: Receive your data in a structured, commonly used, machine-readable format
- Objection: Object to processing based on legitimate interests or for direct marketing purposes
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
- Lodge a complaint: File a complaint with your local supervisory authority (e.g., the ICO in the UK, or your national data protection authority in the EU)
To exercise any of these rights, contact us at admin@luminasignage.com. We may ask you to verify your identity before processing your request.
Section 11
Children's Privacy
The Service is not directed at or intended for use by children under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately and we will take steps to delete it.
Section 12
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by a prominent notice within the Service, at least 14 days before the changes take effect. The updated policy will be posted on this page with the revised effective date.
Your continued use of the Service after the effective date constitutes your acknowledgement of the updated policy.
Section 13
Contact & Data Inquiries
If you have any questions, concerns, or requests relating to this Privacy Policy or how we handle your personal data, please contact us:
Lumina Signage
Email: admin@luminasignage.com
Website: luminasignage.com
For data protection enquiries, include "Privacy Request" in your subject line. We aim to respond within 5 business days and will resolve all requests within 30 days as required by applicable law.