Lumio

Privacy Policy

Last updated: December 1, 2025

Company: Lumio Agents Inc. ("Lumio," "we," "our," or "us")

This Privacy Policy explains how Lumio collects, uses, shares, and protects information in connection with our websites and marketing pages, our web applications and dashboards, and our AI voice agent platform for self-storage and related services (collectively, the "Services").

This Privacy Policy does not apply to third-party services that we do not control, such as your facility management system (FMS), telephony providers, or other tools you integrate with Lumio.

1. Who We Are & Contact Information

Lumio Agents Inc. is a provider of AI-powered voice agent and automation services for self-storage and related industries.

  • Controller: For personal data we collect for our own purposes (e.g., marketing, billing, product analytics), Lumio acts as a "controller" (or "business" under California law).
  • Processor / Service Provider: For personal data we process on behalf of our customers (e.g., your tenants or callers), we act as a "processor" or "service provider" under applicable law, and the processing is governed by our Enterprise Agreement and any Data Processing Addendum.

Contact for privacy questions: privacy@lumiostorage.com

2. Information We Collect

The types of information we collect depend on how you interact with the Services.

2.1 Information You Provide to Us

  • Account & Profile Data: Name, email address, company, job title, password, and similar information when you create an account.
  • Billing & Payment Data: Billing address, subscription details, and payment method information (typically processed by third-party payment processors on our behalf).
  • Configuration & Content: Facility details, policies, FAQs, agent scripts, workflows, prompts, and other configuration you add to the platform.
  • Communications: Information in emails, support requests, or feedback you send us.

2.2 Information We Process on Behalf of Customers

When you deploy Lumio for live calls or interactions, we may process information about your callers, tenants, or prospective tenants (collectively, "End Users"), such as:

  • Phone numbers and call metadata (time, duration, routing information)
  • Call audio recordings (where recording is enabled by you)
  • Transcripts of calls and chats
  • Unit, lease, account, or ticket information supplied via integration with your FMS or CRM
  • Payment-related information provided during calls, as configured by you

We process this information only to provide the Services to you, under your direction, in accordance with our Enterprise Agreement and DPA.

2.3 Automatically Collected Information

When you visit our website or use our dashboard, we may automatically collect:

  • Device & Usage Data: IP address, browser type, operating system, referring URLs, pages viewed, actions taken, and usage timestamps.
  • Cookies & Similar Technologies: We use cookies and similar technologies for authentication, session management, analytics, and to understand how the Services are used.

You can typically control cookies through your browser settings and, where required by law, through cookie consent tools.

3. How We Use Information

We use the information we collect for the following purposes:

Providing the Services

  • Operating, maintaining, and securing the platform
  • Configuring and running your AI agents and call flows
  • Processing calls, transcripts, and integrations according to your settings

Improving and Developing the Services

  • Monitoring performance and reliability
  • Debugging and optimizing agent behavior
  • Analyzing usage trends to improve features and user experience

We may use Usage Data and de-identified or aggregated information derived from Customer Content for these purposes, including to develop and refine AI models, in line with the limits in your MSA and these Terms.

AI & Machine Learning

  • Operating AI and machine-learning models (including third-party models) that power the Services
  • Generating responses, summaries, and actions as part of your configured agents

When we use Customer Content for training or improvement of models beyond your own tenant interactions, we do so in aggregated or de-identified form so that it does not identify you or your End Users.

Security & Abuse Prevention

  • Detecting and preventing fraud, abuse, and security incidents
  • Protecting the integrity of the Services and our customers

Billing & Account Management

  • Managing subscriptions and billing
  • Sending service and transactional emails (e.g., invoices, subscription notices)

Marketing & Communications

  • Sending you product updates, newsletters, and promotions where permitted by law
  • Running surveys, webinars, and other marketing activities

You can opt out of marketing communications at any time by using the unsubscribe link or contacting us.

Legal & Compliance

  • Complying with legal obligations
  • Responding to legal requests and enforcing our agreements

4. Legal Bases (EEA/UK Only)

Where GDPR or UK GDPR applies, we rely on the following legal bases to process personal data:

  • Performance of a Contract: To provide the Services and fulfil our agreements with you.
  • Legitimate Interests: To maintain and improve the Services, secure our platform, and communicate with you about our products (where these interests are not overridden by your rights).
  • Consent: For certain marketing activities and for placing non-essential cookies, where required.
  • Legal Obligations: To comply with applicable laws and regulations.

When we act as a processor for our customers, we rely on the legal bases determined by those customers in their relationship with End Users.

5. How We Share Information

We may share information in the following circumstances:

5.1 Service Providers & Subprocessors

We engage trusted third parties ("Service Providers") to perform functions on our behalf, such as:

  • Cloud infrastructure and hosting
  • Telephony and SMS providers
  • AI and ML providers
  • Payment processors
  • Analytics, logging, and monitoring
  • Email and CRM tools

These Service Providers are bound by contract to process personal data only for our instructions and to provide appropriate safeguards.

5.2 With Your Instructions

We share information with third-party systems you intentionally connect to the Services (e.g., FMS, CRM, help desk tools, or other integrations) according to your configuration.

5.3 Corporate Transactions

If we are involved in a merger, acquisition, financing, or sale of all or part of our business, personal data may be transferred as part of that transaction, subject to appropriate safeguards.

5.4 Legal Requirements

We may disclose information if we believe in good faith that it is reasonably necessary to:

  • Comply with a law, regulation, or legal request
  • Protect the safety, rights, or property of Lumio, our customers, or the public
  • Enforce our agreements and policies

5.5 Aggregated or De-Identified Data

We may share aggregated or de-identified information that does not reasonably identify you or your End Users, for example in reports, benchmarks, or product insights.

6. International Data Transfers

Lumio is headquartered in the United States, and information we collect may be transferred to and processed in the U.S. and other countries where we or our Service Providers operate. These countries may have data protection laws different from your country.

Where required by law, we use appropriate safeguards for cross-border transfers (such as Standard Contractual Clauses or equivalent frameworks) and ensure that Service Providers provide adequate protection for personal data.

7. Data Retention

We retain personal data for as long as reasonably necessary to:

  • Provide the Services and maintain your account
  • Comply with legal, tax, or accounting obligations
  • Resolve disputes and enforce our agreements
  • Meet internal reporting and audit needs

For call recordings and transcripts, retention periods may be configurable in the Services or governed by your Enterprise Agreement. We may retain aggregated or de-identified data derived from Customer Content after deletion for analytics and improvement, provided it does not identify you or your End Users.

8. Security

We use technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, or disclosure, such as:

  • Encryption in transit and at rest (where appropriate)
  • Access controls and authentication
  • Logging and monitoring
  • Regular backups and resilience practices

However, no system can be guaranteed 100% secure. You are responsible for maintaining the security of your account credentials and for configuring the Services in a secure manner.

9. Your Privacy Rights

Depending on your location and applicable law, you may have the following rights with respect to personal data we hold about you:

  • Access: Request a copy of your personal data.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data, subject to legal exceptions.
  • Restriction: Request restriction of processing in certain circumstances.
  • Portability: Request a copy of certain personal data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests, including direct marketing.

For EEA/UK/Swiss residents, GDPR and related laws provide these rights; for California residents, CPRA provides rights to know, delete, and correct, as well as to opt out of "sale" or certain "sharing" of personal information.

We do not sell personal information as "sale" is defined under California law. If we ever engage in activities that qualify as "sharing" for cross-context behavioral advertising, we will provide appropriate opt-out mechanisms.

To exercise any of these rights, please contact us using the details in Section 1. We may need to verify your identity and may be limited in our ability to respond where we act as a processor on behalf of a customer (in which case we will direct you to that customer).

You also have the right to lodge a complaint with your local data protection authority if you believe our processing violates applicable law.

10. Children's Privacy

The Services are intended for use by businesses, not by individuals under 18 years of age. We do not knowingly collect personal data directly from children. If you believe a child has provided personal data to us, please contact us so we can take appropriate steps.

11. Third-Party Links and Services

The Services may contain links to third-party websites or integrations with third-party tools. We are not responsible for the privacy, security, or practices of those third parties. We encourage you to review their privacy policies.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top and may provide additional notice (e.g., by email or in the product) if changes are material. Your continued use of the Services after such changes become effective signifies your acknowledgment of the updated Privacy Policy.

13. How to Contact Us

If you have questions or concerns about this Privacy Policy, or if you wish to exercise your privacy rights, please contact us at: privacy@lumiostorage.com