Privacy Policy
This Privacy Policy describes how Lumaa AI FZ-LLC ("Lumaa", "we", "us") collects, uses, stores, and shares personal data. It is written to comply with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("PDPL"), the UAE Telecommunications and Digital Government Regulatory Authority ("TDRA") consumer protection regulations, and applicable Dubai free-zone data-protection rules.
It applies to (a) visitors to lumaa.ai, (b) Clients who sign up to the Lumaa Service, and (c) end-users (call recipients) whose data Clients process via the Service.
1. Personal data we process
From Clients (account holders)
- Identity: name, role, company, trade licence number.
- Contact: email, phone.
- Authentication: email + scrypt-hashed password, optional PIN, session token.
- Billing: billing contact, payment method tokens (we never store full card numbers — those go to our payment processor), invoices.
From end-users (call recipients) — processed on behalf of the Client
- Phone number (E.164).
- Voice audio of calls placed by the Client's AI.
- Speech-to-text transcripts of those calls.
- Outcome / status fields the Client's AI infers from the call ("Interested", "Not interested", "Call back").
- Lead metadata the Client uploads (name, custom fields).
2. Why we process it (lawful bases)
| Purpose | Legal basis (UAE PDPL Art. 4) |
|---|---|
| Authenticating you and providing the Service | Contract performance |
| Billing and tax records | Legal obligation (UAE FTA) |
| Detecting abuse, fraud, AUP violations | Legitimate interests |
| Aggregate, anonymised analytics for product improvement | Legitimate interests |
| Sending product updates / marketing | Consent (opt-in checkbox; opt-out anytime) |
3. How long we keep it
| Data class | Retention |
|---|---|
| Account credentials (active client) | Lifetime of the account |
| Account credentials (after termination) | 30 days, then hard-deleted |
| Audit log | 7 years (UAE consumer-protection record-keeping) |
| Call recordings | 90 days default, configurable per Client |
| Call transcripts | 90 days default, configurable per Client |
| Backups | 60 days rolling |
| Billing invoices | 5 years (UAE Federal Tax Authority compliance) |
4. Who we share it with
We share the personal data we process only with:
- Sub-processors listed in our Sub-processor List (AWS, OpenAI, Deepgram, ElevenLabs, payment processor, optional Twilio). Each is contractually bound under a DPA.
- Authorities when compelled by a UAE court order, regulatory subpoena, or where disclosure is required by UAE law. We will notify the Client first unless legally prohibited.
- Successor entities in the event of a merger, acquisition, or asset sale — clients receive 30 days' notice.
We do not sell personal data to anyone, ever.
5. International transfers
Some processing happens outside the UAE — primarily AWS regions and US-based AI providers. We rely on Standard Contractual Clauses (or equivalent UAE PDPL adequate-protection mechanisms) with each non-UAE sub-processor. Clients sensitive to cross-border transfers may request a UAE-only deployment (currently on our roadmap, not yet available).
6. Your rights under UAE PDPL
Under UAE PDPL Articles 13–22 (and analogous GDPR rights for EU subjects), you can:
- Access the personal data we hold about you.
- Rectify inaccuracies.
- Erase ("right to be forgotten") — subject to exceptions like legal-retention obligations.
- Restrict processing pending a dispute.
- Object to processing based on legitimate interests.
- Data portability — receive your data in a machine-readable format.
- Withdraw consent at any time where processing is consent-based.
- Lodge a complaint with the UAE Data Office or your local data-protection authority.
To exercise any right, email privacy@lumaa.ai — we respond within 30 days.
7. Security
- Credentials hashed with scrypt (N=32768, salt per record).
- Local store at-rest encrypted with AES-256-GCM.
- TLS 1.2+ in transit; HSTS enforced.
- Production access scoped to named engineers via SSH keys; no shared accounts; quarterly access review.
- Annual penetration test; quarterly automated dependency scan.
- Incident response: data breach notification to clients within 72 hours of confirmed scope, per PDPL Art. 9.
8. Cookies
We use a minimal set of cookies. The CRM session cookie (lumaa_crm_session) is HttpOnly, Secure, SameSite=Lax, and used solely for authentication. We do not use third-party tracking cookies. Full details in our Cookie Policy.
9. Children
The Service is not directed at individuals under 18. We do not knowingly process data of minors. If you believe we have, email privacy@lumaa.ai for immediate deletion.
10. Changes
Material changes are notified to active Clients 30 days before they take effect. The "Effective" date at the top reflects the latest revision.
11. Contact
Data Protection Contact: privacy@lumaa.ai
General enquiries: hello@lumaa.ai
Postal: Lumaa AI FZ-LLC, Dubai, United Arab Emirates