Privacy Policy

Last updated: 5 June 2026

This Privacy Policy explains how Lumo ("we", "us", or "our") collects, uses, shares, and protects personal data when you use our website and the Lumo business-management application (the "Service").

We are the data controller for the personal data described in this Policy. If you access Lumo as a member of an organization that subscribes to the Service, that organization is the controller of the business data it manages in Lumo, and we act as its processor for that data.

1. Information we collect

Information you provide. Account details (name, email address, password), the business information you enter into Lumo (such as products, orders, customers, suppliers, employees, invoices, and documents), and any messages you send us.

Billing information. When you subscribe to a paid plan, payment is processed by our payment provider (Stripe). We do not store full card numbers; we receive limited billing metadata such as the card brand, the last four digits, and the subscription status.

Information from integrations. If you connect a third-party service (for example Odoo, Google, a payment terminal, an e-signature provider, or a messaging provider), we receive data from that service as needed to operate the integration you enabled.

Information collected automatically. Log and usage data (IP address, browser and device information, pages viewed, and timestamps), and cookies or similar technologies strictly necessary to keep you signed in and to keep the Service secure.

2. How we use your information

We use personal data to: provide, maintain, and improve the Service; create and secure your account; process subscriptions and payments; operate the integrations you enable; respond to your requests and provide support; send service and security notices; detect, prevent, and address fraud, abuse, and technical issues; and comply with our legal obligations.

3. Legal bases for processing

Where the LGPD or GDPR applies, we process personal data on the bases of: the performance of our contract with you; your consent (which you may withdraw at any time); compliance with a legal or regulatory obligation; and our legitimate interests in operating, securing, and improving the Service, balanced against your rights.

4. How we share information

We do not sell your personal data. We share it only with:

  • Service providers (sub-processors) who host and operate the Service on our behalf, under contractual confidentiality and data-protection obligations. These currently include cloud and database hosting, application hosting, payment processing, transactional email, rate-limiting infrastructure, and the integrations you choose to connect.
  • Other members of your organization, who may see business data you enter into the shared workspace, according to the permissions configured by your organization's administrators.
  • Authorities or third parties where required by law, to comply with a legal process, or to protect the rights, property, and safety of Lumo, our users, or the public.
  • A successor entity in connection with a merger, acquisition, or sale of assets, subject to this Policy.

5. International data transfers

The Service is operated primarily for customers in Brazil, but our providers may process data in other countries. Where personal data is transferred internationally, we rely on appropriate safeguards (such as standard contractual clauses or an adequacy decision) as required by applicable law.

6. Data retention

We retain personal data for as long as your account is active and as needed to provide the Service, and thereafter only as required to comply with our legal obligations, resolve disputes, and enforce our agreements. Business data you enter remains available to your organization until it is deleted by your organization or the account is closed.

7. Your rights

Subject to applicable law, you have the right to: confirm whether we process your personal data and access it; correct incomplete, inaccurate, or outdated data; request anonymization, blocking, or deletion of unnecessary data; request portability of your data; obtain information about the parties with whom we share your data; withdraw consent; and object to or restrict certain processing. You may also lodge a complaint with the competent data-protection authority (in Brazil, the ANPD).

To exercise these rights, contact us at privacy@lumoerp.com. We will respond within the timeframe required by applicable law. Note that some data is controlled by the organization whose workspace you use; in that case we will direct your request to that organization.

8. Security

We use technical and organizational measures designed to protect personal data, including encryption in transit, access controls, tenant isolation, and audit logging. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

9. Children

The Service is intended for businesses and is not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.

10. Cookies

We use cookies and similar technologies that are strictly necessary to authenticate you, remember your preferences (such as language), and keep the Service secure. Because these are essential to the Service, they are not used for advertising.

11. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you through the Service. Your continued use of the Service after the changes take effect constitutes acceptance of the updated Policy.

12. Contact

For privacy questions or to exercise your rights, contact our data protection officer at dpo@lumoerp.com or write to us at privacy@lumoerp.com.