LumoAuth Privacy Policy

Effective: April 21, 2026

This Privacy Policy describes how LumoAuth (“LumoAuth,” “we,” “us,” or “our”) collects, uses, discloses, and otherwise processes personal information in connection with the LumoAuth identity platform, including our websites, dashboards, APIs, SDKs, and related services (together, the “Services”).

A separate policy covers our companion mobile authenticator, Lumo Push Auth: see https://lumoauth.dev/legal/privacy-policy-push-auth-app. That policy governs what the mobile app does on the device, including the camera permission and push-notification behavior.


1. Scope and our role

LumoAuth is a business-to-business authentication and authorization platform. Depending on the data in question, we act in one of two roles:

  • Controller. For information about our customers — the developers, administrators, and organizations that sign up for a LumoAuth account to deploy authentication for their own applications — we determine the purposes and means of processing and act as the controller (or “business” under U.S. state privacy laws).
  • Processor. For information about our customers’ end users — the people who sign in to our customers’ applications through LumoAuth — we act as a processor (or “service provider”) on behalf of the customer. The customer is the controller of that information and is responsible for obtaining the appropriate notices and consents from their end users. In that role, we only process end-user data as instructed by the customer under a Data Processing Agreement (“DPA”) and applicable law.

If you are an end user of an application that uses LumoAuth, the privacy notice of the organization that operates that application — not this one — is the primary disclosure that applies to you. This Policy explains what we do on their behalf.

This Policy applies worldwide, including to individuals in the United States, the European Economic Area, the United Kingdom, Switzerland, Canada, Australia, and other regions.


2. Information we collect

2.1 Information customers provide directly

When a developer or administrator creates an account, configures a tenant, or contacts us, we receive:

  • Account information: name, work email, password hash, organization name, job title.
  • Billing information: where applicable, billing contact, tax identifiers, and payment details collected and stored by our payment processor — we do not store full card numbers.
  • Tenant configuration: application and identity-provider settings, branding, permission schemas, OAuth client registrations, SCIM and SAML metadata, webhook endpoints, API keys, and similar configuration.
  • Support correspondence: messages, attachments, and records of support or sales interactions.

2.2 End-user information we process on our customers’ behalf

When an end user signs up for or signs in to an application that uses LumoAuth, we process — strictly as a processor for our customer — the authentication data the customer has configured the Service to handle, which may include:

  • Identifiers such as email address, username, phone number, or external directory ID.
  • Passwords (stored as a one-way cryptographic hash), WebAuthn/FIDO2 public keys, and TOTP secrets (encrypted at rest).
  • Session data, OAuth/OIDC tokens, refresh tokens, and related metadata.
  • Profile attributes provided by the end user or federated from a third-party identity provider (SSO/SAML/OIDC/social login).
  • Device and request metadata associated with each sign-in event — IP address, user agent, approximate geolocation derived from IP, timestamps, and risk signals (for example, impossible-travel detection).
  • Audit and security logs of authentication and authorization decisions, including success/failure outcomes and reasons.
  • Push-authentication enrollment metadata, when the end user enrolls the Lumo Push Auth mobile app.

We do not intentionally collect special categories of personal data (for example, health, biometric identifiers, or protected-class attributes) through the Services, and we ask our customers not to send such data to us unless they have a valid lawful basis and have entered into supplemental terms with us.

2.3 Information collected automatically from the Services

When visitors use our public website or customers use our dashboards and APIs, we automatically receive:

  • Log and device data: IP address, user agent, referrer, pages viewed, API endpoints called, response status, and timestamps.
  • Cookies and similar technologies: strictly necessary cookies for authentication and security; optional analytics cookies where you have consented. See §9 (“Cookies and tracking”).
  • Diagnostic and security telemetry: error and crash reports, rate-limit events, and security-audit signals.

2.4 Information from other sources

We receive limited information from:

  • Identity providers that a customer configures (for example, Google Workspace, Microsoft Entra ID, Okta, or a customer-run SAML/OIDC IdP) — we receive only the claims the customer has mapped in their configuration.
  • Payment, email, and support vendors used to deliver the Services.
  • Enrichment and threat-intelligence feeds used for abuse detection and fraud prevention (for example, IP reputation, known-breach password lists).

3. How we use information

We use information for the following purposes:

  1. To provide and operate the Services — create accounts, authenticate users, issue tokens, enforce policies, deliver push prompts, and sync directory data.
  2. To secure the Services — detect and prevent abuse, brute-force attempts, account takeover, fraud, and violations of our Acceptable Use Policy; investigate incidents; apply rate limits and risk signals.
  3. To provide support — respond to requests, diagnose issues, and restore service.
  4. For billing and administration — invoice customers, manage subscriptions, and maintain records required for tax, accounting, and audit purposes.
  5. For product improvement — generate aggregated, de-identified usage metrics (for example, feature adoption rates) that do not identify any individual.
  6. For communications — send service announcements, security advisories, and, where permitted, product updates. You can opt out of non-essential email at any time; we will still send transactional and security-critical messages.
  7. For legal compliance — respond to lawful requests, enforce our agreements, and exercise or defend legal claims.

Legal bases (EEA / UK / Switzerland). Where GDPR or UK GDPR applies and we are the controller, we rely on: (a) performance of a contract (to provide the Services to a customer); (b) legitimate interests (to secure the Services, prevent fraud, and improve the product), balanced against your interests and rights; (c) consent (for example, optional analytics cookies and opt-in marketing); and (d) legal obligation (to comply with law).

Where we act as processor, the legal basis is determined by our customer, the controller.

Our commitments: what we will not do

We want to be explicit about some things we will not do with personal information we process about you or on behalf of our customers:

  • We do not sell personal information. We do not sell, rent, or otherwise make personal information available to any third party in exchange for money or other valuable consideration.
  • We do not share personal information for advertising. We do not share personal information for cross-context behavioral advertising, and the Services do not carry third-party advertising trackers.
  • We do not profile you for our own purposes. We do not use end-user data to build advertising, marketing, or behavioral profiles for LumoAuth’s benefit.
  • We do not train AI models on customer data or end-user data. Data our customers and their end users send through the Services is not used to train or improve any generative-AI model — ours or a third party’s. When a customer enables an AI-assisted feature (§4), only the specific input required for that feature is sent to the AI provider, and not any end-user authentication data.
  • We do not mix one customer’s data with another’s. Each customer tenant is isolated; we do not combine data across tenants for product use.

4. AI features

Certain optional features of the Services use large language models (for example, AI-assisted policy authoring, AI-assisted theming, and AI-assisted risk narrative). A customer’s administrator must explicitly enable these features in tenant configuration. The underlying AI provider is selected and operated by LumoAuth at the platform level (currently Mistral AI); the current provider is listed in our subprocessors list, and any change of provider is subject to the advance notice set out in our Data Processing Agreement. When these features are enabled:

  • Only the specific input required for the feature (for example, a natural-language policy draft) is sent to the AI provider.
  • End-user personal data is not sent to the AI provider as part of normal authentication flows.
  • Outputs are presented to the administrator for review; no automated decision producing legal or similarly significant effects is made solely on the basis of AI output.

5. How we share information

We share personal information only as described below. We do not sell personal information, and we do not share it for cross-context behavioral advertising.

  • Subprocessors and service providers. We engage vetted third parties to provide hosting, email delivery, push-notification delivery, payments, analytics, logging, and support infrastructure. Each is bound by written data-protection terms and may process personal information only for the purposes we specify. A current list of subprocessors is maintained at lumoauth.dev/legal/subprocessors; material changes are announced to customers in advance so they can object.
  • Within a customer’s tenant. Information about an end user is made available to the controller — the customer operating that tenant — and to administrators they authorize.
  • Identity providers chosen by the customer. When SSO, SAML, or social login is configured, we exchange the claims needed to federate the sign-in with the provider the customer selected.
  • Legal and safety disclosures. We may disclose information when required by law, to cooperate with lawful government requests, to enforce our terms, to prevent fraud or abuse, or to protect the rights, safety, or property of LumoAuth, our customers, or the public.
  • Business transfers. If LumoAuth is involved in a merger, acquisition, financing, reorganization, or asset sale, personal information may be transferred subject to standard confidentiality protections; we will notify affected customers.
  • With your consent or at your direction. We share information in other ways you explicitly authorize.

6. International data transfers

LumoAuth is operated from the United States, and subprocessors may process data in other jurisdictions. Where personal data originating in the EEA, the United Kingdom, or Switzerland is transferred outside those regions to a country that has not received an adequacy decision, we rely on appropriate transfer mechanisms, including the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum / Swiss addendum as applicable), together with supplementary technical and organizational measures. Customers may request a copy of the current transfer mechanisms in effect.

Where regional data-residency options are offered (for example, an EU region endpoint), customers may choose to keep their tenant’s production data within the selected region.


7. Data retention

We retain personal information only as long as necessary for the purposes described in this Policy or as required by law.

  • Customer account data is retained for the duration of the customer’s relationship with LumoAuth and for a reasonable period afterward to satisfy tax, accounting, and audit obligations.
  • End-user data is retained under the terms set by the customer in the DPA and the customer’s own retention policy. Administrators can delete, export, or anonymize end-user data through dashboard and API controls.
  • Security, audit, and abuse-prevention logs are retained for a limited period appropriate to the purpose, typically measured in months, subject to legal-hold requirements.

Residual data in backups. To be candid: when you or your administrator deletes a record in the Services, we remove it from our production systems immediately, but it may remain in encrypted, off-host backups until those backups age out of their rolling retention window (normally within 30 days). We do not restore backed-up copies into production except in the event of a disaster-recovery need, in which case the deletion is re-applied to the restored copy. Closure of a customer account works the same way: data is removed from production within the deletion window in §9 of our Data Processing Agreement, and cycled out of backups shortly afterwards.

When retention periods lapse, we delete, anonymize, or aggregate the information.


8. Your rights

Depending on your location, you may have the following rights regarding personal information we process about you as a controller:

  • Access and receive a copy of your personal information.
  • Rectify inaccurate or incomplete information.
  • Erase your information, subject to legal exceptions.
  • Restrict or object to processing, including opting out of certain analytics.
  • Data portability — receive your information in a structured, commonly used, machine-readable format.
  • Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
  • Object to automated decisions. Where applicable, you have the right under GDPR Article 22 (and equivalent state-law provisions) not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects. The Services do not make such decisions about end users in normal operation. Risk signals generated by our platform are advisory only and are surfaced to human administrators for review; they do not, on their own, deny access, terminate accounts, or make any other legally significant decision about a Data Subject.
  • Non-discrimination for exercising rights under the California Consumer Privacy Act (“CCPA”) or similar state laws.
  • Lodge a complaint with your local supervisory authority (EEA / UK / Switzerland) or state attorney general.

How to exercise your rights. If you are a customer or are dealing directly with us, email privacy@lumoauth.dev. If you are an end user of an application built on LumoAuth, please contact the organization operating that application first — they are the controller of your data. If they direct you to us, or if we cannot identify the controller, we will route the request appropriately and confirm the outcome.

We will not require a fee to exercise a right unless the request is manifestly unfounded or excessive, and we will respond within the time frames required by applicable law.

Notice for California residents. In the preceding twelve months, we have collected the categories of personal information identified in §2, for the business purposes identified in §3, and disclosed them to the categories of recipients identified in §5. We have not “sold” or “shared” personal information as those terms are defined under the CCPA. Californians may designate an authorized agent to submit a request on their behalf.


9. Cookies and tracking

Our public website, marketing pages, and customer dashboard use cookies and similar technologies. We try to keep the list short and the choices honest.

Cookies we consider strictly necessary. These are always set because the Services don’t work without them:

  • a session cookie that keeps you signed in to the dashboard;
  • a CSRF token to prevent request-forgery attacks;
  • security and rate-limit cookies used to detect and slow down abuse.

Optional cookies. Where required by law, we ask for your consent before setting any non-essential cookies, and you can change your choice at any time through the cookie preferences control on the site. Optional cookies cover:

  • Product analytics used internally to understand how the dashboard is used and improve it. We prefer privacy-respecting analytics tools that do not share identifiable data with third parties for their own advertising purposes. The current list of analytics tools, if any, is published alongside our subprocessors list.
  • Preference cookies that remember UI choices such as theme or language.

Things we do not do. We do not set third-party advertising cookies, we do not participate in cross-site ad networks, and we do not embed tracking pixels from ad-tech vendors.

Automated signals we honor. We respect the Global Privacy Control (GPC) signal as an opt-out of sale / sharing under U.S. state privacy laws where applicable, and we treat a browser Do-Not-Track (DNT) signal as an additional opt-out of optional analytics.


10. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information, including:

  • Encryption in transit (TLS) and at rest for tenant data;
  • Cryptographic protection of authenticator material — passwords hashed, WebAuthn/FIDO2 credentials stored as public keys, TOTP secrets and push-authentication material encrypted;
  • Tenant isolation with row-level scoping enforced at the service tier;
  • Principle-of-least-privilege access controls for LumoAuth personnel, with auditing;
  • Secure software-development practices, vulnerability management, and regular third-party assessments.

No system is perfectly secure. If we become aware of a breach affecting personal information we process as a controller, we will notify affected individuals and regulators as required by law. Where we act as a processor, we will notify the affected customer without undue delay per the DPA.

Limitation of liability for unauthorized third-party access. LumoAuth takes reasonable measures to protect personal information, but the internet is not a perfectly secure medium and no safeguard is infallible. To the maximum extent permitted by applicable law, and without limiting any right you have under Data Protection Laws or any commitment in our Data Processing Agreement, LumoAuth shall not be liable for unauthorized third-party access to its systems or the Services — including intrusions, interceptions, or exploits by malicious actors operating outside LumoAuth’s control — where LumoAuth has maintained the safeguards described in this Policy and the technical and organizational measures set out in our DPA. Nothing in this paragraph limits liability that cannot be excluded or limited as a matter of law.


11. Children’s information

The Services are not directed to children, and we do not knowingly collect personal information from children under 16 (or the applicable age of digital consent in the relevant jurisdiction) as a controller. Customers deploying LumoAuth to serve minors are responsible for obtaining any parental or guardian consent required by law.


12. Consent

By providing personal information to LumoAuth — for example, by creating an account, signing in, or otherwise using the Services — you acknowledge and expressly consent to the collection, use, and disclosure of that information as described in this Policy. If you do not agree with any part of this Policy, please do not use the Services.

Where you provide personal information about another individual (for example, a colleague’s contact details), you represent that you have the authority to do so and, where required by law, that you have obtained the necessary consent from that individual.

You may withdraw your consent at any time as described in §8 (“Your rights”). Withdrawal does not affect the lawfulness of processing carried out before withdrawal, and may limit our ability to continue providing certain parts of the Services. Nothing in this section limits any other legal basis on which we rely for processing (for example, contract performance, legitimate interests, or legal obligation) as described in §3.


13. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will update the “Effective” date above and, where appropriate, notify customers through the dashboard, by email, or by prominent notice on our website. Your continued use of the Services after a change takes effect indicates that you accept the updated Policy. We encourage you to review this Policy periodically.


14. Contact

Questions, requests, or complaints about this Policy can be sent to:

Email: privacy@lumoauth.dev

LumoAuth LLC
600 California Street, 11th Floor
San Francisco, CA 94108