Effective Date: September 27, 2024
These Terms of Use (“Terms”) govern your access to and use of the Lumair platform, applications, software, APIs, websites, and related services (collectively, the “Services”), provided by Lumair MH, Inc., a Delaware corporation (“Lumair,” “we,” “us,” or “our”).
By accessing or using the Services, you agree to be bound by these Terms and our Privacy Policy. If you do not agree, you may not use the Services.
1. Eligibility and Acceptance
You must be at least 18 years old and legally capable of entering into a binding contract. If you use the Services on behalf of an organization, you represent that you are authorized to bind that organization to these Terms.
2. Nature of the Services
2.1 Clinical Decision Support Software
Lumair provides software-based Clinical Decision Support (“CDS”) tools intended to assist licensed professionals with clinical documentation, information synthesis, workflow support, and evidence-informed insights.
The Services are designed to support, not replace, professional judgment.
2.2 No Direct Patient Care
Lumair does not provide direct medical, psychological, psychiatric, or therapeutic care to patients. Lumair does not independently diagnose, prescribe, or treat any condition.
2.3 No Professional or Fiduciary Relationship
Use of the Services does not create a clinician-patient, therapist-client, fiduciary, or professional relationship between Lumair and any patient or end user.
2.4 User Responsibility
You retain full responsibility for:
- Clinical decisions
- Documentation accuracy
- Regulatory compliance
- Patient communications
- Treatment planning and delivery
3. AI-Assisted Clinical Decision Support
- Certain CDS features leverage artificial intelligence and machine learning.
- AI-generated outputs are assistive, informational, and non-deterministic.
- AI outputs must be reviewed, validated, and approved by a qualified professional prior to clinical use.
- Lumair does not guarantee accuracy, completeness, or clinical appropriateness of AI outputs.
- You agree not to rely on the Services as a sole basis for clinical decisions.
3.1 Model Training and Anonymized Data Use
Lumair may use anonymized, aggregated, and non-identifiable data to develop, train, validate, and improve its machine learning and artificial intelligence models.
For clarity:
- No Protected Health Information (“PHI”) is used for model training
- No identifiable personal data is used for model training
- No encrypted customer content is decrypted for training purposes
- No data subject to HIPAA, UK GDPR, or EU GDPR is used in identifiable form
All data used for model training is processed in a manner that cannot reasonably be re-identified, does not permit linkage to any individual, and is permanently excluded from customer-controlled encrypted data stores.
4. Account Registration and Security
You must provide accurate information and safeguard your credentials. You are responsible for all activity under your account.
You must notify Lumair promptly of unauthorized access or security incidents.
5. License and Acceptable Use
5.1 License Grant
Lumair grants you a limited, non-exclusive, non-transferable, revocable license to access and use the Services for lawful, internal professional and clinical decision support purposes.
5.2 Prohibited Uses
You may not:
- Reverse engineer, copy, or modify the Services
- Circumvent encryption, access controls, or security mechanisms
- Use the Services for unlawful or deceptive purposes
- Use Lumair outputs to train competing AI systems
- Represent CDS outputs as autonomous clinical determinations
6. User Content and Data Responsibility
6.1 User-Controlled Content
You retain ownership and control of all data and content you submit (“User Content”).
You are solely responsible for:
- Obtaining patient consent
- Ensuring lawful processing of regulated data
- Compliance with professional and ethical obligations
6.2 Limited Processing License and Model Training Exclusion
You grant Lumair a narrowly limited, non-exclusive license to process User Content only as technically necessary to provide, secure, and maintain the Services.
User Content is expressly excluded from use in machine learning or artificial intelligence training, except where such data has been fully anonymized, irreversibly de-identified, and aggregated such that it no longer constitutes personal data or PHI under applicable law.
Lumair does not use identifiable User Content for advertising, profiling, or third-party data sharing.
7. Privacy, Encryption, and Zero-Access PHI Architecture
7.1 Encryption
All sensitive data, including any Protected Health Information (“PHI”), is encrypted in transit and at rest using industry-standard cryptography.
7.2 Zero-Access Architecture and Data Isolation
Lumair operates under a zero-access data architecture:
- Lumair cannot access, view, or decrypt PHI
- Encryption keys are controlled exclusively by the user or user-designated systems
- Lumair personnel do not have access to readable PHI or identifiable clinical data
- Model training environments are logically and technically isolated from customer data environments
7.3 HIPAA Positioning
Because Lumair cannot access PHI:
- Lumair does not store PHI in readable form
- Lumair does not independently use or disclose PHI
- A Business Associate Agreement (“BAA”) applies only if separately executed
7.4 UK & EU Data Protection
For UK/EU users:
- Users act as Data Controllers
- Lumair acts as a technical processor without access to decrypted personal data
- Data subject rights remain the responsibility of the controller
8. Fees and Billing
Paid features require payment of applicable fees. Fees are non-refundable except where required by law. Pricing may change with prior notice.
9. Intellectual Property
All Services, software, interfaces, models, and documentation (excluding User Content) are owned by or licensed to Lumair and protected by intellectual property laws.
No ownership rights are transferred to you.
10. Third-Party Integrations
The Services may integrate with third-party tools. Lumair is not responsible for third-party availability, security, or compliance.
11. Disclaimers
THE SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE.”
LUMAIR DISCLAIMS ALL WARRANTIES, INCLUDING WARRANTIES OF ACCURACY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
12. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW:
- LUMAIR SHALL NOT BE LIABLE FOR INDIRECT, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES
- LUMAIR’S TOTAL LIABILITY SHALL NOT EXCEED THE AMOUNT PAID BY YOU IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM
Nothing limits liability that cannot be excluded under applicable law.
13. Indemnification
You agree to indemnify Lumair from claims arising from:
- Your clinical decisions
- Your use of CDS outputs
- Your User Content
- Your regulatory or ethical obligations
- Your reliance on AI-assisted features
14. Record Retention and Data Preservation
14.1 Practitioner Responsibility for Record Retention
You acknowledge and agree that you, as a licensed healthcare provider, are solely responsible for compliance with all applicable federal, state, and local laws and professional regulations governing the retention of medical and mental health records. Lumair does not act as a records custodian and does not assume any obligation to maintain records on your behalf for compliance purposes.
14.2 Applicable Retention Periods
Record retention requirements vary by jurisdiction. The following is provided for informational purposes only and does not constitute legal advice:
United States
Federal (HIPAA): HIPAA requires covered entities to retain HIPAA-related documentation (policies, procedures, authorizations) for six (6) years. HIPAA does not prescribe retention periods for clinical records; state law governs.
California: California Business and Professions Code §2919 requires physicians to retain medical records for a minimum of seven (7) years from the date of the last service, or for minors, until the patient reaches age 18 plus seven (7) years, whichever is longer. Mental health records may be subject to additional requirements under California Code of Regulations, Title 9.
Colorado: Colorado Board of Medical Examiners Rule 3 CCR 713-30 requires retention of medical records for a minimum of seven (7) years from the date of last treatment, or for minors, until age 18 plus seven (7) years.
Texas: Texas Administrative Code, Title 22, Part 9, §165.1 requires physicians to retain medical records for seven (7) years from the date of last treatment, or for minors, until age 18 plus seven (7) years.
New York: New York Education Law §6530(32) and 10 NYCRR §415.5 require retention of medical records for at least six (6) years from the date of last treatment, or for minors, until age 18 plus six (6) years. Mental health records may require ten (10) years under certain licensing boards.
Florida: Florida Administrative Code Rule 64B8-10.002 requires retention of medical records for five (5) years from the date of last patient contact, or for minors, until age 18 plus five (5) years.
Other States: Many states require retention periods ranging from seven (7) to ten (10) years. You are responsible for determining and complying with the requirements applicable to your practice jurisdiction(s).
United Kingdom
NHS Records Management Code of Practice 2021 recommends retention of adult mental health records for a minimum of twenty (20) years after the last contact, or eight (8) years after the patient’s death if sooner. Records for children and young people should be retained until the patient’s 25th birthday (or 26th if the patient was 17 at the conclusion of treatment), or eight (8) years after death. Private practitioners should consult applicable professional body guidance (e.g., BPS, BACP, UKCP).
14.3 Lumair Data Retention Period
Lumair retains encrypted User Content for a period of ten (20) years from the date of creation or last modification, regardless of account status. This retention period is designed to support practitioners in meeting common regulatory requirements; however, it does not relieve you of your independent obligation to maintain compliant records. Lumair’s retention of encrypted data does not constitute a guarantee of accessibility, and you remain solely responsible for ensuring you have independent access to records as required by law.
14.4 Data Export Prior to Account Termination
Before terminating your account, you must export all User Content necessary to satisfy your record retention obligations. Lumair provides data export functionality within the Services for this purpose. You acknowledge that failure to export records prior to account termination may result in loss of access to such records, and Lumair shall have no liability for any consequences arising from your failure to export data.
15. Termination and Post-Termination Data Handling
15.1 Termination by You
You may terminate your account at any time by following the account closure process within the Services. Prior to initiating termination, you must: (a) export all User Content required to satisfy your record retention obligations; and (b) acknowledge that you have obtained or will independently maintain all records necessary for regulatory compliance.
15.2 Termination by Lumair
Lumair may suspend or terminate your access to the Services for material violations of these Terms, security risks, non-payment, or as required by law. Where practicable, Lumair will provide reasonable notice and an opportunity to export User Content prior to termination, except where immediate termination is necessary to protect system integrity or comply with legal requirements.
15.3 Post-Termination Retention of Encrypted Data
Following account termination:
United States: Lumair will retain encrypted User Content for the remainder of the ten (20) year retention period described in Section 14.3, measured from the date of creation or last modification of each record. During this period, the data remains encrypted and inaccessible to Lumair. Upon written request submitted to legal@lumair.ai within the retention period, and subject to identity verification and payment of any applicable fees, Lumair may provide you with access to export your encrypted data, provided you retain the necessary decryption credentials. After expiration of the retention period, encrypted data will be permanently deleted in accordance with Lumair’s data destruction policies.
United Kingdom: For UK-based practitioners, Lumair will retain encrypted User Content for the remainder of the ten (20) year retention period or such longer period as required to comply with NHS Records Management Code of Practice 2021 or applicable professional body guidance, where Lumair has been notified in writing of such requirements. UK practitioners may request data retrieval as described above. After expiration of the applicable retention period, encrypted data will be permanently deleted. Nothing in this section limits your rights under UK GDPR or the Data Protection Act 2018.
15.4 No Ongoing Access After Termination
Upon account termination, you will immediately lose access to the Services and User Content through the platform interface. Post-termination data retrieval, if available, is subject to the procedures and limitations described in Section 15.3 and may require payment of retrieval fees. Lumair is under no obligation to maintain active access to encrypted data after account termination.
15.5 Survival
The following sections survive termination: Section 6 (User Content and Data Responsibility), Section 9 (Intellectual Property), Section 11 (Disclaimers), Section 12 (Limitation of Liability), Section 13 (Indemnification), Section 14 (Record Retention and Data Preservation), Section 15.3 (Post-Termination Retention of Encrypted Data), Section 16 (Governing Law), and any other provisions that by their nature should survive.
15.6 Acknowledgment
By using the Services, you acknowledge that: (a) you are solely responsible for compliance with applicable record retention laws; (b) Lumair’s retention of encrypted data is a technical measure and does not constitute legal compliance on your behalf; (c) you must independently maintain accessible copies of all records required by law; and (d) Lumair shall not be liable for any regulatory penalties, malpractice claims, or other consequences arising from your failure to maintain compliant records.
16. Governing Law
- U.S. Users: Laws of the State of Delaware
- U.K. Users: Laws of England and Wales, with mandatory consumer protections preserved
17. Changes to These Terms
We may update these Terms. Continued use after updates constitutes acceptance.
18. Contact Information
Lumair MH, Inc.
Email: legal@lumair.ai

