Effective Date: September 27, 2024
Lumair MH, Inc. (“Lumair,” “we,” “us,” or “our”) is a Delaware corporation that provides secure technology infrastructure and software tools supporting mental-health professionals. Privacy, data minimization, and security-by-design are foundational to Lumair’s platform.
This Privacy Policy explains how we collect, use, and protect limited personal information when you access or use our websites, applications, and services (collectively, the “Services”).
Lumair is architected so that we cannot access Protected Health Information (“PHI”) or clinical content processed through the platform. All sensitive data is end-to-end encrypted and accessible only to authorized users.
1. Architectural Overview & Roles
Lumair is designed as a privacy-preserving platform:
- Clinical content and PHI are end-to-end encrypted
- Encryption keys are controlled by users or their organizations
- Lumair does not have the technical ability to view, access, or decrypt PHI
- We do not store plaintext clinical data
Depending on context:
- Lumair acts as a data processor for limited non-clinical metadata
- Lumair may act as a HIPAA Business Associate contractually, but without access to PHI
- Lumair acts as a data controller only for minimal account-level information
2. Information We Collect
2.1 Information We Do NOT Access
Lumair cannot access:
- Clinical notes
- Session recordings or transcripts
- Encounter data
- Diagnoses, assessments, or treatment content
- Any decrypted PHI or patient data
All such data remains encrypted at rest and in transit.
2.2 Limited Information We May Collect
We collect only the minimum data necessary to operate the platform:
Account & Administrative Data
- Name
- Email address
- Organization or practice name
- Authentication and access-control metadata
- Subscription and billing status
Technical & Usage Metadata
- IP address (for security and fraud prevention)
- Device and browser type
- Timestamps and system logs
- Feature usage signals (non-content)
We do not analyze, inspect, or process the contents of encrypted data.
3. How We Use Information
We use limited information solely to:
- Provide and operate the Services
- Authenticate users and enforce access controls
- Maintain system reliability and security
- Provide customer support (without accessing encrypted content)
- Meet legal, regulatory, and compliance obligations
- Prevent misuse, abuse, or security incidents
Lumair does not use user data for advertising, profiling, or resale.
4. AI & Machine Learning Use
Lumair may provide AI-enabled features that operate within the platform. These systems are designed to be:
- Privacy-preserving
- User-directed
- Isolated from Lumair access
Importantly:
- Encrypted content is never reviewed by humans at Lumair
- AI outputs are generated only as initiated by authorized users
AI features are intended to support professional workflows, not replace clinical judgment.
5. Legal Bases for Processing (GDPR / UK GDPR)
For users in the UK and EU, Lumair processes limited personal data under the following lawful bases:
- Performance of a contract
- Compliance with legal obligations
- Legitimate interests, such as platform security and reliability
- Consent, where required by law
Clinical data remains encrypted and outside Lumair’s access scope.
6. HIPAA Alignment
Lumair’s platform is designed to support HIPAA-regulated environments through:
- End-to-end encryption
- Access controls and audit logging
- Data minimization
- Secure infrastructure
Even where Lumair operates under a Business Associate Agreement (BAA), we do not access, view, or process PHI in an unencrypted form.
7. Data Sharing
Lumair does not sell personal data.
We may share limited information with:
- Infrastructure and service providers operating under strict confidentiality and security agreements
- Legal or regulatory authorities when required by law
- Successors in the event of a lawful corporate transaction
No third party receives access to decrypted PHI through Lumair.
8. International Data Transfers
Where applicable, Lumair uses lawful safeguards for international data transfers, including:
- Standard Contractual Clauses (SCCs)
- UK International Data Transfer Addendum
- Equivalent approved mechanisms
9. Data Retention
We retain limited account and technical metadata only as long as necessary to:
- Operate the Services
- Meet legal and regulatory requirements
- Maintain audit and security records
10. Security Measures
Lumair employs industry-standard security controls, including:
- End-to-end encryption
- Encryption at rest and in transit
- Access controls
- Network isolation and monitoring
- Continuous security review
No system is completely secure, but Lumair is designed to minimize risk by design.
11. Your Rights
UK / EU (GDPR & UK GDPR)
You may have the right to:
- Access your personal data
- Request correction or deletion
- Restrict or object to processing
- Data portability
- Lodge a complaint with the UK Information Commissioner’s Office (ICO)
United States
State privacy laws may provide rights to:
- Access or delete personal information
- Receive disclosures about data use
Requests are limited to data Lumair can actually access.
12. Children’s Privacy
The Services are not intended for direct use by children except as permitted by healthcare providers and applicable law. Lumair does not knowingly collect personal data directly from children.
13. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated through the Services or other reasonable means.
14. Contact Information
Lumair MH, Inc.
Email: privacy@lumair.ai