Privacy Notice

Effective May 21, 2026 · Last updated May 21, 2026

This Privacy Notice explains how Lumivexa LLC ("Lumivexa", "we", "us") collects, uses and shares personal data when you visit our website, sign up for a Vendor account, or purchase a product from a Vendor that uses the Lumivexa platform.

1. Who is the controller

Lumivexa is the controller for personal data we process about Vendors (signed-in users of the platform) and about visitors to our marketing website.

For personal data of End Customers collected during a purchase, Lumivexa is the controller for the payment and order data we are legally required to keep as seller of record. For data that Vendors load into the customer workspace (notes, segments, tags), Lumivexa acts as a processor on behalf of the Vendor.

2. What we collect

From Vendors

• Account data — name, email, password hash, role, locale.
• Business data — company name, address, tax identifiers, beneficial-ownership information collected for KYC and KYB verification.
• Banking data — payout account details.
• Usage data — pages visited, features used, API calls, device and browser information.

From End Customers

• Order data — name, email, billing address, product purchased, price, currency, tax amount, transaction time.
• Payment data — payment method type and last four digits of the card number; full card numbers are tokenised by our payment service providers and not stored by Lumivexa.
• Device data — IP address, browser, device fingerprint for fraud prevention.

From website visitors

• Analytics data — pages visited, referrer, session duration, country (derived from IP), aggregated and anonymised wherever possible.

3. Why we use it

• To provide, operate and improve the Services.
• To process payments, issue receipts, and meet our obligations as seller of record (legal basis: contract and legal obligation).
• To verify Vendor identity and prevent fraud, money laundering and abuse (legal basis: legal obligation and legitimate interest).
• To send transactional emails (receipts, renewal reminders, dunning).
• To send product updates and marketing communications you have opted into.
• To comply with tax, accounting and regulatory record-keeping obligations.

4. Who we share it with

We share personal data with vetted third-party processors solely to provide the Services. Our current key subprocessors include:

• Payment service providers — to authorise, capture and settle transactions.
• Cloud infrastructure — for hosting and backups.
• Email delivery — for transactional and marketing communications.
• Fraud and identity verification — to verify Vendor identity and detect risky transactions.
• Analytics — privacy-aware product and marketing analytics.

We also share data with authorities or regulators when legally required to do so, and with professional advisers under appropriate confidentiality obligations.

5. International transfers

Personal data may be processed in countries outside your country of residence, including in the United States. Where data is transferred from the European Economic Area, the United Kingdom or Switzerland, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.

6. How long we keep it

We keep personal data for as long as necessary to provide the Services and to meet legal, tax and accounting record-keeping obligations. Order and invoice data is generally retained for at least seven (7) years after the transaction. Account data is deleted or anonymised within ninety (90) days after account closure, except where longer retention is legally required.

7. Your rights

Depending on where you live, you may have the right to access, correct, delete, restrict or object to the processing of your personal data, and to data portability. You can also withdraw consent for marketing at any time using the unsubscribe link in our emails. To exercise any of these rights, write to privacy@lumivexa.io.

If you live in the European Economic Area, the United Kingdom, or Switzerland, you have the right to lodge a complaint with your local supervisory authority. If you live in California, you have additional rights under the CCPA/CPRA, including the right to opt out of the sale or sharing of personal information — Lumivexa does not sell personal information.

8. Cookies

We use a small number of strictly necessary cookies for authentication and security, and privacy-respecting analytics cookies on our marketing site. You can manage cookies through your browser settings.

9. Security

We use industry-standard administrative, technical and physical safeguards to protect personal data, including encryption in transit and at rest, principle-of-least-privilege access controls, audit logging, and regular security reviews.

10. Children

The Services are not directed to children under 16 and we do not knowingly collect personal data from them.

11. Changes

We may update this Privacy Notice from time to time. Material changes will be communicated to active Vendors by email at least 30 days before they take effect.

12. Contact

For questions about this Privacy Notice or to exercise your rights, contact us at privacy@lumivexa.io or by post at Lumivexa LLC, 1566 S Gilbert St #9537, Iowa City, IA 52240, USA.