Privacy Policy
Last updated: 3 May 2026 · Version 1.2
This policy explains what personal data LumenWeave collects when you use the service, how we use it, who we share it with, how long we keep it, and what rights you have over it. We aim to collect as little as possible to run the product well.
1. Data controller
The data controller for LumenWeave customer accounts is LumenWeave Ltd, registered in England and Wales. Where LumenWeave processes personal data on behalf of a customer (for example, the contact details of subcontractors invited into a customer's flows), we act as a data processor. Our processor obligations are set out in our Data Processing Agreement.
2. What we collect
- Account data: your name, email address, company name, and industry. Collected when you sign up and when you update your profile.
- Usage data: login times, pages visited, features used. Used to run the service and to improve it.
- Document data: files uploaded by subcontractors through flows you create. Stored encrypted at rest and in transit.
- Communication data: the email addresses, phone numbers, and names of the contacts you add for chase sequences. These are provided by you, and you are the controller for that data.
- Payment data: handled entirely by Stripe. We do not store card numbers. We keep a record of invoices, amounts, and Stripe customer identifiers.
- Analytics: anonymous usage analytics via Vercel to understand how the site is used. No advertising cookies.
- Compliance check data: if you use the compliance pre-check service, we collect the structured building data you enter (site dimensions, floor layouts, building use, exit locations, corridor widths, and similar regulatory data points), any technical drawings or sketches you upload as supporting evidence, and the compliance risk assessment results we generate.
- Property and land documentation: where you upload land ownership certificates, site plans, or building approval documents as part of a flow or compliance check, these are stored encrypted at rest and in transit. These documents may contain personally identifiable information (owner names, addresses, legal registration numbers) and are treated as sensitive data.
- Organisation verification data: to prevent fraud and enforce our one-account-per-organisation policy, we may collect and verify your company email domain, business registration number, and business name. This data is used solely for account verification and deduplication.
- Publicly available business data: LumenWeave collects business contact information from public sources including Companies House, Google Maps, and local authority planning portals. This data includes company names, registered office addresses, director names, publicly listed email addresses, and planning application details. This data is used for business development outreach and to enrich our compliance intelligence corpus. Only data that is already publicly available is collected.
3. How we use it
- To provide the service: flows, portals, chase sequences, vault.
- To send transactional emails (document notifications, expiry alerts, account updates). Transactional only; no marketing to your subcontractors without your instruction.
- To run AI document analysis. Uploaded documents are sent to Google (Gemini Pro on Vertex AI) for classification and issue flagging. Google does not retain that data to train models under our Vertex AI terms.
- To improve the service using aggregated, anonymised usage patterns. We do not use your customer or subcontractor data to train models.
- To run compliance pre-checks against building regulations. Your structured input data is evaluated against our regulatory rule engine. No customer-specific building data, drawings, or compliance results are used to train AI models or shared with other customers. Aggregated, anonymised patterns (such as which regulation checks fail most often in a given jurisdiction) may be used to improve the accuracy and coverage of the service.
- To verify your organisation's identity and prevent duplicate accounts. We match your business email domain and company name against existing organisations on the platform. This is used solely for fraud prevention and to enforce our one-account-per-organisation policy.
4. Legal basis
We process personal data under UK GDPR as amended by the Data (Use and Access) Act 2025 on the following bases:
- Contract performance: delivering paid subscriptions, processing documents, and running chase sequences on your behalf.
- Recognised legitimate interest: for business development outreach using publicly available business contact data (direct marketing to businesses is a recognised legitimate interest under Article 6(1)(ea) UK GDPR as introduced by the Data (Use and Access) Act 2025). We collect business contact information from public registries and send introductory communications about LumenWeave. Recipients can opt out at any time.
- Legitimate interest: for running and improving a B2B service, including aggregated analytics and service improvements.
Where you initiate B2B outreach using LumenWeave to your own contacts, you are the controller and you are responsible for the lawful basis of that outreach.
5. Sub-processors
LumenWeave uses the following sub-processors:
- Supabase — database and storage hosting (AWS EU region).
- Google (Vertex AI) — AI document analysis (Gemini Pro). Documents sent for analysis are not retained by Google for model training under our Vertex AI terms.
- Resend — transactional email.
- Twilio — SMS and WhatsApp messaging.
- Stripe — payment processing.
- Vercel — application hosting.
We will notify customers of any new sub-processor before it is given access to customer data. For more detail on sub-processor obligations, see our DPA.
6. Data retention
- Account data: retained for as long as the account is active.
- Documents: retained until the account owner removes them or deletes the account.
- Usage analytics: retained for up to 2 years in anonymised form.
- Deleted account data: purged from live systems within 30 days of the deletion request. Backup copies are overwritten on the normal backup rotation.
- Compliance check data: structured input data and risk assessment results are retained for as long as the account is active. When a compliance check is deleted or the account is closed, input data and results are purged within 30 days. Uploaded technical drawings follow the same retention rules as other documents.
- Organisation verification data: business name and email domain records used for deduplication are retained for as long as the organisation exists on the platform. Deleted organisations have verification data purged within 30 days.
7. Your rights (GDPR, UK and EU)
This section applies to customers and data subjects located in the United Kingdom, the European Union, and the EEA. Rights under other jurisdictions are summarised in the jurisdiction-specific notices below. Under UK GDPR (as amended by the Data (Use and Access) Act 2025) and EU GDPR you have the right to:
- Access the personal data we hold about you.
- Have inaccurate data corrected.
- Have your data deleted, subject to our contractual and legal retention obligations.
- Receive your data in a portable format.
- Restrict or object to processing in specific circumstances.
- Lodge a complaint with the Information Commissioner's Office (ICO) if you believe we are mishandling your data.
To exercise any of these rights, email contact@lumenweave.ai. We respond within 30 days.
8. International transfers
Customer data is primarily stored in AWS EU (via Supabase). Some sub-processors (notably Google and Stripe) are based in the United States. Transfers of personal data to these providers are covered by the European Commission's Standard Contractual Clauses (and, for UK data, the UK International Data Transfer Addendum) or an equivalent safeguard recognised by UK law.
By using the service from outside the UK or EU, you consent to your data being transferred to and processed in the United Kingdom and in other countries where our sub-processors operate. Where no adequacy decision or equivalent of the Standard Contractual Clauses exists, we apply equivalent safeguards.
For customers in Southeast Asia (Indonesia, Malaysia, Thailand, Singapore, and neighbouring jurisdictions), we comply with applicable cross-border transfer requirements under each country's data protection law. This includes ensuring equivalent data protection standards or obtaining explicit consent where required. Property documentation, land certificates, and technical drawings uploaded by customers in these jurisdictions are stored encrypted and access-controlled to the same standard as all other customer data.
9. Jurisdiction-specific notices
LumenWeave serves customers globally. Where a jurisdiction has local privacy laws that apply to our processing of your personal data, the following notices describe the local rights in addition to the rights set out above.
United Kingdom
LumenWeave Ltd is registered in England and Wales (ICO registration pending). We process personal data in accordance with UK GDPR (the UK General Data Protection Regulation as retained and amended under the Data Protection Act 2018 and the Data (Use and Access) Act 2025). Your rights under UK GDPR are set out in Section 7 above.
Where the compliance pre-check service evaluates building designs against UK building regulations (including Approved Documents B, M, and K, and the Building Safety Act 2022 gateway requirements), the structured input data and risk assessment outputs are processed under the legal basis of contract performance and legitimate interest (improving the accuracy of the regulatory rule engine using anonymised patterns).
Property documentation uploaded for UK projects (such as Land Registry title deeds or planning permission documents) is treated as sensitive data with additional access controls. Compliance pre-check outputs related to the Building Safety Act 2022 are advisory risk assessments. They do not constitute building control approval, fire safety assessments under the Regulatory Reform (Fire Safety) Order 2005, access audits under the Equality Act 2010, or any submission to the Building Safety Regulator.
The Information Commissioner's Office (ICO) is the supervisory authority for UK data subjects. If you believe we are mishandling your data, you may lodge a complaint with the ICO.
Australia
If you are located in Australia, we handle your personal information in accordance with the Australian Privacy Principles under the Privacy Act 1988 (Cth). You may access and correct your personal information by contacting us. If you believe we have breached the APPs, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC). We disclose personal information to overseas recipients as listed in our sub-processors section.
United States
If you are located in the United States, you may have additional rights under state privacy laws including the California Consumer Privacy Act (CCPA/CPRA). California residents have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. LumenWeave does not sell personal information. To exercise your rights, contact contact@lumenweave.ai.
Singapore
If you are located in Singapore, we process your personal data in accordance with the Personal Data Protection Act 2012 (PDPA). You may withdraw consent for the collection, use, or disclosure of your personal data at any time by contacting us. This may affect our ability to provide the service.
New Zealand
If you are located in New Zealand, we handle your personal information in accordance with the Privacy Act 2020. You have the right to access and correct your personal information.
United Arab Emirates
If you are located in the UAE, we process personal data in accordance with Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data.
Indonesia
If you are located in Indonesia, we process personal data in accordance with Law No. 27 of 2022 on Personal Data Protection (PDP Law). You have the right to access, correct, and delete your personal data. We provide clear consent mechanisms before processing your data. In the event of a personal data breach, we will notify you and the relevant authorities within 72 hours as required by the PDP Law. Where you upload property documentation (such as land certificates or building permits), we treat this as sensitive data subject to additional access controls.
Cross-border transfers of Indonesian personal data are conducted in accordance with the PDP Law requirements. We ensure that any country receiving your personal data provides an equivalent level of data protection, or that appropriate safeguards are in place.
Thailand
If you are located in Thailand, we process personal data in accordance with the Personal Data Protection Act B.E. 2562 (2019). You have rights similar to those under GDPR, including access, correction, deletion, and data portability.
Canada
If you are located in Canada, we handle your personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA). You have the right to access and challenge the accuracy of your personal information.
10. Children
LumenWeave is a B2B service and is not intended for individuals under 18. We do not knowingly collect personal data from children.
11. Security
All data is encrypted at rest with AES-256 and in transit with TLS 1.3. Row-level security scopes each customer's data to their own organisation. Access is logged in an append-only audit trail. We run regular security reviews, restrict production access to a named list of staff, and maintain detailed incident response procedures.
12. Artificial intelligence and document analysis
LumenWeave uses artificial intelligence provided by Google (Gemini Pro on Vertex AI) to analyse compliance documents uploaded through the platform. When a document is uploaded via the portal or dashboard, it is sent to Google's Vertex AI API for analysis.
12.1 What the AI analyses
The AI extracts structured data from uploaded documents, including but not limited to: document type classification, expiry dates, policy numbers, cover amounts, named parties, validity status, and specific fields relevant to each document type (such as indemnity limits on insurance certificates or card numbers on CSCS cards).
12.2 How your data is handled
Documents are sent to Google's Vertex AI API over an encrypted connection for analysis. Google processes the document content to return structured analysis results to LumenWeave. Under our Vertex AI terms of service:
- Google does not use your documents or their contents to train AI models when processed through the Vertex AI API.
- Google does not retain document content beyond the time needed to process the request (typically seconds).
- Google does not share your document content with third parties.
The structured analysis results (extracted fields, validity assessments, and confidence scores) are stored in LumenWeave's database and associated with your organisation's account. The original document file is stored in LumenWeave's secure storage, not on Google's systems.
12.3 AI-generated communications
LumenWeave's follow-up engine uses AI to generate message content sent to your subcontractors via email, SMS, or WhatsApp. These messages request compliance documents on your behalf. The AI selects messaging tone and timing based on behavioural data to maximise response rates. All messages are sent from LumenWeave's communication infrastructure, not from Google.
12.4 Automated decision-making
LumenWeave uses AI to make automated assessments about document validity (such as whether an insurance certificate has expired or whether cover amounts meet specified thresholds). These assessments are advisory. LumenWeave does not make legally binding decisions based solely on AI analysis. We recommend that users verify critical compliance decisions with qualified professionals.
12.5 Your rights
Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. LumenWeave's AI analysis is advisory, not determinative. If you have concerns about how AI is used to process your documents, contact us at contact@lumenweave.ai.
13. Compliance pre-check service
LumenWeave offers a compliance pre-check service that evaluates building design data against regulatory requirements for a given jurisdiction. This section describes how data is handled specifically within that service.
13.1 What data is processed
The compliance pre-check processes structured building data you enter (site dimensions, floor layouts, room sizes, exit locations, corridor widths, building use classification, number of storeys, and similar data points). You may also upload technical drawings, sketches, or photographs as supporting evidence. If land ownership certificates or building approval documents are uploaded as part of a compliance check, these are treated as sensitive data.
13.2 How compliance data is used
Your structured input data is evaluated against our regulatory rule engine to produce a risk assessment. This evaluation is deterministic (rules-based), not AI-generated. Where AI is used to extract measurements from uploaded drawings, the same protections described in Section 12 apply.
Your compliance data is never shared with other customers, used to train AI models, or made available to any third party. We may use aggregated, anonymised compliance patterns (such as which checks fail most often in a given jurisdiction or building type) to improve the accuracy of the rule engine. This aggregated data cannot be traced back to your organisation, project, or property.
13.3 Compliance outputs are not professional advice
Compliance pre-check results are advisory risk indicators, not professional certifications or regulatory approvals. They do not replace the judgement of a qualified architect, engineer, building surveyor, or licensed submission agent. LumenWeave does not guarantee the outcome of any formal regulatory review for a design that receives a “low risk” assessment. See our Terms of Service for full liability terms.
14. Account verification and fraud prevention
To maintain the integrity of the platform and enforce our one-account-per-organisation policy, LumenWeave collects and processes the following verification data:
- Business email domain: we match the domain of your signup email against existing organisations to prevent duplicate accounts and to associate team members with the correct organisation.
- Company name: we compare the business name you provide during signup against existing organisations to detect duplicates.
- Business registration number (optional): where available, you may provide a business registration number (such as NIB in Indonesia, Companies House number in the UK, or ABN in Australia) for verified account status. This is used solely for identity verification and deduplication.
This data is used solely for fraud prevention and account integrity. It is not shared with other customers or used for marketing. Creating multiple accounts to circumvent usage limits, trial restrictions, or add-on entitlements is a breach of our Terms of Service and may result in account termination.
15. Changes to this policy
We may update this policy. Material changes are notified by email to account admins at least 30 days before they take effect. The current version and last updated date are always visible at the top of this page.
16. Contact
Data protection queries: contact@lumenweave.ai.