Privacy Policy
Effective Date: 30-12-2025
1. Information We Collect
1.1 Information You Provide
- Personal Account Details: Name, email address, phone number, password, and other registration data.
- Payment Information: Billing details and transaction history; processed by a third-party provider called Stripe. Lumotalk does not store full card details.
- Profile Data (Experts): Professional qualifications, certifications, work experience, bio, profile images, regulatory authorisation numbers (e.g., FCA authorisation for Financial Advisors).
- Communication Data: Messages, queries, support requests, and Session transcripts.
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, session duration, and platform interactions.
- Device Data: IP address, browser type, device type, operating system, and network information.
- Cookies and Tracking: For platform performance, analytics, feature optimization, and (with consent) marketing personalization.
1.3 Third-Party Data
- Data from authentication and calendar providers (e.g., Google): If you choose to connect your Google account, Lumotalk will access only the specific data that you grant permission for — such as your Google Calendar availability, free/busy status, list of calendars, and (where strictly necessary) the ability to create, update, or delete events in your selected calendar(s). This allows us to display your availability, manage bookings, and keep your schedule updated. We do not access email content, contacts, or any other Google data outside the permissions you explicitly approve.
- Professional verification or background check data to validate Expert credentials.
2. Lawful Basis for Processing
We process your personal data under one or more of the following legal bases:
- Performance of a contract: To provide platform services, facilitate bookings, and process payments.
- Legal obligations: Compliance with UK laws, tax, and regulatory requirements (e.g., FCA rules for Financial Advisors).
- Legitimate interests: Platform security, fraud prevention, service improvement, quality assurance and dispute resolution, including the generation and review of Session transcripts.
- Consent: Marketing communications and optional tracking cookies. In limited cases, we may also rely on consent for specific optional features that allow Users to save or share their Session transcripts for their own later use.
3. How We Use Your Information
- Facilitate Expert bookings, payments, and Session management.
- Verify Expert credentials and maintain platform trust and safety.
- Improve platform functionality and user experience through analytics and personalization.
- Respond to support queries, complaints, or disputes.
- Send marketing communications only with explicit consent.
- Fulfill legal obligations, regulatory compliance, and fraud prevention.
4. Sharing Your Information
We do not sell personal data. Sharing occurs only where necessary:
- Experts: Limited information (name, email, Session details) shared to enable consultations.
- Payment Processors: Securely handle transactions.
- Service Providers: IT, analytics, customer support, or platform improvement services.
- Legal Authorities: To comply with legal obligations, law enforcement, or regulatory requests.
- Other Users: Profile name, rating, and non-sensitive information required for booking.
- Third‑party service providers: We use certain third‑party service providers (data processors) to help us operate Lumotalk. These providers only process personal data on our instructions and are contractually required to protect it. In particular:
  - Clerk – provides authentication and identity management, including handling sign‑ins and session management.
  - Stripe – processes payments and related billing information on our behalf.
  - Google – provides calendar integration and scheduling when you choose to connect your Google account.
- Special Note for Financial Advisors: Regulatory identifiers may be shared with Users to verify professional status.
5. Data Storage, Retention, and Security
5.1 Storage Locations
- Data is stored securely on servers in the UK, and some processing may be carried out by service providers located in other countries (see "International Data Transfers" below).
5.2 Security Measures
- We have implemented appropriate and reasonable technical and organisational measures designed to protect the personal data we process. However, no electronic transmission over the Internet or information storage system can be guaranteed to be 100% secure. Therefore, while we strive to protect your information, we cannot guarantee absolute security or that unauthorized third parties (such as hackers or cybercriminals) will never be able to defeat our safeguards.
- You are responsible for any personal information transmitted to our Services and should only access the platform within a secure environment.
- Access to personal data is strictly limited to authorised personnel who require it to perform their duties — such as customer support, technical operations, platform security, or the investigation of suspected non-compliant activities. All such access is controlled and monitored.
5.3 Retention
- Personal data is retained only as long as necessary for platform services, legal obligations, or legitimate business interests.
- Anonymised or aggregated data may be kept indefinitely for analytics and research purposes.
- Session transcripts are retained only for as long as necessary for quality assurance, safety monitoring and dispute resolution, after which they are deleted or anonymised in line with this Policy.
6. User Rights (UK GDPR)
Users and Experts have the following rights:
- Access: You have the right to ask us for copies of your personal data and certain other information about how we use it. You can read more about the right of access on the ICO's website: https://ico.org.uk/your-data-protection-rights.
- Correction: You have the right to ask us to correct or complete personal data you think is inaccurate or incomplete. See the ICO guidance on rectification for more detail: https://ico.org.uk/your-data-protection-rights.
- Deletion: You have the right to ask us to delete your personal data in certain circumstances. More information: https://ico.org.uk/your-data-protection-rights.
- Objection: You have the right to object to our processing of your personal data in some situations, including where we rely on legitimate interests. More information: https://ico.org.uk/your-data-protection-rights.
- Restriction: You have the right to ask us to limit how we use your personal data in certain circumstances. More information: https://ico.org.uk/your-data-protection-rights.
- Data Portability: You have the right to ask that we transfer personal data you gave us to another organisation, or to you, in certain circumstances. More information: https://ico.org.uk/your-data-protection-rights.
- Withdraw Consent: Where we rely on consent, you have the right to withdraw that consent at any time. More information: https://ico.org.uk/your-data-protection-rights.
You can read more about your data protection rights and when they apply on the ICO's website at https://ico.org.uk.
To exercise your rights, reach out to us on contact@lumatalk.com.
If you remain unhappy with how we have used your personal data after raising a complaint with us, you can also complain to the ICO.
The ICO's address:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
7. International Data Transfers
- Some of our service providers are located outside the UK and the European Economic Area (EEA), including in the United States. This means that personal data may be transferred to and processed in countries that do not have the same data protection laws as the UK.
- When we transfer personal data outside the UK, we rely on legally recognised transfer mechanisms such as the UK Addendum to the EU Standard Contractual Clauses, or (where applicable) the EU-U.S. / UK-U.S. Data Privacy Framework. These safeguards ensure that your personal data continues to receive a level of protection essentially equivalent to UK GDPR. You continue to have all of your usual data protection rights.
- Access by third-party providers in other jurisdictions is strictly limited to what is necessary for them to deliver their services to Lumotalk and is governed by contract. We use trusted third-party providers to operate our platform securely, including:
  - Clerk for authentication (primarily US-based)
  - Stripe for payments (primarily US-based)
  - Render for managed servers (primarily US-based)
  - Google Calendar for scheduling and calendar sync (primarily US-based)
- These providers implement recognised international transfer safeguards and are contractually required to protect your data in line with UK GDPR standards.
8. Cookies and Tracking
- Lumotalk uses cookies and similar technologies only where necessary to operate the platform securely and reliably. We do not use cookies for advertising, cross‑site tracking, or marketing analytics.
- Strictly necessary cookies: These cookies are required for the operation, security and lawful functioning of our platform. They are set by our authentication provider (currently Clerk) to verify user identity, maintain secure sessions, protect accounts and enable access to protected areas of the platform. The use of these cookies is based on our legitimate interests in ensuring the security and integrity of our services, in accordance with Article 6(1)(f) of the UK GDPR. Without these cookies, you will not be able to sign in or use certain essential features.
- Cookie names and purpose: Authentication cookies (such as clerk_session or __session) are used so that our backend can recognise authorised requests and keep you signed in securely. These cookies are typically set with security options such as HttpOnly, Secure and SameSite restrictions.
- Duration: Session cookies expire when you log out or when your session is invalidated. Any persistent cookies used by our authentication provider may remain until their set expiry or until you clear them in your browser.
- Your controls: You can clear or block cookies at any time through your browser settings. However, disabling our strictly necessary authentication cookies will prevent you from signing in or accessing secure areas of the platform.
- For more information about how we process personal data, please also see the other sections of this Privacy Policy.
9. Children's Privacy
- Lumotalk is not intended for anyone under 18.
- We do not knowingly collect data from minors.
- Any data inadvertently collected will be deleted immediately.
10. Marketing Communications
- Only sent with explicit consent.
- Users may unsubscribe or withdraw consent at any time via account settings or email.
11. Expert Data Specifics
- Financial Advisors: FCA authorisation numbers and key professional credentials may be displayed on your Lumotalk profile and in booking flows so that Users can verify your status (for example, by checking the FCA Register).
- Only the minimum necessary personal and professional data is shared for Sessions.
- Sensitive professional data is subject to enhanced security measures.
12. Third-Party Services
- The platform may integrate analytics, marketing, or payment providers.
- Third parties are contractually obliged to comply with GDPR and data protection standards.
13. Breach Notification
- Lumotalk maintains procedures to detect, report, and investigate personal data breaches.
- In case of a breach affecting personal data, the ICO and affected individuals will be notified in accordance with legal timelines.
14. Data Minimisation and Purpose Limitation
- Only data necessary for legitimate purposes is collected.
- Personal data is processed strictly for stated purposes and not kept longer than necessary.
15. Automated Decision-Making and Profiling
- Data may be used for analytics, personalisation and recommendations (for example, to surface relevant Experts or content or to flag potential quality or safety issues).
- We do not make decisions that produce legal or similarly significant effects based solely on automated processing. Any significant actions affecting Users or Experts (such as suspensions or account restrictions) are subject to human review.
16. Legal Obligations and Law Enforcement
- Data may be disclosed to comply with laws, prevent fraud, or respond to lawful requests.
- This includes regulators, courts, and law enforcement agencies.
17. User Responsibilities
- Provide accurate, complete, and up-to-date information.
- Maintain confidentiality of account credentials.
- Report any suspected security breaches.
18. Expert Responsibilities
- Provide accurate professional and regulatory information.
- Financial Advisors must comply with all FCA obligations in relation to any regulated activities they perform outside the Platform and must ensure that their use of Lumotalk is limited to non‑regulated, guidance‑only services.
19. Retention Schedule
| Data Type | Retention Period | Justification |
|---|---|---|
| User account info | Duration of account + 3 years | Contractual needs, handling late queries/disputes, audit trail |
| Payment data | 7 years | HMRC and financial record‑keeping requirements |
| Expert profile/credentials | Duration of account + 7 years | Regulatory verification and potential dispute history |
| Routine communication logs (in‑app messages, normal support emails) | 2–3 years | Customer service history and short‑tail dispute resolution |
| Flagged communications (complaints, chargebacks, safety or fraud incidents) | Up to 5–7 years | Legal limitation periods, regulatory and compliance evidence |
Where the applicable retention period has ended, personal data is securely deleted or anonymised so that it can no longer be linked to an identified individual.
20. Policy Updates
- Changes will be posted on this page.
- Material updates communicated via email or platform notifications.
- Continued use of Lumotalk constitutes acceptance of the updated policy.
21. Contact Information
- Email: contact@lumatalk.com
- Registered Address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
- For questions, complaints, or exercising privacy rights.
22. Supervisory Authority
- UK ICO (Information Commissioner's Office) oversees compliance with UK GDPR.
- ICO Website: https://ico.org.uk
23. Acknowledgement
- By using Lumotalk, Users and Experts acknowledge understanding of this Privacy Policy.
- Financial Advisors acknowledge responsibility for compliance with FCA regulations and data protection obligations in relation to any regulated activities they perform outside the Platform, and confirm that their use of Lumotalk is limited to guidance‑only services.