Privacy Policy
Effective Date: 15-03-2026
1. Information We Collect
1.1 Information You Provide
- Personal Account Details: Name, email address, phone number, password, and other registration data.
- Payment Information: Billing details and transaction history; processed by a third-party provider called Stripe. Lumotalk does not store full card details.
- Profile Data (Experts): Professional qualifications, certifications, work experience, bio, profile images, regulatory authorisation numbers (e.g., FCA authorisation for Financial Advisors).
- Communication Data: Messages, queries, support requests, and Session transcripts.
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, session duration, and platform interactions.
- Device Data: IP address, browser type, device type, operating system, and network information.
- Cookies and Tracking: For platform security and authentication (strictly necessary), usage analytics via Google Analytics, and advertising measurement via Reddit Ads. See Section 8 for full details.
1.3 Third-Party Data
- Data from authentication and calendar providers (e.g., Google): If you choose to connect your Google account, Lumotalk will access only the specific data that you grant permission for — such as your Google Calendar availability, free/busy status, list of calendars, and (where strictly necessary) the ability to create, update, or delete events in your selected calendar(s). This allows us to display your availability, manage bookings, and keep your schedule updated. We do not access email content, contacts, or any other Google data outside the permissions you explicitly approve.
- Professional verification or background check data to validate Expert credentials.
2. Lawful Basis for Processing
- We process your personal data under one or more of the following legal bases:
- Performance of a contract: To provide platform services, facilitate bookings, and process payments.
- Legal obligations: Compliance with UK laws, tax, and regulatory requirements (e.g., FCA rules for Financial Advisors).
- Legitimate interests: Platform security, fraud prevention, service improvement, quality assurance and dispute resolution, including the generation and review of Session transcripts.
- Consent: Marketing communications and optional tracking cookies. In limited cases, we may also rely on consent for specific optional features that allow Users to save or share their Session transcripts for their own later use.
3. How We Use Your Information
- Facilitate Expert bookings, payments, and Session management.
- Verify Expert credentials and maintain platform trust and safety.
- Improve platform functionality and user experience through analytics and personalization.
- Respond to support queries, complaints, or disputes.
- Process questions you submit to our AI guidance tool by sending them to the Anthropic and OpenAI APIs, which generate responses on our behalf. We store the question and response for service improvement and abuse prevention. Questions are not used to train Anthropic's and OpenAI's models.
- Send marketing communications only with explicit consent.
- Fulfill legal obligations, regulatory compliance, and fraud prevention.
4. Sharing Your Information
- We do not sell personal data. Sharing occurs only where necessary:
- Experts: Limited information (name, email, Session details) shared to enable consultations.
- Payment Processors: Securely handle transactions.
- Service Providers: IT, analytics, customer support, or platform improvement services.
- Legal Authorities: To comply with legal obligations, law enforcement, or regulatory requests.
- Other Users: Profile name, rating, and non-sensitive information required for booking.
- Third‑party service providers: We use certain third‑party service providers (data processors) to help us operate Lumotalk. These providers only process personal data on our instructions and are contractually required to protect it. In particular:
- Clerk – provides authentication and identity management, including handling sign‑ins and session management.
- Stripe – processes payments and related billing information on our behalf.
- Google – provides calendar integration and scheduling when you choose to connect your Google account.
- Google Analytics (GA4) – collects anonymised usage and behavioural data (pages visited, events triggered, session duration) to help us understand how users interact with the platform and improve our services. Data is processed by Google LLC in the US.
- Anthropic and OpenAI – process questions you submit to our AI guidance feature to generate responses via the Claude and OpenAI APIs. Your question text is sent to Anthropic's and OpenAI's servers to produce an answer; it is not used to train Anthropic's and OpenAI's models. Data is processed by Anthropic PBC and OpenAI LLC in the US.
- Reddit – if you arrive at Lumotalk via a Reddit advertisement, Reddit's pixel may record your visit and actions (such as page views or sign-ups) for ad performance measurement. Data is processed by Reddit Inc. in the US.
- Special Note for Financial Advisors: Regulatory identifiers may be shared with Users to verify professional status.
5. Data Storage, Retention, and Security
5.1 Storage Locations
- Data is stored securely on servers in the UK, and some processing may be carried out by service providers located in other countries (see "International Data Transfers" below).
5.2 Security Measures
- We have implemented appropriate and reasonable technical and organisational measures designed to protect the personal data we process. However, no electronic transmission over the Internet or information storage system can be guaranteed to be 100% secure. Therefore, while we strive to protect your information, we cannot guarantee absolute security or that unauthorized third parties (such as hackers or cybercriminals) will never be able to defeat our safeguards.
- You are responsible for any personal information transmitted to our Services and should only access the platform within a secure environment.
- Access to personal data is strictly limited to authorised personnel who require it to perform their duties — such as customer support, technical operations, platform security, or the investigation of suspected non-compliant activities. All such access is controlled and monitored.
5.3 Retention
- Personal data is retained only as long as necessary for platform services, legal obligations, or legitimate business interests.
- Anonymised or aggregated data may be kept indefinitely for analytics and research purposes.
- Session transcripts are retained only for as long as necessary for quality assurance, safety monitoring and dispute resolution, after which they are deleted or anonymised in line with this Policy.
6. User Rights (UK GDPR)
- Users and Experts have the following rights:
- Access: You have the right to ask us for copies of your personal data and certain other information about how we use it. You can read more about the right of access on the ICO's website: https://ico.org.uk/your-data-protection-rights.
- Correction: You have the right to ask us to correct or complete personal data you think is inaccurate or incomplete. See the ICO guidance on rectification for more detail: https://ico.org.uk/your-data-protection-rights.
- Deletion: You have the right to ask us to delete your personal data in certain circumstances. More information: https://ico.org.uk/your-data-protection-rights.
- Objection: You have the right to object to our processing of your personal data in some situations, including where we rely on legitimate interests. More information: https://ico.org.uk/your-data-protection-rights.
- Restriction: You have the right to ask us to limit how we use your personal data in certain circumstances. More information: https://ico.org.uk/your-data-protection-rights.
- Data Portability: You have the right to ask that we transfer personal data you gave us to another organisation, or to you, in certain circumstances. More information: https://ico.org.uk/your-data-protection-rights.
- Withdraw Consent: Where we rely on consent, you have the right to withdraw that consent at any time. More information: https://ico.org.uk/your-data-protection-rights.
You can read more about your data protection rights and when they apply on the ICO's website at https://ico.org.uk.
To exercise your rights, reach out to us on contact@lumatalk.com.
If you remain unhappy with how we have used your personal data after raising a complaint with us, you can also complain to the ICO.
The ICO's address:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
7. International Data Transfers
- Some of our service providers are located outside the UK and the European Economic Area (EEA), including in the United States. This means that personal data may be transferred to and processed in countries that do not have the same data protection laws as the UK.
- When we transfer personal data outside the UK, we rely on legally recognised transfer mechanisms such as the UK Addendum to the EU Standard Contractual Clauses, or (where applicable) the EU-U.S. / UK-U.S. Data Privacy Framework. These safeguards ensure that your personal data continues to receive a level of protection essentially equivalent to UK GDPR. You continue to have all of your usual data protection rights.
- Access by third-party providers in other jurisdictions is strictly limited to what is necessary for them to deliver their services to Lumotalk and is governed by contract. We use trusted third-party providers to operate our platform securely, including:
- Clerk for authentication (primarily US-based)
- Stripe for payments (primarily US-based)
- Render for managed servers (primarily US-based)
- Google Calendar for scheduling and calendar sync (primarily US-based)
- Google Analytics for usage analytics (primarily US-based)
- Anthropic and OpenAI for AI guidance question processing via the Claude and OpenAI APIs (primarily US-based)
- Reddit for advertising measurement via Reddit Pixel (primarily US-based)
- These providers implement recognised international transfer safeguards and are contractually required to protect your data in line with UK GDPR standards.
8. Cookies and Tracking
Lumotalk uses cookies and similar tracking technologies for three purposes: platform security, usage analytics, and advertising measurement. Details of each category are set out below.
- Strictly necessary cookies: Required for the security and lawful functioning of our platform. Set by our authentication provider (Clerk) to verify your identity, maintain secure sessions, and enable access to protected areas. Based on our legitimate interests under Article 6(1)(f) UK GDPR. Without these cookies you cannot sign in. Authentication cookies (such as __clerk_db_jwt or __session) are set with HttpOnly, Secure, and SameSite restrictions. Session cookies expire on logout; persistent cookies expire at the date set by Clerk or when cleared by you.
- Analytics cookies — Google Analytics (GA4): We use Google Analytics 4 to collect anonymised data about how visitors use our website (pages visited, events triggered, session duration, approximate location derived from IP). This helps us improve the platform. Google Analytics sets cookies such as _ga and _ga_* which persist for up to 2 years. Data is processed by Google LLC in the United States under standard contractual clauses. Google Analytics data is not used to identify you personally. You can opt out by installing the Google Analytics Opt-out Browser Add-on or adjusting your browser cookie settings.
- Advertising measurement — Reddit Pixel: If you arrive at Lumotalk via a Reddit advertisement, Reddit's conversion pixel may record your visit and actions (such as page views or sign-ups) to measure the performance of our ads. Reddit may set cookies or use pixel-based tracking. Data is processed by Reddit Inc. in the United States. This tracking occurs only if you arrived via a Reddit ad and is subject to Reddit's own privacy policy. You can opt out of personalised Reddit advertising through Reddit's privacy settings.
- Your controls: You can clear or block cookies at any time through your browser settings. Blocking strictly necessary cookies will prevent sign-in. Blocking analytics or advertising cookies will not affect your ability to use the platform. You may also use your browser's Do Not Track setting, though not all third-party services honour this signal.
9. Children's Privacy
- Lumotalk is not intended for anyone under 18.
- We do not knowingly collect data from minors.
- Any data inadvertently collected will be deleted immediately.
10. Marketing Communications
- Only sent with explicit consent.
- Users may unsubscribe or withdraw consent at any time via account settings or email.
11. Expert Data Specifics
- Financial Advisors: FCA authorisation numbers and key professional credentials may be displayed on your Lumotalk profile and in booking flows so that Users can verify your status (for example, by checking the FCA Register).
- Only the minimum necessary personal and professional data is shared for Sessions.
- Sensitive professional data is subject to enhanced security measures.
12. Third-Party Services
- The platform may integrate analytics, marketing, or payment providers.
- Third parties are contractually obliged to comply with GDPR and data protection standards.
13. Breach Notification
- Lumotalk maintains procedures to detect, report, and investigate personal data breaches.
- In case of a breach affecting personal data, the ICO and affected individuals will be notified in accordance with legal timelines.
14. Data Minimisation and Purpose Limitation
- Only data necessary for legitimate purposes is collected.
- Personal data is processed strictly for stated purposes and not kept longer than necessary.
15. Automated Decision-Making and Profiling
- Data may be used for analytics, personalisation and recommendations (for example, to surface relevant Experts or content or to flag potential quality or safety issues).
- We do not make decisions that produce legal or similarly significant effects based solely on automated processing. Any significant actions affecting Users or Experts (such as suspensions or account restrictions) are subject to human review.
16. Legal Obligations and Law Enforcement
- Data may be disclosed to comply with laws, prevent fraud, or respond to lawful requests.
- This includes regulators, courts, and law enforcement agencies.
17. User Responsibilities
- Provide accurate, complete, and up-to-date information.
- Maintain confidentiality of account credentials.
- Report any suspected security breaches.
18. Expert Responsibilities
- Provide accurate professional and regulatory information.
- Financial Advisors must comply with all FCA obligations in relation to any regulated activities they perform outside the Platform and must ensure that their use of Lumotalk is limited to non‑regulated, guidance‑only services.
19. Retention Schedule
| Data Type | Retention Period | Justification |
|---|---|---|
| User account info | Duration of account + 3 years | Contractual needs, handling late queries/disputes, audit trail |
| Payment data | 7 years | HMRC and financial record‑keeping requirements |
| Expert profile/credentials | Duration of account + 7 years | Regulatory verification and potential dispute history |
| Routine communication logs (in‑app messages, normal support emails) | 2–3 years | Customer service history and short‑tail dispute resolution |
| Flagged communications (complaints, chargebacks, safety or fraud incidents) | Up to 5–7 years | Legal limitation periods, regulatory and compliance evidence |
Where the applicable retention period has ended, personal data is securely deleted or anonymised so that it can no longer be linked to an identified individual.
20. Policy Updates
- Changes will be posted on this page.
- Material updates communicated via email or platform notifications.
- Continued use of Lumotalk constitutes acceptance of updated policy.
21. Contact Information
- Email: contact@lumatalk.com
- Registered Address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
- For questions, complaints, or exercising privacy rights.
22. Supervisory Authority
- UK ICO (Information Commissioner's Office) oversees compliance with UK GDPR.
- ICO Website: https://ico.org.uk
23. Acknowledgement
- By using Lumotalk, Users and Experts acknowledge understanding of this Privacy Policy.
- Financial Advisors acknowledge responsibility for compliance with FCA regulations and data protection obligations in relation to any regulated activities they perform outside the Platform, and confirm that their use of Lumotalk is limited to guidance‑only services.