Version 1.0

Privacy Policy

Effective date: 1 June 2026

This Privacy Policy explains how Luuma processes personal data in connection with the Luuma digital signage, EPOS insights, analytics, reporting, and operational intelligence platform.

Luuma is a business-to-business service sold primarily through EPOS resellers and support providers. In many customer deployments, Luuma acts as a processor or sub-processor for merchant data. For our own account administration, support, billing, website, and security operations, Luuma may act as a controller.

Luuma LTD is registered in England and Wales under company number 16763866. Our registered office is 38 Green Close, Renishaw, S21 3WS. You can contact us about privacy matters at data@luuma.cloud.

1. Who this policy applies to

This policy applies to reseller staff, merchant staff, authorised Luuma users, support contacts, prospects, website visitors, and other business contacts who use or interact with Luuma.

Where we process Customer Data on behalf of a reseller, support provider, or merchant, that organisation is normally the controller and is responsible for providing any privacy notice required for its own staff or other data subjects.

2. Data we collect and process

Luuma is designed for EPOS reporting, signage, analytics, and operational intelligence. The platform may process the following categories of data.

  • Account and user data: business email addresses, names where provided, roles, permissions, organisation membership, reseller or client relationship, login metadata, password hashes, and support contact details.
  • EPOS and sales data: sales totals, revenue figures, product sales, receipt data, menu and category performance, tender and payment summaries, till metadata, product catalogues, TouchMenu configuration, and related ICRTouch or EPOS data.
  • Operational personal data: clerk, operator, or staff IDs where present in EPOS exports, reports, receipts, or operational feeds. These IDs should be treated as personal data under UK GDPR where they can identify or be linked to an individual staff member.
  • Signage and media data: uploaded media, playlist configuration, screen groups, display schedules, device pairing data, playback state, and screen or player identifiers.
  • Device and telemetry data: device information, operating system or player version, diagnostic events, heartbeat data, operational telemetry, IP-derived connection data, error logs, and integration status.
  • Commercial and support data: reseller contacts, merchant contacts, subscription records, billing references, support requests, service communications, and implementation notes.
  • Website and cookie data: basic technical information such as IP address, browser type, device type, pages viewed, and cookie preferences where applicable.

3. Data we do not intentionally collect

Luuma does not intentionally collect customer names, customer addresses, customer emails, card numbers, payment credentials, loyalty programme data, or clerk/operator names.

If source EPOS systems, reports, uploads, or integrations contain unexpected personal data, including staff names, it may be processed incidentally as part of providing the Services. Customers and resellers should configure source systems to avoid sending unnecessary personal data to Luuma.

4. Purposes of processing

  • To provide, operate, maintain, and secure the Luuma platform.
  • To ingest, transform, display, and report on EPOS, ICRTouch, signage, and operational data.
  • To create analytics, reports, operational summaries, dashboards, and signage outputs.
  • To manage reseller, support provider, and merchant accounts.
  • To provide customer support, onboarding, diagnostics, maintenance, and troubleshooting.
  • To process subscriptions, billing records, renewals, and commercial administration.
  • To monitor reliability, detect abuse, investigate incidents, and improve the Services.
  • To comply with legal, accounting, tax, security, and regulatory obligations.

5. Legal basis

Where Luuma acts as a controller, we rely on one or more of the following legal bases under UK GDPR.

  • Contract: to provide the Services, manage accounts, authenticate users, and respond to support requests.
  • Legitimate interests: to operate a secure B2B SaaS platform, support customers and resellers, improve reliability, prevent abuse, and communicate with business contacts.
  • Legal obligation: to meet accounting, tax, regulatory, security, and legal record-keeping requirements.
  • Consent: where required for optional cookies, marketing communications, or similar optional activities.
  • Processor activity: where Luuma acts as processor or sub-processor, the controller determines the lawful basis for the underlying Customer Data processing.

6. Cookies

Luuma may use cookies and similar technologies to keep users signed in, remember preferences, support security, and understand basic website usage. Essential cookies are required for the service to work. Optional analytics or marketing cookies, if introduced, should only be used where a valid legal basis has been established.

Luuma does not currently use non-essential analytics or marketing cookies on the core application. If this changes, Luuma will update this policy or provide additional cookie information.

7. Sharing and subprocessors

Luuma may share data with service providers that help us operate the Services. These providers act under contract and are only permitted to process data for authorised purposes.

  • Cloud hosting, database, networking, and infrastructure providers.
  • Object storage and content delivery providers.
  • Email delivery and support communication providers.
  • Payment and subscription processing providers.
  • Media processing providers, including video processing where enabled.
  • Monitoring, logging, diagnostics, and security tooling providers.
  • AI or analytics providers where AI-assisted reporting or content generation features are enabled.
  • Professional advisers, regulators, law enforcement, or courts where legally required.
  • Vercel: application hosting, deployment, edge delivery, and platform logs. Region: global, including United States.
  • MongoDB: database hosting, backup, and managed database operations. Region: the configured database cluster region and MongoDB's service locations.
  • Amazon Web Services: object storage, release storage, media storage, and related infrastructure. Region: AWS S3 is currently configured for eu-north-1.
  • Mux: video upload, processing, hosting, and delivery. Region: global, including United States.
  • Stripe: billing, subscription, payment administration, fraud prevention, and related financial operations. Region: Ireland, United States, and global service locations.
  • Resend: transactional email delivery and related email metadata. Region: United States and global service locations.
  • OpenRouter: AI request routing and AI usage infrastructure for enabled AI features. Region: United States and global provider locations.
  • OpenAI: AI model processing where OpenAI-backed models are enabled through OpenRouter. Region: United States and other OpenAI service locations.

8. International transfers

Some service providers may process data outside the UK. Where personal data is transferred internationally, Luuma aims to use appropriate safeguards such as UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU standard contractual clauses, or other lawful transfer mechanisms.

Customers should review the DPA and any current subprocessor list for details of international transfer arrangements.

9. Retention

Luuma retains personal data only for as long as reasonably necessary for the purposes described in this policy, to provide the Services, to meet legal or accounting requirements, to resolve disputes, and to enforce agreements.

  • Account and organisation records are normally retained while the account is active and for up to 6 years after closure where needed for legal, accounting, contractual, or dispute-resolution purposes.
  • Billing and payment administration records are normally retained for up to 6 years.
  • EPOS, reporting, receipt, signage, media, and operational data is normally retained for the term of the customer relationship and deleted or anonymised within a reasonable period after termination or a verified deletion request, unless a longer period is required by law or agreement.
  • Security, diagnostic, audit, and access logs are normally retained for up to 12 months, but may be kept for longer where needed to investigate incidents, abuse, disputes, or legal obligations.
  • Backup copies may persist for up to 90 days before being overwritten or deleted according to backup schedules.

10. Security

Luuma implements technical and organisational measures designed to protect personal data, including encryption in transit, password hashing, role-based access controls, environment separation, monitoring, backup practices, and operational access controls.

No online service can guarantee absolute security. Customers and users must protect their credentials, use appropriate access controls, and notify Luuma promptly of suspected misuse.

11. Your rights

Depending on the circumstances, individuals may have the right to access, correct, or delete their personal data, to restrict or object to processing, to request portability, to withdraw consent, and to complain to the Information Commissioner's Office.

Where Luuma acts as processor or sub-processor, requests relating to Customer Data should usually be made to the relevant controller, such as the merchant, reseller, or support provider. Luuma will assist controllers as required by applicable data protection terms.

12. Contact

For privacy questions, contact data@luuma.cloud.

Postal address: Luuma LTD, 38 Green Close, Renishaw, S21 3WS.

If you are in the UK, you also have the right to complain to the Information Commissioner's Office at ico.org.uk.