1. Who we are
This Privacy Policy describes how Nunu Company ("Lumo", "we", "us"), with offices at Av. Ayrton Senna, 200, sala 605, torre 2, Rio de Janeiro – RJ, Brazil, processes personal data when you use our websites, web app, mobile apps, and APIs (collectively, the "Service"). Lumo is the data controller for the personal data described below and acts as "controlador" under the Brazilian General Data Protection Law (LGPD – Lei 13.709/2018). For privacy questions, contact our Data Protection Officer at privacy@lumo.ai.
2. Data we collect
Account data
When you create an account we collect your email address, a hashed password (or an OAuth identifier if you sign in with Apple or Google), display name, and profile picture if you set one.
Content data
We process the prompts, reference images, audio, and other material you submit ("Inputs"), and the images and videos generated for you ("Outputs"). Inputs and Outputs are stored so you can revisit them in your library and so we can deliver, secure, and improve the Service.
Billing data
Payments are processed by our payment partners (e.g. Stripe, Apple, Google). We receive transaction metadata (amount, currency, status, last four digits, country) — we do not store your full card number.
Device and usage data
We automatically collect technical data such as IP address, device type, operating system, browser, app version, language, timezone, referring URL, and interaction events (pages viewed, features used, generations started/completed, error logs). This data helps us run the Service, fight abuse, and understand how the product is used.
Cookies and similar technologies
We use strictly necessary cookies to keep you signed in and secure the Service. With your consent where required, we also use analytics cookies to understand product usage. You can manage cookies through your browser or our in-product cookie controls.
3. How we use your data
- Deliver the Service: authenticate you, run generations, store your library, and provide customer support.
- Billing: process payments, manage subscriptions, send receipts, and handle taxes.
- Safety & abuse prevention: detect fraud, prevent CSAM and other prohibited content, enforce our Terms, and protect users.
- Product improvement: analyze usage in aggregate to improve features, reliability, and performance.
- Communications: send transactional messages (e.g. password reset, receipts) and, with your consent where required, product updates and marketing.
- Legal compliance: comply with applicable laws and respond to lawful requests.
We do not sell your personal data, and we do not use your Inputs or Outputs to train our own foundation models.
4. AI model providers
When you generate content, your Inputs (and any required metadata) are forwarded to the AI model provider you selected — for example, Google Veo and Gemini, Kling, or OpenAI's GPT-Image. Those providers process the data on our behalf as sub-processors under contractual safeguards and only for the purpose of returning the requested output. Each provider has its own privacy policy that applies to its processing.
5. Legal bases (LGPD, GDPR / UK)
We process personal data based on the following legal grounds, under the Brazilian LGPD (art. 7º and art. 11) and, where applicable, the GDPR (art. 6) and the UK GDPR:
- Performance of a contract (execução de contrato): to create your account, run generations, and process payments.
- Legitimate interests (legítimo interesse): to secure the Service, prevent abuse, and improve our product — balanced against your rights and freedoms.
- Consent (consentimento): for optional analytics cookies and marketing communications. You can withdraw consent at any time.
- Compliance with a legal or regulatory obligation (obrigação legal ou regulatória): to comply with tax, accounting, and other laws.
6. Sharing your data
We share personal data only with:
- Service providers that help us run the Service — cloud hosting, storage, email, analytics, payment processing, customer support, and AI model providers — under written data-processing agreements.
- Authorities and other third parties when required by law, to enforce our Terms, or to protect rights, safety, and security.
- Acquirers if Lumo is involved in a merger, acquisition, or asset sale — we will notify you and provide choices where required by law.
7. International transfers
Lumo is a global service operated from Brazil. Your data may be processed in countries other than your own, including the United States and the European Union (where some of our AI model providers and cloud infrastructure are hosted). We rely on appropriate safeguards — the European Commission's Standard Contractual Clauses (and the UK addendum where applicable), and the international-transfer requirements of the LGPD (art. 33) — when transferring personal data abroad.
8. Data retention
We keep account data for as long as your account is active. You can delete generations from your library at any time; deleted items are removed from active systems and purged from backups within 30 days. Billing records and abuse-prevention logs are kept for the periods required by applicable law (typically up to 7 years for accounting records). When you delete your account, we delete or anonymize your personal data unless a longer retention is required by law.
9. Security
We use industry-standard safeguards — encryption in transit, encrypted storage, access controls, least-privilege roles, and regular reviews — to protect your data. No method of transmission or storage is 100% secure; please notify us immediately at security@lumo.ai if you suspect a security issue.
10. Your rights
Under the LGPD (art. 18), Brazilian residents have the right to: confirm the existence of processing; access their data; correct incomplete, inaccurate, or outdated data; anonymize, block, or delete unnecessary or excessive data; request portability; delete data processed based on consent; obtain information about public and private entities with which we share data; be informed about the consequences of refusing consent; and revoke consent at any time.
Residents of the EEA and UK have equivalent rights under the GDPR, including the right to lodge a complaint with their local data-protection authority. Residents of California, Colorado, Connecticut, Virginia, and other US states with comprehensive privacy laws also have access, deletion, correction, and opt-out rights, including the right not to be discriminated against for exercising them. Brazilian residents may also file a complaint with the ANPD (Autoridade Nacional de Proteção de Dados). You can exercise your rights by writing to privacy@lumo.ai.
11. Children
The Service is not intended for children under 13 (or the minimum digital-consent age in your country, whichever is higher). If you believe a child has provided us personal data, please contact us and we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will post the new version on this page and update the "Last updated" date above. If changes are material, we will notify you through the Service or by email before they take effect.
13. Contact
Nunu Company — Data Protection Officer
Av. Ayrton Senna, 200, sala 605, torre 2
Rio de Janeiro – RJ, Brazil
For any privacy question or to exercise your rights, write to privacy@lumo.ai. See also our Terms of Use.
