Lumi

Data Processing Agreement

Last updated: March 2026

DRAFT — This document is under review and not yet finalised.

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

  • Lumi("Processor") — the provider of the Lumi platform, responsible for processing personal data on behalf of the Controller.
  • The Grooming Business("Controller") — the business entity that subscribes to Lumi and determines the purposes and means of processing personal data.

This DPA forms part of the Platform Agreement between Lumi and the Controller and governs the processing of personal data in accordance with the New Zealand Privacy Act 2020.

2. Definitions

  • Personal Data — any information about an identifiable individual, as defined by the Privacy Act 2020.
  • Processing — any operation performed on personal data, including collection, storage, use, disclosure, modification, and deletion.
  • Data Subject— the individuals whose personal data is processed, primarily the Controller's customers and their pet owners.
  • Controller — the grooming business that determines the purposes and means of processing personal data through the Lumi platform.
  • Processor — Lumi, which processes personal data on behalf of the Controller in accordance with this DPA.

3. Scope & Purpose

Lumi processes personal data solely to provide the platform services as described in the Platform Agreement. This includes:

  • Booking and appointment management
  • Customer communications via SMS and email (confirmations, reminders, marketing)
  • Payment facilitation and invoicing
  • Business analytics and reporting
  • AI-powered features (smart scheduling, automated communications)
  • Customer relationship management

Lumi will not process personal data for any purpose other than providing the services, unless required by law or with the Controller's explicit written consent.

4. Types of Personal Data Processed

The following categories of personal data may be processed through the platform:

  • Customer names and contact details (email, phone number, address)
  • Pet information (names, breeds, health notes, grooming preferences)
  • Booking history and appointment records
  • Payment status and transaction references
  • Communication logs (SMS and email records)
  • Intake form responses and customer notes
  • Waiver and consent signatures
  • Staff member details (names, contact information, work schedules)

5. Processor Obligations

Lumi, as Processor, undertakes to:

  • Process personal data only on the Controller's documented instructions, unless required by law.
  • Ensure that all personnel with access to personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational security measures to protect personal data.
  • Assist the Controller in responding to data subject requests (access, correction, deletion).
  • Notify the Controller of any data breach within 72 hours of becoming aware of it.
  • Delete or return all personal data within 60 days of termination of the Platform Agreement, unless retention is required by law.
  • Make available information necessary to demonstrate compliance with this DPA.

6. Sub-Processors

The Controller authorises Lumi to engage the following sub-processors in the delivery of the platform services:

  • Stripe — payment processing and billing
  • TNZ (The New Zealand SMS Gateway) — SMS delivery
  • Resend — transactional and marketing email delivery
  • Clerk — user authentication and identity management
  • Convex — database hosting and backend infrastructure
  • Sentry — error monitoring and application performance (may include anonymised usage data)
  • Xero — accounting integration (when connected by the Controller)
  • Mailchimp — marketing email integration (when connected by the Controller)

Lumi will provide at least 30 days' written notice before engaging any new sub-processor. The Controller may object to a new sub-processor within that notice period. If the objection cannot be reasonably resolved, the Controller may terminate the affected services.

7. Data Security Measures

Lumi implements appropriate technical and organisational measures to protect personal data, including:

  • TLS encryption for all data in transit
  • Encryption at rest for stored personal data
  • Role-based access controls limiting data access to authorised personnel
  • Secure authentication via Clerk (including multi-factor authentication support)
  • Regular security reviews and updates
  • Automatic session management and secure token handling

8. Data Subject Rights

Under the NZ Privacy Act 2020, data subjects have the right to access and request correction of their personal information. The Controller is responsible for responding to such requests.

Lumi will assist the Controller in fulfilling data subject requests by providing tools to access, export, correct, and delete customer data within the platform. The Controller must respond to data subject requests within 20 working days, as required by the Privacy Act.

9. Data Breach Notification

In the event of a data breach affecting personal data processed under this DPA, Lumi will:

  • Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach.
  • Provide details of the nature of the breach, the categories and approximate number of data subjects affected, and the likely consequences.
  • Describe the measures taken or proposed to address the breach and mitigate its effects.
  • Assist the Controller with any notification to the Office of the Privacy Commissioner, if the breach is deemed a notifiable privacy breach under the Privacy Act 2020.

10. International Data Transfers

Personal data may be processed and stored outside of New Zealand through our cloud infrastructure providers and sub-processors. Where data is transferred internationally, Lumi ensures that appropriate safeguards are in place, including:

  • Engaging only sub-processors with robust data protection practices and security certifications.
  • Ensuring that transferred data receives a comparable level of protection to that required under the NZ Privacy Act 2020.
  • Maintaining contractual obligations with sub-processors that include data protection requirements.

11. Audit Rights

The Controller may request information about Lumi's data processing activities to verify compliance with this DPA. Lumi will provide reasonable cooperation, including:

  • Responding to written requests for information about processing activities and security measures.
  • Providing summaries of third-party security assessments or certifications, where available.
  • Allowing reasonable audit requests with at least 30 days' advance notice, during normal business hours.

12. Term & Termination

This DPA is effective for the duration of the Controller's subscription to the Lumi platform. Upon termination of the Platform Agreement:

  • The Controller has a 30-day window to export their data using the platform's export tools.
  • Lumi will delete all personal data within 60 days of termination, unless retention is required by law or a legitimate legal obligation.
  • Upon request, Lumi will provide written confirmation that deletion has been completed.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Platform Agreement (Terms of Service). Nothing in this DPA limits either party's liability for breaches of the NZ Privacy Act 2020 to the extent such liability cannot be lawfully excluded.

14. Contact

For questions about this Data Processing Agreement or to exercise any rights described herein, contact us at hello@lumiplatform.co.nz.