Lumi

Privacy Policy

Last updated: March 2026

DRAFT — This policy should be reviewed by a qualified legal professional before use.

1. Who We Are

Lumi is a cloud-based business management platform designed for dog grooming businesses in New Zealand. Lumi is operated from New Zealand. This privacy policy explains how we collect, use, store, and protect personal information in accordance with the New Zealand Privacy Act 2020.

This policy covers two relationships: our direct relationship with grooming businesses that subscribe to Lumi (our "Business Subscribers"), and the personal information of their customers ("End Customers") that flows through the platform on behalf of those businesses.

If you have any questions about this policy, you can contact us at hello@lumiplatform.co.nz.

2. Information We Collect

We collect different categories of information depending on how you interact with Lumi.

2.1 Business Subscriber Data

When a grooming business signs up for Lumi, we collect:

  • Business owner name and contact details
  • Email address and phone number
  • Business name and physical address
  • Payment information (processed securely through Stripe — we do not store full card numbers)
  • Staff member names, roles, and contact details

2.2 End Customer Data

When businesses use Lumi to manage their customers, the following customer information may be stored in the platform:

  • Customer name
  • Email address and phone number
  • Physical address
  • Communication preferences

2.3 Pet Data

Businesses may record information about their customers' pets, including:

  • Pet name, breed, and size
  • Coat type and condition notes
  • Medical notes and behavioural information
  • Vaccination records and dates
  • Photos of pets

2.4 Booking and Transaction Data

  • Appointment dates, times, and durations
  • Services booked and pricing
  • Payment status and transaction history
  • Cancellation and rescheduling records

2.5 Communications Data

When businesses send SMS or email communications through Lumi, we retain:

  • Message content and delivery status
  • Recipient details
  • Timestamps of sent communications

2.6 Usage Data

We automatically collect certain technical and usage information, including:

  • Pages viewed and features used
  • Browser type and device information
  • IP address and approximate location
  • Referring website and session duration

2.7 AI Interaction Data

If you use Lumi's AI-powered features (such as the chatbot or AI assistant), we collect:

  • Queries and conversations with AI features
  • Responses generated by the AI on your behalf

AI interaction data is used to provide the feature and may be used in anonymised, aggregated form to improve the service.

3. How We Use Information

We use the information we collect to:

  • Provide, operate, and maintain the Lumi platform and its features
  • Process bookings, payments, and related transactions
  • Send SMS and email communications on behalf of businesses (such as appointment reminders, booking confirmations, and follow-ups)
  • Provide customer support and respond to enquiries
  • Generate business reports and analytics for Business Subscribers
  • Improve and develop the platform based on anonymised usage patterns
  • Detect and prevent fraud, abuse, or security issues
  • Comply with legal obligations under New Zealand law

We do not use End Customer data for our own marketing purposes. Communications are only sent on behalf of and as directed by the Business Subscriber.

4. Legal Basis for Processing

Under the NZ Privacy Act 2020, we collect and process personal information based on the following grounds:

  • Contract performance: Processing Business Subscriber data is necessary to provide the services you have subscribed to.
  • Legitimate interest: We use anonymised and aggregated data to improve our platform, monitor security, and understand usage patterns.
  • Consent: Where we send marketing communications about Lumi (such as product updates or new features), we do so with your consent. You can opt out at any time.
  • On behalf of businesses: We process End Customer data as a data processor acting on behalf of Business Subscribers, who are responsible for ensuring they have the appropriate legal basis to collect and use that data.

5. Data Sharing

We share personal information only with trusted third-party service providers who help us operate the platform. We share only the minimum data necessary for each provider to perform their function.

  • Stripe, PayPal, Square — for processing payments securely
  • TNZ (The New Zealand SMS Provider) — for delivering text message notifications on behalf of businesses
  • Resend — for delivering transactional and notification emails
  • Xero — for accounting integration, only when connected and authorised by the Business Subscriber
  • Mailchimp — for marketing email integration, only when connected and authorised by the Business Subscriber
  • Clerk — for secure user authentication and login
  • Sentry — for error tracking and platform stability monitoring (limited to technical data, not customer personal information)

We do not sell, rent, or trade personal information to any third party.

6. Data Processing on Behalf of Businesses

Lumi acts as a data processor when handling End Customer data. The Business Subscriber is the data controllerand determines the purposes and means of processing their customers' personal information.

This means:

  • The Business Subscriber is responsible for obtaining appropriate consent from their customers before entering their data into Lumi.
  • The Business Subscriber is responsible for informing their customers about how their data will be used, including that it will be processed through Lumi.
  • Lumi processes End Customer data only as instructed by the Business Subscriber and in accordance with this policy.
  • We do not use End Customer data for any purpose other than providing the service to the Business Subscriber.

7. Data Retention

We retain personal information according to the following schedule:

  • Active accounts: Data is retained for as long as your subscription is active and the account is in use.
  • Post-termination: After a subscription is cancelled or terminated, Business Subscribers have a 30-day window to export their data. After this period, data will be permanently deleted within 60 days.
  • SMS and email logs: Communication logs are retained for 12 months for compliance and dispute resolution purposes, after which they are automatically deleted.
  • Usage and analytics data: Anonymised usage data may be retained indefinitely for statistical purposes.

If you require earlier deletion, please contact us at hello@lumiplatform.co.nz.

8. Data Security

We take the security of your data seriously and implement appropriate technical and organisational measures, including:

  • Encryption of data in transit using TLS (Transport Layer Security)
  • Hosted on managed cloud infrastructure (Convex) with built-in security controls
  • Role-based access controls to limit data access to authorised personnel
  • Secure authentication through Clerk with support for multi-factor authentication
  • Regular review of security practices and procedures

While we take all reasonable steps to protect your information, no method of electronic transmission or storage is 100% secure. If you become aware of any security issue, please contact us immediately.

9. Your Rights Under the NZ Privacy Act 2020

If you are a Business Subscriber, you have the following rights under the New Zealand Privacy Act 2020:

  • Right of access: You can request a copy of the personal information we hold about you (Information Privacy Principle 6).
  • Right of correction: You can ask us to correct any personal information that is inaccurate or incomplete (Information Privacy Principle 7).
  • Right of deletion: You can request that we delete your personal information, subject to any legal obligations that require us to retain it.
  • Right to complain: If you believe we have breached the Privacy Act 2020, you have the right to lodge a complaint with the Office of the Privacy Commissioner.

To exercise any of these rights, contact us at hello@lumiplatform.co.nz. We will respond to your request within 20 working days, as required by the Privacy Act.

10. Rights for Customers of Businesses Using Lumi

If you are a customer of a grooming business that uses Lumi, your personal information is managed by that business. Lumi processes your data on their behalf.

To exercise your privacy rights (such as accessing, correcting, or deleting your information), please contact the grooming business directly. They are the data controller and are responsible for responding to your requests.

If you are unable to resolve a concern with the business, you may contact us at hello@lumiplatform.co.nz and we will assist where we can.

11. Cookies and Analytics

Lumi uses cookies and similar technologies to:

  • Essential cookies: Keep you signed in, remember your preferences, and ensure the platform functions correctly. These are strictly necessary and cannot be disabled.
  • Analytics (Google Analytics GA4): We use Google Analytics to understand how visitors use our marketing website. This collects anonymised data such as pages visited, session duration, and general location. No personally identifiable information is sent to Google Analytics.

We do not use advertising cookies, retargeting pixels, or any third-party tracking for advertising purposes.

12. International Data Transfers

Lumi is a New Zealand-based service, but some of our third-party providers operate infrastructure outside of New Zealand (including in the United States and other jurisdictions). This means your data may be transferred to, stored, or processed in countries outside New Zealand.

In accordance with Information Privacy Principle 12 of the Privacy Act 2020, we ensure that any overseas recipients of personal information are subject to comparable privacy protections. We use providers who maintain strong security practices and, where applicable, are certified under recognised data protection frameworks.

13. Children's Privacy

Lumi is a business management platform and is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly.

14. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will notify Business Subscribers by email before the changes take effect.

We encourage you to review this policy periodically. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

15. Contact

If you have any questions, concerns, or requests regarding this privacy policy or how we handle personal information, please contact us:

Email: hello@lumiplatform.co.nz

You may also contact the Office of the Privacy Commissioner if you have concerns about how your personal information has been handled: www.privacy.org.nz