Privacy Policy

Last updated: May 2026

1. Who we are

Lumenii is a trading name of ForrTech Ltd, registered in England and Wales (company number: pending registration). Our registered office is at London, UK. References to "Lumenii", "we", "us", or "our" in this policy refer to ForrTech Ltd trading as Lumenii.

We can be contacted at: tom@lumenii.io

2. What this policy covers

This Privacy Policy explains how we collect, use, store, and protect personal data when you use the Lumenii platform at lumenii.io, and when you connect your Microsoft 365 or Google Workspace tenant to our service.

This policy applies to:

  • Visitors to lumenii.io
  • Customers and trial users of the Lumenii platform
  • Employees of organisations whose workspaces are connected to Lumenii

3. What data we collect and why

3a. Data you provide to us directly

When you sign up, contact us, or subscribe, we collect: your name, email address, company name, and billing information. We use this to provide the service, process payments, and communicate with you about your account. The legal basis is performance of a contract (UK GDPR Article 6(1)(b)).

3b. Data from Microsoft 365 and Google Workspace connections

When you connect your Microsoft 365 or Google Workspace tenant, Lumenii reads the following data via read-only API access:

  • Names and email addresses of employees in your organisation
  • Third-party applications that have been granted OAuth access to work accounts
  • The permissions (OAuth scopes) those applications have been granted
  • Sign-in activity logs showing which applications were accessed and when
  • For Microsoft Intune-managed devices: names of applications installed on managed devices

We do not read: email content, document content, calendar entries, messages, files, or any personal communications.

The legal basis for this processing is performance of a contract (UK GDPR Article 6(1)(b)) — this data is necessary to provide the AI governance monitoring service you have contracted us to provide.

3c. Data we collect automatically

When you visit lumenii.io, we collect standard server logs including IP addresses, browser type, pages visited, and timestamps. We use this for security monitoring and to improve the service. The legal basis is legitimate interests (UK GDPR Article 6(1)(f)).

4. How long we keep your data

Account data is retained for the duration of your subscription and for 12 months after cancellation, to allow for reactivation and to comply with our legal obligations.

Workspace scan data (the list of AI tools detected in your organisation) is retained for 90 days of rolling history. Older scan data is automatically deleted.

Server log data is retained for 30 days.

5. Who we share data with

We use the following sub-processors who may process personal data on our behalf:

  • Supabase (database hosting) — data stored on EU/UK servers
  • Vercel (website hosting) — servers located in the EU
  • Stripe (payment processing) — for billing and subscription management
  • Microsoft Azure and Google Cloud — for OAuth authentication only

We do not sell personal data to third parties. We do not share personal data with any party other than those listed above without your explicit consent, except where required by law.

6. International data transfers

All personal data is processed and stored within the United Kingdom and European Economic Area. Where any sub-processor operates outside the UK/EEA, we ensure appropriate safeguards are in place under UK GDPR Chapter V, including Standard Contractual Clauses where applicable.

7. Your rights

Under UK GDPR you have the right to: access your personal data, correct inaccurate data, request deletion of your data, object to processing, request restriction of processing, and data portability. To exercise any of these rights, contact tom@lumenii.io. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Security

All data in transit is encrypted using TLS 1.3. All data at rest is encrypted using AES-256. Access to production systems is restricted to authorised personnel only. We conduct regular security reviews of our infrastructure.

9. Cookies

Lumenii uses essential cookies for authentication and session management. These are strictly necessary for the service to function and cannot be disabled. We do not use advertising cookies or third-party tracking cookies.

10. Children

Lumenii is a business-to-business service intended for use by organisations and their employees. We do not knowingly collect personal data from individuals under the age of 18.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified to registered users by email at least 14 days before they take effect. The date at the top of this page always reflects when the policy was last updated.

12. Contact

For any privacy-related questions:

tom@lumenii.io

ForrTech Ltd t/a Lumenii

London, UK

Lumenii is a trading name of ForrTech Ltd. Registered in England and Wales.