Lumina Workforce, Inc. is committed to protecting your privacy. This policy explains what data we collect, how we use it, and the choices you have. If you have questions, contact us at privacy@luminaworkforce.com.
1. Who We Are
Lumina Workforce, Inc. (“Lumina Workforce,” “we,” “us,” or “our”) operates the Lumina Workforce platform — a cloud-based workforce management solution. Our principal place of business is in the United States.
In the context of data protection law, Lumina Workforce acts as a data processor on behalf of our business customers (who are the data controllers for their employees' personal data) and as a data controller for information we collect for our own business purposes, such as account management and marketing.
2. Information We Collect
We collect information in the following categories:
Account and Contact Information
When you register, we collect your name, email address, organization name, billing address, and payment information (processed and stored by Stripe, Inc. — we do not store full payment card details).
Employee Profile Data
Business customers provide us with employee names, email addresses, job titles, employee IDs, and worksite assignments. This data is entered by account administrators and used to operate the platform.
Attendance and Time Data
The Service records clock-in and clock-out events, including timestamps, device identifiers, and GPS coordinates at the time of each event. This data is captured at the direction of the business customer and is used to generate timecards and attendance records.
Device and Technical Data
We collect information about the devices used to access the Service, including IP address, browser type and version, operating system, device model, mobile network carrier, and diagnostic data. This information is used to maintain Service security and performance.
Usage Data
We collect data about how you interact with the Service, including pages visited, features used, clicks, session duration, and error reports. This data is used in aggregate to improve the Service.
Communications
If you contact our support team or send us email, we retain the contents of that communication to assist you and improve our services.
3. How We Use Information
We use the information we collect to:
- Provision, operate, maintain, and improve the Service
- Process subscription payments and manage billing
- Authenticate users and prevent unauthorized access
- Generate attendance records, timecards, and workforce analytics on behalf of business customers
- Send transactional communications, including account confirmations, invoices, and security alerts
- Provide customer support and respond to inquiries
- Detect and investigate fraud, abuse, or violations of our Terms of Service
- Comply with legal obligations and regulatory requirements
- Send product updates, feature announcements, and marketing communications to account administrators (you may opt out at any time)
- Conduct internal research and analytics to improve our product
We process personal data only on a lawful basis. Depending on your jurisdiction and the nature of the processing, our legal basis may include performance of a contract, legitimate interests, compliance with legal obligations, or your consent.
4. Sharing Your Information
We do not sell your personal data. We share information only in the following circumstances:
Service Providers
We share information with trusted third-party service providers who assist us in operating the Service, including:
- Supabase, Inc. — cloud database and authentication infrastructure
- Stripe, Inc. — payment processing
- Amazon Web Services — cloud infrastructure and data storage
- Resend / SendGrid — transactional email delivery
- Sentry — error monitoring and application diagnostics
- Vercel, Inc. — application hosting and delivery
These providers are contractually obligated to use your data only to perform services on our behalf and to maintain appropriate security standards.
Business Customers
Employee data entered into the Service by a business customer's administrator is accessible to that customer's managers and administrators. We provide this data to the business customer on whose behalf we are processing it.
Legal Requirements
We may disclose information if we are legally required to do so, such as in response to a court order, subpoena, or government investigation. Where permitted by law, we will attempt to notify you before disclosing your information.
Business Transfers
If Lumina Workforce is acquired, merges with another company, or transfers substantially all of its assets, your information may be transferred as part of that transaction. We will notify you in advance and your data will remain protected under this Privacy Policy or a successor policy.
With Your Consent
We may share information with third parties when you have explicitly consented to such sharing.
5. GPS and Location Data
The Lumina Workforce mobile application captures GPS coordinates when an employee initiates a clock-in or clock-out event. Location data is collected only at the moment of the clock event — not continuously or in the background between events.
GPS coordinates are used to verify that the employee is within the designated geofence radius of their assigned worksite. Captured coordinates are stored in the attendance record and accessible to the business customer's managers and administrators.
Business customers are solely responsible for disclosing to their employees that GPS coordinates are captured during clock events, and for complying with all applicable labor laws, employment agreements, and privacy regulations governing location data collection in the relevant jurisdictions.
Employees may decline to grant location permissions on their device, in which case clock events may be flagged for manual review depending on the business customer's configuration.
6. Data Retention
We retain personal data for as long as necessary to provide the Service and comply with our legal obligations:
- Active account data is retained for the duration of the subscription
- Attendance records and timecard history are retained for 7 years from the date of creation to support audit and compliance requirements
- Billing records are retained for 7 years to comply with financial record-keeping obligations
- Account data for terminated accounts is retained for 30 days post-termination to allow data export, then deleted
- Anonymized and aggregated usage analytics may be retained indefinitely
- Backup copies may persist for up to 90 days after deletion
You may request deletion of your data at any time. See “Your Privacy Rights” below for how to make such a request.
7. Data Security
We implement industry-standard technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. Our security practices include:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256
- Role-based access controls limiting employee access to data on a need-to-know basis
- Row-level security enforced at the database layer
- Multi-factor authentication support for account administrators
- Regular security assessments and penetration testing
- Incident response procedures with notification obligations to affected customers
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. In the event of a data breach that affects your personal data, we will notify you as required by applicable law.
8. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal data:
For All Users
- Right to Access — request a copy of the personal data we hold about you
- Right to Rectification — request correction of inaccurate or incomplete data
- Right to Erasure — request deletion of your personal data, subject to legal retention obligations
- Right to Data Portability — receive your data in a structured, machine-readable format
- Right to Opt Out of Marketing — unsubscribe from promotional communications at any time
For EU/EEA and UK Residents (GDPR)
- Right to Restriction of Processing — request that we limit how we use your data
- Right to Object — object to processing based on legitimate interests
- Right to withdraw consent at any time where processing is based on consent
- Right to lodge a complaint with your supervisory authority
For California Residents (CCPA/CPRA)
- Right to Know — request disclosure of categories and specific pieces of personal information collected
- Right to Delete — request deletion of personal information
- Right to Opt Out of Sale — we do not sell personal information
- Right to Non-Discrimination — exercising privacy rights will not result in denial of services
To exercise any of these rights, contact us at privacy@luminaworkforce.com. We will respond within the timeframe required by applicable law (typically 30 days). We may need to verify your identity before processing certain requests.
Note: For requests regarding employee data processed on behalf of a business customer, we will direct you to the relevant business customer as the data controller for that data.
9. International Transfers
Lumina Workforce is operated from the United States. If you access the Service from outside the United States, your data will be transferred to, stored, and processed in the United States where our servers are located and our central database is operated.
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms, as applicable. Enterprise customers subject to cross-border transfer requirements may contact us to discuss appropriate transfer mechanisms.
11. Children's Privacy
The Service is not directed to children under 16 years of age, and we do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected personal data from a child under 16, please contact us at privacy@luminaworkforce.com and we will promptly delete that data.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the “Last Updated” date at the top of this policy and, for significant changes, provide additional notice by email to account administrators or by displaying a prominent notice in the Service.
Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the revised policy. We encourage you to review this policy periodically.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- By email: privacy@luminaworkforce.com
- For data subject requests: dsar@luminaworkforce.com
- For security concerns: security@luminaworkforce.com
We will respond to all inquiries within the timeframe required by applicable law.