Lumi.

Privacy policy.

Last updated: 17 April 2026

This Privacy Policy (the “Policy”) explains what personal data the Lumi service (the “Service”) collects on the website lumi.estate and, when launched, in the mobile application, how we use it, on what legal basis, and what rights you have. It is written to comply with applicable data protection laws in the European Economic Area, the United Kingdom and in the Latin American jurisdictions where the Service is offered.

Not legal advice. This Policy is a plain-language template. It is binding on us, but it is not a legal opinion for you. If you need legal advice, consult a qualified lawyer in your jurisdiction.

1. Who we are (controller)

The data controller of your personal data is:

  • Nikita Titov, acting as a private individual (sole operator of the Service);
  • Contact e-mail: hello@lumi.estate;
  • Trading name of the Service: Lumi (an AI calendar & CRM mobile app for real-estate agents).

The Service is currently operated by the controller in an individual capacity; there is no corporate legal entity yet. Should a company be incorporated, this Policy will be updated and waitlist subscribers will be notified.

2. What personal data we collect

We keep collection to the minimum necessary. On this website we collect:

  • Waitlist data you submit: e-mail address, and optionally a name, role, country and a short free-text note.
  • Technical data automatically generated when you request pages: IP address (temporarily, for rate-limiting and security), HTTP user-agent, referrer and approximate timestamp.
  • Cookie & analytics data as described in our Cookie Policy. We aim to use cookie-less, privacy-first analytics.

In the future mobile application, additional categories will be processed (calendar events, voice input transcripts, contact/CRM entries you enter). Those will be covered by an in-app privacy notice before the app is launched.

3. Why we process it (purposes & legal basis)

  • Run the waitlist and contact you when the product is ready. Legal basis: your consent (GDPR art. 6(1)(a); LGPD art. 7(I); LFPDPPP art. 8; Ley 25.326 art. 5) given when you submit the form.
  • Prevent abuse of the form and keep the site secure. Legal basis: legitimate interest (GDPR art. 6(1)(f); LGPD art. 7(IX)).
  • Comply with our legal obligations (for example, respond to valid requests from supervisory authorities). Legal basis: legal obligation (GDPR art. 6(1)(c); LGPD art. 7(II)).
  • Aggregated, non-identifying analytics to understand which pages are useful. Legal basis: legitimate interest, or consent where required (see Cookie Policy).

We will not use your data for automated decision-making with legal or similarly significant effects, and we will not sell your data.

4. How long we keep it

  • Waitlist entries: until you ask us to delete them, or for a maximum of 24 months from your last interaction.
  • Security/rate-limit logs containing IP: up to 30 days.
  • Aggregated analytics: indefinitely, but in a form that cannot identify you.

5. Who we share it with

We use a small number of carefully selected processors:

  • Hosting / CDN: Vercel Inc. (USA), with EU edge regions.
  • Domain registrar: Dynadot LLC (USA).
  • Transactional e-mail (when launched): Resend (USA/EU).
  • Database (when launched): Supabase, EU (Frankfurt) region.

Each processor is bound by a Data Processing Agreement (where required) and by Standard Contractual Clauses for international transfers outside the EEA / UK. We do not sell or rent personal data to third parties and we do not disclose it to public authorities unless legally compelled to do so.

6. International transfers

Your data may be processed in the European Union, in the United States and in other countries where our service providers operate. When data leaves the EEA / UK we rely on: (a) adequacy decisions of the European Commission where available, or (b) Standard Contractual Clauses (2021) combined with supplementary technical and contractual measures (encryption in transit and at rest, access controls, audit logs).

For transfers out of Brazil we rely on the mechanisms set out in LGPD arts. 33–36; out of Mexico — arts. 36–37 LFPDPPP; out of Argentina — Disposition 60-E/2016 of the AAIP.

7. Your rights

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you and obtain a copy.
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”) where the legal grounds no longer apply.
  • Restrict or object to processing based on legitimate interest.
  • Portability — receive your data in a structured, machine-readable format.
  • Withdraw consent at any time, with no effect on processing carried out before withdrawal.
  • Lodge a complaint with your supervisory authority.
  • Under LGPD: right to information about public and private entities we shared your data with, and to review automated decisions.
  • Under LFPDPPP: so-called ARCO rights (Access, Rectification, Cancellation, Opposition) and revocation of consent.
  • Under Ley 25.326: right to update, rectify and suppress data; to be informed of the purpose of processing.

To exercise any of these rights, e-mail hello@lumi.estate. We will respond within 30 calendar days (15 business days under LGPD for requests concerning data confirmation and access).

8. Supervisory authorities

If you believe we are processing your data unlawfully, you may contact:

  • EU / EEA: the data protection authority of your country of residence (list: edpb.europa.eu).
  • United Kingdom: Information Commissioner’s Office (ico.org.uk).
  • Brazil: Autoridade Nacional de Proteção de Dados (ANPD).
  • Mexico: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI).
  • Argentina: Agencia de Acceso a la Información Pública (AAIP).
  • Chile: Consejo para la Transparencia (until the new Personal Data Protection Agency is in operation).
  • Colombia: Superintendencia de Industria y Comercio (SIC).

9. Children

The Service is not directed to children. We do not knowingly collect personal data from children under 16 (EU), under 13 (UK/US), or under 18 where the local definition of a child is broader. If you believe a child has submitted data, contact us and we will delete it.

10. Security

We apply reasonable technical and organisational measures (encryption in transit via TLS 1.2+, principle of least privilege, regular patching, incident logging). No system is perfectly secure: if we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the competent supervisory authority within 72 hours and, if the risk is high, notify you directly.

11. Changes to this Policy

If we change this Policy in a way that materially affects you, we will e-mail everyone on the waitlist at least 15 days before the change takes effect and update the “last updated” date at the top of this page.

12. Contact

Nikita Titov — hello@lumi.estate.