1. Introduction
Lumobot LLC ("Lumobot," "we," "us," or "our") operates the Lumobot platform at lumobot.io and associated services. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform, whether as a business customer ("Customer") or as a visitor interacting with a Lumobot-powered chatbot on a Customer's website ("Visitor").
By using our services, you consent to the practices described in this policy. If you do not agree, please discontinue use of the platform.
2. Information We Collect
2.1 Information from Customers
When you create an account and configure your chatbot, we collect:
- Account information: Full name, email address, password (hashed), and business name
- Business information: Practice name, address, phone number, website URL, office hours, services offered, and insurance accepted
- Billing information: Payment details are processed and stored by Stripe — we do not store credit card numbers
- Configuration data: Chatbot settings, greeting messages, custom FAQs, branding preferences, and integration credentials
- Team member information: Names and email addresses of team members you invite
2.2 Information from Visitors
When a visitor interacts with a Lumobot chatbot, we may collect:
- Contact information: Name, email, and phone number — only if voluntarily provided by the visitor
- Conversation content: Messages exchanged between the visitor and the AI chatbot
- Service interest: What service or appointment type the visitor is interested in
- Technical data: Page URL where the chat occurred, browser type, device type, IP address (for rate limiting only), and an anonymous visitor identifier stored in the browser
2.3 Automatically Collected Information
- Usage data: Pages visited on lumobot.io, feature usage within the dashboard, and interaction patterns
- Log data: Server logs including IP addresses, request timestamps, and error reports
- Analytics: Aggregated, anonymized usage statistics via Google Analytics (GA4)
3. How We Use Your Information
We use collected information for the following purposes:
- Providing the service: Operating the chatbot, processing conversations through AI, capturing leads, and delivering notifications
- AI processing: Sending conversation messages to our AI provider (Anthropic) to generate chatbot responses. Anthropic does not use this data for model training
- Communications: Sending transactional emails (contact alerts when website visitors share their info, billing confirmations, account updates), product updates, and support responses
- Analytics and improvement: Understanding how the platform is used to improve features and performance
- Security: Detecting and preventing fraud, abuse, and unauthorized access. Maintaining audit logs of data access
- Legal compliance: Complying with applicable laws, regulations, and legal processes
4. How We Share Your Information
We do not sell, rent, or trade your personal information. We share data only in the following circumstances:
- Service providers: We share data with third-party providers that help us operate the platform (see Section 7). Each provider only receives the minimum data necessary for their function
- Customer access: Business Customers can access conversations and lead data collected through their chatbot. Visitors should be aware that the business whose website they are chatting on will see their messages and contact information
- Legal requirements: We may disclose information if required by law, subpoena, court order, or governmental request
- Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction. We will notify affected users before data is subject to a different privacy policy
- With your consent: We may share information for other purposes when you provide explicit consent
SMS data exclusion: All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
5. Data Security
We implement robust technical and organizational safeguards to protect your data:
- Encryption in transit: All data transmitted over HTTPS with TLS 1.2 or higher
- Encryption at rest: Database encrypted with AES-256 via Supabase
- Application-layer encryption: Sensitive credentials (API keys, OAuth tokens) encrypted with AES-256-GCM
- Access controls: Row-Level Security (RLS) ensuring each business can only access their own data
- Role-based permissions: Team members assigned Owner, Admin, or Viewer roles
- Audit logging: Immutable logs recording all access to conversations, leads, exports, and authentication events
- PHI-free notifications: Email and SMS notifications contain no visitor personal data — only secure dashboard links
- Secure authentication: Passwords hashed with bcrypt, sessions managed with cryptographically signed JWT tokens
While we implement industry-standard security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the best of our ability.
6. Chatbot Conversations & AI
Conversations between Visitors and Lumobot chatbots are processed through Anthropic's Claude AI. Important details:
- Conversation data is sent to Anthropic solely to generate AI responses
- Anthropic does not use customer conversation data to train their models
- Conversations are stored in our database and accessible only to the business Customer who owns the chatbot
- We do not use one Customer's data to train or improve another Customer's chatbot
- The AI is instructed not to collect or discuss health information, diagnoses, or medical history
- AI responses may occasionally be inaccurate — Customers are responsible for reviewing chatbot behavior
6a. SMS Communications
When you provide your phone number through our website, chatbot, /trydemo, or in your account dashboard's notification settings, you consent to receive SMS messages from Lumobot. Message types include: new chatbot conversation alerts on your account, account and billing notifications, verification codes for account setup, demo and appointment confirmation messages, and replies to inquiries you submitted via our chat assistant. Message frequency varies; typical frequency is 1–5 messages per active business day per Lumobot account, or per inquiry for prospective customers. Message and data rates may apply.
You may opt out at any time by replying STOP to any message. For help, reply HELP. We do not share phone numbers with third parties for marketing purposes. Phone numbers collected through our chatbot are used solely for the purposes of responding to the inquiry, providing the requested demo, and follow-up communications related to that inquiry.
Mobile carriers are not liable for delayed or undelivered messages.
For questions about SMS communications, contact mike@lumobot.io.
7. Third-Party Service Providers
We use the following third-party services to operate the platform:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database & authentication | All account and conversation data |
| Anthropic | AI language model | Conversation messages (for generating responses) |
| Vercel | Application hosting | Application logs, request data |
| Stripe | Payment processing | Billing information (PCI DSS Level 1) |
| Resend | Email delivery | Recipient email addresses (no visitor data in body) |
| Telnyx | SMS delivery on toll-free + hosted numbers | Recipient phone numbers (no visitor data in body) |
| Google Analytics | Website analytics | Anonymized usage data, no personal information |
| Google Calendar API | Optional booking integration (Customer-initiated) | Calendar event titles, times, and attendees the Customer's chatbot creates on their behalf. Only when the Customer explicitly connects their Google account in Settings → Integrations. |
| Sentry | Error monitoring | Error reports (sensitive data scrubbed) |
Each provider is contractually obligated to protect your data and only use it for the purposes described above.
7a. Google API Services User Data Policy
Lumobot's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
When a Customer chooses to connect their Google account in Settings → Integrations, Lumobot requests a single, narrow OAuth scope:
https://www.googleapis.com/auth/calendar.events — read and write calendar events on the Customer's behalf
We do not request access to Gmail, Drive, Contacts, Calendar settings, or any other Google service.
What we do with Calendar data:
- Read events: to check the Customer's availability before the chatbot offers an appointment slot to a visitor (prevents double-booking)
- Create events: when a visitor confirms an appointment through the chatbot, we create a calendar event on the Customer's connected calendar with the visitor's name, contact, and requested service
- Update / delete events: only events Lumobot itself created — the Customer can ask the chatbot to reschedule or cancel an appointment, and we modify the corresponding event we previously created
What we do NOT do:
- We do not read events created by the Customer or anyone else outside Lumobot
- We do not transfer Calendar data to any third party
- We do not use Calendar data to train machine learning models
- We do not show ads based on Calendar data (we run no ad network)
- We do not allow humans to read Calendar data except (a) with the Customer's explicit consent, (b) for security/abuse investigations, or (c) to comply with legal process
Storage and retention:
- OAuth refresh and access tokens are stored encrypted at rest in our database, scoped to the Customer's organization
- Tokens are retained until the Customer disconnects the integration (Settings → Integrations → Disconnect) or deletes their account
- We do not cache or duplicate Calendar event content — every chatbot interaction queries the Calendar API live
How to revoke:
- From inside Lumobot: Settings → Integrations → Disconnect Google Calendar. We immediately delete the stored tokens.
- From your Google account: visit myaccount.google.com/permissions and revoke access to Lumobot. Google immediately invalidates our tokens, and we automatically remove the broken connection on next use.
8. Cookies & Tracking
- Authentication cookies: Used to maintain your login session on lumobot.io. Strictly necessary for the service to function
- Visitor identifier: The chatbot widget stores an anonymous identifier in localStorage to maintain conversation continuity. This is not a tracking cookie and contains no personal information
- Analytics cookies: Google Analytics may set cookies for anonymized usage tracking on lumobot.io. These are not used on Customer websites
- We do not use advertising cookies or sell data to advertisers
9. Data Retention
- Account data: Retained for the duration of your subscription. Deleted within 90 days of account closure
- Conversation data: Retained for the duration of your subscription. You can export your data at any time from the dashboard
- Audit logs: Retained for a minimum of 6 years for compliance purposes
- Billing records: Retained as required by tax and financial regulations
- Deleted accounts: When you delete your account, all associated data (conversations, leads, configurations, team members) is permanently deleted. Audit logs are retained per the retention period above
10. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your personal data (you can also delete your account directly from Settings → Account)
- Export: Download your conversation and lead data as CSV from the dashboard
- Objection: Object to processing of your personal data for certain purposes
- Restriction: Request restriction of processing in certain circumstances
To exercise any of these rights, contact us at privacy@lumobot.io. We will respond within 30 days.
11. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the CCPA:
- The right to know what personal information we collect, use, and disclose
- The right to request deletion of your personal information
- The right to opt out of the sale of personal information — we do not sell personal information
- The right to non-discrimination for exercising your privacy rights
12. Health Information
Lumobot is designed as a scheduling and lead capture tool, not a health intake platform. Our chatbot is instructed not to ask about or collect symptoms, diagnoses, medical history, or other Protected Health Information (PHI). If a visitor voluntarily shares health details, the chatbot will acknowledge briefly and redirect them to the business's team directly. For more information, see our Compliance page.
13. Children's Privacy
Lumobot is not directed at individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete it promptly. If you believe we have collected information from a child under 13, please contact us at privacy@lumobot.io.
14. International Data Transfers
Our services are hosted in the United States. If you access our services from outside the United States, your information will be transferred to and processed in the United States. By using our services, you consent to this transfer.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also notify you by email. Your continued use of the platform after changes constitutes acceptance of the updated policy.
16. Contact Us
For privacy-related questions, data requests, or concerns: