Contact Us

API Privacy Policy

Privacy Policy for Lumination API

Effective Date: February 18, 2026

Last Updated: February 18, 2026

This Privacy Policy explains how Lumination AI Limited (“Lumination,” “we,” “us,” or “our”) processes data when you or your end users interact with the Lumination API (the “Service”). Lumination AI Limited is a company registered in England and Wales, with its registered office in London, United Kingdom.

1. Our Role as Data Processor

When you integrate the Lumination API into your application, website, or service, you (the API customer) act as the Data Controller, and Lumination acts as the Data Processor. This means:

  • You determine what data is sent to the API and for what purpose.
  • You are responsible for obtaining any necessary consent from your end users.
  • You are responsible for informing your end users about how their data is processed.
  • We process data strictly on your behalf and in accordance with your instructions.

2. Data We Process

The Lumination API may process the following types of data, depending on which features you use:

  • Text input: Questions, problems, or messages submitted by end users.
  • Images: Photographs or screenshots submitted for analysis (e.g., homework problems).
  • PDF documents: Documents submitted for text extraction and analysis.
  • Conversation history: Prior messages sent by the client application for context in follow-up interactions.

We do not collect or process:

  • End user names, email addresses, or account credentials.
  • IP addresses of end users (only the IP of the calling server is visible to our infrastructure).
  • Payment or billing information of end users.
  • Any personal data beyond what is explicitly included in the API request payload.

3. How Data Is Processed

When a request is made to the Lumination API:

  1. Your application sends data (text, images, or documents) to our servers via an encrypted HTTPS connection.
  2. Our servers forward the relevant content to Microsoft Azure OpenAI for AI processing.
  3. The AI-generated response is returned to your application.
  4. By default, no submitted data is stored after the response is returned. Processing is stateless and real-time.

4. Data Storage and Retention

Default behaviour (stateless processing): When using the API without persistence enabled, submitted data is processed in real-time and is not stored on our servers after the response is delivered. No copies of inputs or outputs are retained.

Optional storage features: Certain API features (such as knowledge base collections, document storage, or persistent sessions) allow you to opt in to data storage. When storage is enabled:

  • Data is stored on encrypted servers within the European Economic Area (EEA).
  • Data is retained for as long as you maintain the stored resource (collection, document, or session).
  • You may delete stored data at any time via the API.
  • Upon termination of your API account, all stored data is deleted within 30 days.

Logging: We may retain minimal server logs (request timestamps, API key identifiers, response status codes, and token usage counts) for operational monitoring, billing, and abuse prevention. These logs do not contain the content of requests or responses and are retained for a maximum of 90 days.

5. Sub-processors

We use the following third-party sub-processor to deliver the Service:

Sub-processorPurposeLocation
Microsoft Azure OpenAI ServiceAI model inference (text generation, image analysis)West Europe (Netherlands)

Microsoft Azure OpenAI operates under commercial licensing terms that guarantee:

  • Your data is not used to train, retrain, or improve any AI models.
  • Your data is not available to other customers or to Microsoft.
  • Prompts and completions are not stored by Azure OpenAI beyond the duration of the API call, unless you have explicitly opted in to Azure’s abuse monitoring (which we have not enabled).

6. Data Security

We implement appropriate technical and organisational measures to protect the data processed through the API, including:

  • Encryption in transit: All API communications are encrypted using TLS 1.2 or higher (HTTPS).
  • Encryption at rest: Any optionally stored data is encrypted at rest using AES-256 encryption.
  • Authentication: All API requests require a unique API key. Keys can be revoked at any time.
  • Access controls: Access to production systems is restricted to authorised personnel only.
  • Infrastructure: Our services are hosted on Microsoft Azure within the European Economic Area (EEA).

7. International Data Transfers

All data processing occurs within the European Economic Area (EEA), specifically in the Azure West Europe region (Netherlands). We do not transfer data outside the EEA for processing purposes.

If you are accessing the API from outside the EEA, please be aware that your data will be transmitted to and processed in the EEA. By using the API, you consent to this transfer.

8. Your Rights and Obligations as Data Controller

As the Data Controller, you are responsible for:

  • Having a lawful basis for processing personal data through the API.
  • Providing appropriate privacy notices to your end users.
  • Responding to data subject access requests (DSARs) from your end users.

We will assist you in fulfilling your obligations under applicable data protection laws, including the UK GDPR and the EU General Data Protection Regulation. To exercise any data-related requests, please contact us at the address below.

9. Children’s Privacy

The Lumination API is a business-to-business service and is not directed at children. However, we recognise that our API customers may build educational products used by minors. If your application is used by children under the age of 16, you are responsible for ensuring compliance with applicable child data protection laws (including COPPA and UK Age Appropriate Design Code) and for obtaining any required parental consent.

We do not knowingly collect personal data from children through the API. Since we act as a Data Processor and do not store request content by default, no personal data of children is retained.

10. Data Processing Agreement

If you require a formal Data Processing Agreement (DPA) for compliance with GDPR or other data protection regulations, please contact us at the email address below. We are happy to enter into a DPA with API customers upon request.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify API customers of material changes by email or through our API documentation. The “Last Updated” date at the top of this page indicates when the policy was last revised.

12. Contact Us

If you have any questions about this Privacy Policy or our data processing practices, please contact us: