Privacy Policy

Effective: 4 March 2026 · Last updated: 6 March 2026 · Applies to panluma.ai & all apps

1. Who We Are

PanLuma Inc (a Delaware company, “PanLuma”, “we”, “our”, “us”) operates panluma.ai, an AI-native business suite designed for small and medium-sized businesses. Our platform provides modules for task management, CRM, accounting, recruiting, AI agents, support ticketing, website hosting, and shipping — the full company in a box.

PanLuma acts as the data controller for information you provide directly to us when creating an account or using our services. Where you upload your customers’ or suppliers’ data to the platform, PanLuma acts as a data processor on your behalf, and your own privacy obligations apply to that data.

2. Scope & Platforms

This Privacy Policy applies to all versions and distribution channels of PanLuma: iOS App, Android App, Desktop App, and Web (panluma.ai).

This policy also covers our marketing website, email communications, and any integrations or APIs provided by PanLuma. It does not cover third-party services you choose to connect to PanLuma — those services have their own privacy policies.

Free Plan Users: This policy applies equally to users on our free tier. Providing a free service does not mean selling your data. We do not monetize your personal data through advertising or data brokerage.

3. Information We Collect

A. Account & Profile Information

  • Name, email address, and password (hashed)
  • Business name, address, and phone number
  • Job title and profile photo (optional)
  • Billing information (processed by our payment provider; we store only a payment token and last-four digits)

B. Business Data You Enter

PanLuma stores the data you and your team enter across modules — customers, contacts, invoices, tasks, job postings, support tickets, and so on. This is your data. We process it only to provide the service to you.

C. Usage & Technical Data

  • Log data: IP address, browser type, pages visited, timestamps
  • Device identifiers (mobile: advertising ID, can be reset at any time)
  • App version, operating system, and crash reports
  • Feature usage telemetry (anonymised aggregates used to improve the product)

D. Communications

  • Support tickets and chat messages you send us
  • Survey responses and community feedback
  • Email correspondence with our team

E. Information from Third Parties

  • If you sign in with Google or a third-party SSO provider, we receive basic profile information (name, email, avatar) from that provider
  • Payment processors confirm transaction status
  • Integrations you authorise (e.g. accounting software, shipping carriers) may exchange data with PanLuma at your direction

4. How We Use Information

Core Service Delivery

  • Authenticate users and maintain account security
  • Operate, maintain, and improve all platform modules
  • Process and fulfil transactions (billing, invoicing)
  • Power AI agents and automations you configure
  • Enable network effects between connected customer and supplier businesses on the platform

Communication

  • Send transactional emails (receipts, password resets, security alerts)
  • Provide customer support and respond to enquiries
  • Notify you of product updates and new features (opt-out available)

Product Improvement

  • Analyse aggregated, anonymised usage patterns to prioritise features
  • Debug errors and improve reliability
  • Train and improve our AI models — using only anonymised or synthetic data; your identifiable business data is never used for AI training without your explicit consent
  • Comply with applicable laws and regulatory requirements
  • Detect, investigate, and prevent fraud, abuse, and security incidents
  • Enforce our Terms of Service

No Advertising: We do not use your data for behavioural advertising, and we do not sell or rent your personal information to third-party marketers — on any plan, free or paid.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal bases for processing your personal data are:

  • Contract performance — processing needed to provide the PanLuma service you have signed up for
  • Legitimate interests — security, fraud prevention, and product improvement, balanced against your interests and rights
  • Legal obligation — compliance with applicable laws (e.g. tax records, regulatory requirements)
  • Consent — where we explicitly ask for it (e.g. optional marketing emails, optional AI-training participation). You may withdraw consent at any time without affecting prior processing

For international data transfers from the EEA or UK, we rely on Standard Contractual Clauses (SCCs) or an adequacy decision where applicable. See Section 6A for more detail.

6. Sharing & Disclosure

PanLuma does not sell your personal data. We share information only in these circumstances:

Service Providers

We engage trusted sub-processors under data processing agreements that restrict them to processing data only on our behalf and only for the purposes we specify. Our current categories of sub-processors include:

  • Cloud infrastructure & hosting: Amazon Web Services (US)
  • Payment processing: Stripe (US)
  • Email delivery: SendGrid / Twilio (US)
  • AI model providers: Anthropic (US) — used to power AI features you interact with; your data is not used by these providers for model training
  • Analytics: Plausible Analytics (EU) — privacy-first, cookieless, no personal data collected
  • Error monitoring & observability: AWS CloudWatch (US)
  • Domain & CDN: Amazon CloudFront (global edge locations)

A full list of sub-processors with their locations is available on request by emailing privacy@panluma.ai. We will notify you of material changes to our sub-processor list at least 30 days in advance.

Network Partners (Platform Feature)

PanLuma’s network model allows connected businesses (e.g. a supplier you invite) to exchange relevant transactional data. You control which businesses you connect with and what data is shared. We will always make it clear when a feature involves sharing your data with another business on the platform.

We may disclose your information if required by law, court order, or a regulatory body with jurisdiction over PanLuma, or if we reasonably believe disclosure is necessary to protect the rights, property, or safety of PanLuma, our users, or the public.

Business Transfers

If PanLuma is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the platform before your data is subject to a different privacy policy.

We share information with third parties when you explicitly direct us to do so, such as authorising an integration with a third-party application.

6A. International Data Transfers

PanLuma is based in the United States. Our primary infrastructure is hosted on Amazon Web Services in the US. If you access PanLuma from the EEA, UK, Switzerland, or another jurisdiction with data transfer restrictions, your personal data will be transferred to and processed in the United States.

We protect international transfers using the following safeguards:

  • Standard Contractual Clauses (SCCs): We enter into EU-approved SCCs with sub-processors located outside the EEA/UK that do not benefit from an adequacy decision
  • Data Processing Agreements: All sub-processors are bound by DPAs that include obligations equivalent to those in this policy
  • Technical safeguards: Encryption in transit and at rest, access controls, and audit logging apply regardless of where data is processed
  • Transfer Impact Assessments: We assess the legal framework of each sub-processor’s country to ensure your data receives adequate protection

You may request a copy of the SCCs or DPAs we have in place by contacting privacy@panluma.ai.

7. Data Retention

Data Category | Retention Period
Account & profile data | For the life of your account, plus 90 days after deletion request
Business data you enter (contacts, invoices, tickets, etc.) | For the life of your account, plus 90 days after deletion request
Financial & tax records | 7 years after creation, as required by applicable tax law
Server logs (IP, request metadata) | 90 days
Support correspondence | For the life of your account, plus 1 year after account deletion for service improvement
Marketing consent records | 3 years after last interaction or consent withdrawal
Encrypted backups | Up to 90 days after data is deleted from live systems
Anonymised analytics | Retained indefinitely (cannot be linked back to you)

  • After deletion: When you delete your account, we permanently delete your personal data within 90 days, except where we are required to retain it by law (see table above)
  • Backups: Data may persist in encrypted backups for up to 90 days after the deletion deadline before being purged from backup systems

Export Before You Leave: You can export all your business data in standard formats (CSV, JSON) from your account settings at any time — before or after requesting deletion.

8. Your Rights & Choices

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Ask us to correct inaccurate or incomplete data
  • Deletion: Request erasure of your personal data (“right to be forgotten”), subject to legal retention requirements
  • Portability: Receive your data in a structured, machine-readable format
  • Restriction: Ask us to restrict processing of your data in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at privacy@panluma.ai. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before acting on your request.

If you are in the EEA or UK and believe we have not handled your data lawfully, you have the right to lodge a complaint with your local data protection authority.

Mobile App Permissions

  • Camera & Photos: Used only when you choose to upload images (e.g. receipts, profile photos). Never accessed in the background.
  • Contacts: Accessed only if you explicitly choose to import contacts into PanLuma’s CRM. Not synced automatically.
  • Notifications: Used for task reminders and alerts. You can disable in device settings at any time.
  • Location: Not requested or used by PanLuma.

You can manage all app permissions in your device’s Settings app at any time.

Marketing Communications

You can unsubscribe from marketing emails at any time using the unsubscribe link in any email, or by updating your preferences in account settings. Transactional emails (receipts, security alerts) cannot be opted out of while your account is active.

9. Cookies & Tracking

Our web application uses cookies and similar technologies. The mobile and desktop apps use equivalent local storage mechanisms rather than browser cookies.

Essential

Required for the service to function. These include session authentication tokens and security cookies. They cannot be disabled without breaking the service.

Functional

Remember your preferences (language, timezone, interface settings). Disabling these means you will need to re-enter preferences each session.

Analytics

Aggregate, anonymised data about how features are used. We use privacy-respecting analytics tools configured to anonymise IP addresses and avoid cross-site tracking. You can opt out via your account privacy settings.

What We Don’t Use

  • Third-party advertising cookies or tracking pixels
  • Social media tracking pixels
  • Cross-site behavioural tracking

10. Security

We take security seriously and implement industry-standard measures to protect your information:

  • Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Password storage using strong adaptive hashing (bcrypt/Argon2)
  • Role-based access control within the platform and internally
  • Regular security reviews and vulnerability assessments
  • Incident response procedures with breach notification as required by applicable law (including within 72 hours to the relevant supervisory authority under GDPR where applicable, and to affected users without undue delay)

Report a Vulnerability: If you discover a security issue, please report it responsibly to security@panluma.ai. We appreciate responsible disclosure and will investigate all reports promptly.

No system is completely secure. While we work hard to protect your data, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a high risk to your rights, we will notify you promptly and take all steps required by applicable law.

11. Children

PanLuma is a business software platform intended for use by individuals who are at least 16 years of age (or older where required by applicable law). We do not knowingly collect personal data from children under 16.

If you believe a child under 16 has provided us with personal information without appropriate consent, please contact us at privacy@panluma.ai and we will take steps to delete that information promptly.

12. Changes & Contact

Policy Updates

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page
  • Display an in-app notification for at least 14 days
  • Send an email to the primary account email address for significant changes

Your continued use of PanLuma after changes take effect constitutes your acceptance of the updated policy. If you do not agree, you may close your account at any time.

Data Protection Contact

For any privacy-related questions, requests, or concerns, please reach out to our Data Protection Lead:

  • Email: privacy@panluma.ai
  • Post: PanLuma Inc, Attn: Data Protection Lead, 1209 Orange Street, Wilmington, DE 19801, USA
  • Website: panluma.ai
  • Response time: within 30 calendar days

If you are located in the EEA or UK and PanLuma is required to appoint a representative under Article 27 GDPR or UK GDPR, details of our appointed representative will be published here and made available on request.