Privacy Policy

LUMO PLATFORM LIMITED
Last updated: March 2026

1. Who We Are

LUMO PLATFORM LIMITED (“Lumo”, “we”, “us”, “our”) is a B2B SaaS platform that helps e-commerce brands manage their TikTok Shop. We connect brands with TikTok creators through TikTok's official Shop Partner API.

LUMO PLATFORM LIMITED was incorporated in 2025 and the application is launching in April 2026.

Note: All data accessed through TikTok Shop APIs is used exclusively within the scope of the TikTok Partner Programme. No data scraping, unofficial APIs, or third-party data brokers are used.

Lumo currently processes personal data exclusively in the context of UK-based operations and does not specifically target EU residents. Should this change, we will appoint an EU representative in accordance with Article 27 GDPR.

1.1 Our Role Under Data Protection Law

Depending on how data is used, Lumo may act as either:

  • Data Controller — when processing information about platform users and creator data used to power the Lumo platform.
  • Data Processor — when processing data on behalf of brand users who use the platform to run creator campaigns.

2. Who This Policy Applies To

This Privacy Policy applies to:

  • Brand users — individuals who register for and use the Lumo platform on behalf of an e-commerce brand or organisation.
  • TikTok creators — individuals whose publicly available TikTok profile and performance data is processed through the TikTok Shop API in the context of affiliate campaign matching.
  • Visitors to our website and platform.

3. What Data We Collect and Why

3.1 Brand Users (Our Direct Customers)

When you create a Lumo account, we collect:

Data | Purpose | Legal basis
Name, email address | Account creation and authentication | Contract
Organisation name and billing address | Subscription management | Contract
TikTok Shop OAuth credentials (encrypted) | Connecting your TikTok Shop to Lumo | Contract
Payment information | Processed by Stripe — we do not store card details | Contract
Campaign activity, messages sent, CRM interactions | Providing the Lumo service | Contract
Login and usage logs | Security, fraud prevention, and debugging | Legitimate interest

3.2 TikTok Creators

We process publicly available creator data made available through TikTok's official Shop Partner and Creator Marketplace APIs. This includes:

Data | Source | Purpose
TikTok username and display name | TikTok Shop API | Creator identification
Profile bio and avatar | TikTok Shop API | Creator search and matching
Follower count, engagement rate, average video views | TikTok Shop API | Performance-based campaign matching
GMV (gross merchandise value) metrics | TikTok Shop API | Eligibility validation per TikTok rules
Category and content niche | TikTok Shop API | Relevance matching for brands

We do not collect: creator email addresses, phone numbers, payment details, private messages, or any data not publicly available through TikTok's official API.

Legal basis for processing creator data: Legitimate interest — facilitating genuine business opportunities between TikTok creators and brands through TikTok's official affiliate commerce programme. We have conducted a Legitimate Interest Assessment (LIA) and concluded that this interest is not overridden by creators' fundamental rights and freedoms.

3.3 Automated Decision-Making and Profiling (FitScore)

Lumo uses an automated scoring system called FitScore to help brands assess the suitability of TikTok creators for their affiliate campaigns. FitScore analyses publicly available creator data including follower count, engagement rate, content category, historical campaign performance, and GMV metrics.

FitScore influences outreach recommendations made to brands but does not produce decisions with legally significant or similarly significant effects on creators. Creators are not hired, rejected, or contractually bound based solely on automated output.

Brands using Lumo retain full discretion over which creators they contact. FitScore is a decision-support tool, not a decision-making one.

If you are a TikTok creator and wish to understand how your FitScore has been calculated, or to request a human review of that assessment, please contact privacy@lumoplatform.ai.

This disclosure is made in accordance with UK GDPR Articles 13 and 14.

4. How We Use Data

We use the data we collect exclusively to:

  • Provide and operate the Lumo platform for brand users.
  • Match creators to affiliate campaigns based on performance and relevance.
  • Send collaboration invitations and direct messages to creators on behalf of brands, strictly via TikTok's official API and in compliance with TikTok's messaging rules.
  • Process payments and manage subscriptions.
  • Monitor platform security, detect fraud, and maintain system integrity.
  • Comply with our legal obligations under UK GDPR and TikTok's Partner Programme requirements.

We do not: sell data to third parties, use data for advertising, share data outside the Lumo platform without a legal basis, or contact creators through any channel other than TikTok's official API.

5. Data Sharing and Third-Party Processors

We share data only with trusted sub-processors necessary to operate the platform. All sub-processors are contractually bound to process data only on our instructions and in compliance with UK GDPR.

Sub-processor | Role | Location | Certification
Vercel | Application hosting | EU (UK/Frankfurt) | SOC2 Type 2, ISO27001
Supabase | Database (PostgreSQL) | EU-West-1, London | SOC2 Type 2, ISO27001
Clerk | Authentication and user management | EU region | SOC2 Type 2, GDPR
Upstash | Caching and session management | EU-West-1, Frankfurt | SOC2 Type 2, ISO27001
Stripe | Payment processing | EU | PCI-DSS, SOC2
Resend | Transactional email delivery | EU | SOC2
Sentry | Error monitoring | EU | SOC2
Axiom | Operational logging | EU | SOC2
TikTok (via official API) | Creator retrieval and outreach | Per TikTok DPA

Personal data is stored within the UK and EU regions listed in the table above. Data may be transmitted to TikTok via their official APIs as required to provide the service, in accordance with TikTok's platform and data policies.

Where any of our service providers process data outside the United Kingdom, such transfers are protected by appropriate safeguards, including Standard Contractual Clauses approved by the UK Information Commissioner's Office.

6. Data Retention

We retain data only for as long as necessary for the purpose it was collected.

Data type | Retention period
Brand account data | 3 years after inactivity
Campaign and message history | 3 years after campaign completion
Creator performance metrics | 2 years from last data refresh
TikTok OAuth tokens | Deleted immediately upon expiry or disconnection
Audit and security logs | 2 years
Error logs | 90 days
Billing records | 7 years (UK legal requirement)

Automated deletion jobs run weekly. On contract termination, all customer data is deleted within 48 hours of a request, except for records we are legally required to keep (such as billing records).

7. Data Security

Lumo implements industry-standard security controls to protect your data:

  • Encryption at rest: AES-256 encryption on all databases (Supabase, Redis, Clerk).
  • Encryption in transit: TLS 1.3 enforced across all connections, with HSTS enabled.
  • OAuth token security: TikTok access tokens are encrypted at the application level using AES-256-GCM before storage.
  • Access control: PostgreSQL Row-Level Security (RLS) policies enforce strict multi-tenant isolation — no organisation can access another's data.
  • Authentication: Multi-factor authentication (MFA) is mandatory for all production users.
  • Infrastructure: All data is stored and processed within EU/UK regions. No data is transferred to US or Asia regions.

8. Your Rights Under UK GDPR

If you are a brand user or a TikTok creator whose data we process, you have the following rights:

Right to Access: You may request a copy of all personal data we hold about you. We will respond within 30 days in a portable JSON format.
Right to Rectification: If your data is inaccurate, you may request a correction. We will implement changes within 72 hours.
Right to Erasure ("Right to be Forgotten"): You may request deletion of all your personal data. We will confirm deletion within 72 hours. Note: some data may be retained for legal compliance (e.g., billing records).
Right to Restriction: You may request that we pause processing your data while a dispute is under review.
Right to Data Portability: You may request your data in a machine-readable format.
Right to Object: You may object to processing based on legitimate interest. We will review and respond within 30 days.
Right to Human Review: Where Lumo processes your data through automated profiling systems (including FitScore), you have the right to request human review of any assessment or recommendation generated about you. To exercise this right, contact privacy@lumoplatform.ai.

To exercise any of these rights, contact: privacy@lumoplatform.ai

We will respond to all requests within the statutory timeframes required under UK GDPR (normally within 30 days).

9. Creator Opt-Out

If you are a TikTok creator and do not wish to be contacted via Lumo, or wish to have your data removed from our platform, please email privacy@lumoplatform.ai with the subject line “Creator Opt-Out” and your TikTok username. We will:

  1. Remove your profile from our creator database.
  2. Add you to our suppression list so brands cannot contact you through Lumo.
  3. Confirm completion within 48 hours.

10. Cookies

Lumo uses strictly necessary cookies required for authentication, session management, and platform security. These cookies are essential for the operation of the platform and cannot be disabled. We do not use tracking cookies, advertising cookies, or third-party analytics cookies that collect personal data.

The following cookies may be set when you use the Lumo platform:

Cookie | Set by | Purpose | Duration
__session | Clerk | Authentication session token | Session
__client_uat | Clerk | Tracks signed-in status across browser tabs | Persistent (1 year)
__clerk_db_jwt | Clerk | Secure user identity token | Session
__stripe_mid | Stripe | Fraud prevention and payment session | 1 year
__stripe_sid | Stripe | Active payment session management | 30 minutes
csrf-token | Lumo | Cross-site request forgery protection | Session
_vercel_jwt | Vercel | Deployment access (staging environments only) | Session

All cookies listed above are strictly necessary for the platform to function. They cannot be disabled without preventing login or payment processing.

A note on error monitoring: Lumo uses Sentry for error monitoring. If Sentry's browser SDK is active on your session, it may store session identifiers in browser storage to correlate error events. This data is used solely for diagnosing technical faults and is not used for advertising, profiling, or analytics.

No consent banner is required under UK PECR for strictly necessary cookies. If Lumo adds any non-essential cookies in future, this policy will be updated and users notified at least 14 days in advance.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email at least 14 days before they take effect. The “Last updated” date at the top of this page will always reflect the most recent version.

12. Age Restriction

Lumo Platform is intended for use by businesses and individuals aged 18 or over. We do not knowingly collect personal data from children.

If we become aware that we have inadvertently collected personal data from a child under 18, we will delete that data promptly and without undue delay. If you believe a child has submitted data through our platform, please contact us at privacy@lumoplatform.ai.

13. Governing Law

This Privacy Policy is governed by the laws of England and Wales. Any disputes arising from or relating to this policy shall be subject to the exclusive jurisdiction of the courts of England and Wales.

14. Contact and Complaints

To contact us about this policy or to raise a concern, email privacy@lumoplatform.ai. If you are unsatisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).

Lumo Platform Limited · privacy@lumoplatform.ai · March 2026