Privacy Policy

LUMO PLATFORM LIMITED

Last updated: March 2026

Contact: privacy@lumoplatform.ai

1. Who We Are

LUMO PLATFORM LIMITED (“Lumo”, “we”, “us”, “our”) is a B2B SaaS platform that helps e-commerce brands manage their TikTok Shop. We connect brands with TikTok creators through TikTok's official Shop Partner API.

LUMO PLATFORM LIMITED was incorporated in 2025 and the application is launching in April 2026.

Note: All data accessed through TikTok Shop APIs is used exclusively within the scope of the TikTok Partner Programme. No data scraping, unofficial APIs, or third-party data brokers are used.

Lumo currently processes personal data exclusively in the context of UK-based operations and does not specifically target EU residents. Should this change, we will appoint an EU representative in accordance with Article 27 GDPR.

1.1 Our Role Under Data Protection Law

Depending on how data is used, Lumo may act as either:

  • Data Controller — when processing information about platform users and creator data used to power the Lumo platform.
  • Data Processor — when processing data on behalf of brand users who use the platform to run creator campaigns.

2. Who This Policy Applies To

This Privacy Policy applies to:

  • Brand users — individuals who register and use LUMO PLATFORM LIMITED on behalf of an e-commerce brand or organisation.
  • TikTok creators — individuals whose publicly available TikTok profile and performance data is processed through the TikTok Shop API in the context of affiliate campaign matching.
  • Visitors to our website and platform.

3. What Data We Collect and Why

3.1 Brand Users (Our Direct Customers)

When you create a Lumo account, we collect:

Data | Purpose | Legal Basis
Name, email address | Account creation and authentication | Contract
Organisation name and billing address | Subscription management | Contract
TikTok Shop OAuth credentials (encrypted) | Connecting your TikTok Shop to Lumo | Contract
Payment information | Processed by Stripe — we do not store card details | Contract
Campaign activity, messages sent, CRM interactions | Providing the Lumo service | Contract
Login and usage logs | Security, fraud prevention, and debugging | Legitimate interest

3.2 TikTok Creators

We process publicly available creator data made available through TikTok's official Shop Partner and Creator Marketplace APIs. This includes:

Data | Source | Purpose
TikTok username and display name | TikTok Shop API | Creator identification
Profile bio and avatar | TikTok Shop API | Creator search and matching
Follower count, engagement rate, average video views | TikTok Shop API | Performance-based campaign matching
GMV (gross merchandise value) metrics | TikTok Shop API | Eligibility validation per TikTok rules
Category and content niche | TikTok Shop API | Relevance matching for brands

We do not collect: creator email addresses, phone numbers, payment details, private messages, or any data not publicly available through TikTok's official API.

Legal basis for processing creator data: Legitimate interest — facilitating genuine business opportunities between TikTok creators and brands through TikTok's official affiliate commerce programme.

3.3 Automated Decision-Making and Profiling (FitScore)

Lumo uses an automated scoring system called FitScore to help brands assess the suitability of TikTok creators for their affiliate campaigns. FitScore analyses publicly available creator data including follower count, engagement rate, content category, historical campaign performance, and GMV metrics.

FitScore influences outreach recommendations made to brands but does not produce decisions with legally significant or similarly significant effects on creators.

If you are a TikTok creator and wish to understand how your FitScore has been calculated, or to request a human review, contact privacy@lumoplatform.ai.

4. How We Use Data

  • Provide and operate the Lumo platform for brand users.
  • Match creators to affiliate campaigns based on performance and relevance.
  • Send collaboration invitations and direct messages to creators on behalf of brands, strictly via TikTok's official API.
  • Process payments and manage subscriptions.
  • Monitor platform security, detect fraud, and maintain system integrity.
  • Comply with our legal obligations under UK GDPR and TikTok's Partner Programme requirements.

We do not: sell data to third parties, use data for advertising, or share data outside the Lumo platform without legal basis.

5. Data Sharing and Third-Party Processors

We share data only with trusted sub-processors necessary to operate the platform. All sub-processors are contractually bound to process data only on our instructions and in compliance with UK GDPR.

Sub-processor | Role | Location | Certification
Vercel | Application hosting | EU (UK/Frankfurt) | SOC2 Type 2, ISO27001
Supabase | Database (PostgreSQL) | EU-West-1, London | SOC2 Type 2, ISO27001
Clerk | Authentication and user management | EU region | SOC2 Type 2, GDPR
Upstash | Caching and session management | EU-West-1, Frankfurt | SOC2 Type 2, ISO27001
Stripe | Payment processing | EU | PCI-DSS, SOC2
Resend | Transactional email delivery | EU | SOC2
Sentry | Error monitoring | EU | SOC2
Axiom | Operational logging | EU | SOC2
TikTok (via official API) | Creator retrieval and outreach | Per TikTok DPA

6. Data Retention

Data Type | Retention Period
Brand account data | 3 years after inactivity
Campaign and message history | 3 years after campaign completion
Creator performance metrics | 2 years from last data refresh
TikTok OAuth tokens | Deleted immediately upon expiry or disconnection
Audit and security logs | 2 years
Error logs | 90 days
Billing records | 7 years (UK legal requirement)

7. Data Security

  • Encryption at rest: AES-256 encryption on all databases.
  • Encryption in transit: TLS 1.3 enforced across all connections, with HSTS enabled.
  • OAuth token security: TikTok access tokens are encrypted at the application level using AES-256-GCM before storage.
  • Access control: PostgreSQL Row-Level Security (RLS) policies enforce strict multi-tenant isolation.
  • Authentication: Multi-factor authentication (MFA) is mandatory for all production users.
  • Infrastructure: All data is stored and processed within EU/UK regions.

8. Your Rights Under UK GDPR

Right | What it means
Right to Access | You may request a copy of all personal data we hold about you. We will respond within 30 days in a portable JSON format.
Right to Rectification | If your data is inaccurate, you may request a correction. We will implement changes within 72 hours.
Right to Erasure ("Right to be Forgotten") | You may request deletion of all your personal data. We will confirm deletion within 72 hours.
Right to Restriction | You may request that we pause processing your data while a dispute is under review.
Right to Data Portability | You may request your data in a machine-readable format.
Right to Object | You may object to processing based on legitimate interest. We will review and respond within 30 days.
Right to Human Review | Where Lumo processes your data through automated profiling systems (including FitScore), you have the right to request human review of any assessment.

To exercise any of these rights, contact privacy@lumoplatform.ai. We will respond within 30 days as required under UK GDPR.

9. Creator Opt-Out

If you are a TikTok creator and do not wish to be contacted via Lumo, email privacy@lumoplatform.ai with subject line “Creator Opt-Out” and your TikTok username. We will then:

  1. Remove your profile from our creator database.
  2. Add you to our suppression list so brands cannot contact you through Lumo.
  3. Confirm completion within 48 hours.

10. Cookies

Lumo uses strictly necessary cookies required for authentication, session management, and platform security. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

Cookie | Set by | Purpose | Duration
__session | Clerk | Authentication session token | Session
__client_uat | Clerk | Tracks signed-in status across browser tabs | Persistent (1 year)
__clerk_db_jwt | Clerk | Secure user identity token | Session
__stripe_mid | Stripe | Fraud prevention and payment session | 1 year
__stripe_sid | Stripe | Active payment session management | 30 minutes
csrf-token | Lumo | Cross-site request forgery protection | Session
_vercel_jwt | Vercel | Deployment access (staging environments only) | Session

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email at least 14 days before they take effect.

12. Age Restriction

Lumo Platform is intended for use by businesses and individuals aged 18 or over. We do not knowingly collect personal data from children. Contact privacy@lumoplatform.ai if you believe a child has submitted data.

13. Governing Law

This Privacy Policy is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

14. Contact and Complaints

If you are unsatisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

Lumo Platform Limited · privacy@lumoplatform.ai · March 2026