Privacy Policy

1. Who we are and scope

Luminik is a B2B SaaS event pipeline platform operated by DataRavel Inc., a Delaware C-corporation. This policy covers personal data processed through our website (luminik.io), web application, mobile application, and APIs. For personal data processed on behalf of our customers (for example, attendee records ingested via integrations), Luminik acts as a data processor and the customer is the controller. For account registration and website analytics, Luminik acts as a data controller.

2. Information we collect

a. Account information. Name, work email, job title, company, and authentication provider (Google, Microsoft, LinkedIn, or SSO) when you sign up or log in.

b. Customer-supplied data. When a customer connects Luminik to its CRM, event tools, enrichment vendors, or sequencer, we process the records the customer directs us to (for example, event attendee names, titles, companies, email addresses, meeting outcomes, and associated CRM fields).

c. Enriched data. We augment customer records with data from third-party enrichment providers and public professional sources. This may include firmographic data, job titles, LinkedIn profile URLs, and public company information.

d. Usage and device data. Logs, IP address, browser and device metadata, and feature-usage events generated when you use the Services.

e. Website analytics and cookies. When you visit luminik.io, we use Google Analytics 4 and PostHog to measure traffic and product interest. These load only after you accept analytics cookies through our consent banner (luminik-consent-v1 in local storage). See our cookie notice in the footer.

f. Support and communications. Content of support tickets, emails, and chat conversations you initiate with us.

3. How we use personal data

We use personal data to:

• provide, operate, and secure the Services;
• deliver enriched attendee records tailored to the customer's defined ICP;
• authenticate users and enforce access controls;
• monitor performance, detect abuse, and improve product quality;
• respond to support inquiries and communicate service updates;
• comply with legal, tax, and accounting obligations.

We do not use personal data to train third-party large language models. We do not sell personal data.

4. Legal bases (EU/EEA, UK, Switzerland)

If you are located in the EEA, UK, or Switzerland, our legal bases under the GDPR / UK GDPR are:

• Contract: to provide the Services you or your employer subscribed to.
• Legitimate interests: to secure the platform, prevent fraud, run product analytics, and conduct B2B marketing to professional contacts.
• Consent: for non-essential cookies and any direct-marketing email to individuals where consent is required.
• Legal obligation: where processing is required by law.

5. Your rights (GDPR)

Subject to applicable law, you have the right to:

• Access the personal data we hold about you;
• Rectify inaccurate or incomplete data;
• Erase your data ("right to be forgotten"), subject to our legal and contractual retention obligations;
• Restrict processing in certain circumstances;
• Object to processing based on legitimate interests, including direct marketing;
• Data portability: receive your data in a structured, machine-readable format;
• Withdraw consent at any time where processing is based on consent;
• Lodge a complaint with your local supervisory authority.

If Luminik processes your data on behalf of a customer (for example, your employer uses Luminik and you are an event attendee), please direct requests to that customer first; we will assist them as a processor.

To exercise rights directly against Luminik, email privacy@luminik.io. We respond within 30 days.

6. Your rights (California, CCPA/CPRA)

California residents have the right to:

• Know the categories and specific pieces of personal information we collect, use, and disclose;
• Delete personal information we hold;
• Correct inaccurate personal information;
• Opt out of sale or sharing of personal information for cross-context behavioral advertising;
• Limit the use of sensitive personal information;
• Non-discrimination for exercising these rights.

Luminik does not sell personal information and does not share it for cross-context behavioral advertising. To submit a request, email privacy@luminik.io. We verify requests using information already associated with your account.

7. How we share data

We share personal data with:

• Sub-processors that operate on our behalf under written contracts (see section 8);
• Customer-authorized integrations you or your administrator connect (for example, your Salesforce or HubSpot instance);
• Professional advisors (auditors, counsel) under confidentiality;
• Authorities where required by valid legal process;
• Successors in a merger, acquisition, or sale of assets, with notice as required by law.

We do not sell personal data and do not share it for advertising purposes.

8. Sub-processors

We use the following categories of sub-processors to deliver the Services. A current named sub-processor list with vendor, purpose, data category, and region is made available to customers and prospects under NDA or as part of the Data Processing Addendum (DPA) during contract review. Request via privacy@luminik.io.

• Hosting and infrastructure: hardened cloud infrastructure provider (US regions by default, EU regions available on request).
• CRM and sales tooling integrations (customer-authorized): Salesforce, HubSpot.
• Enrichment providers (customer-authorized, BYOV): Apollo, ZoomInfo, and other vendors the customer elects to connect.
• Sequencers and outreach (customer-authorized): Outreach, Salesloft, Apollo sequences.
• Collaboration: Slack (for customer notifications the customer configures).
• Product analytics and marketing site analytics: PostHog (EU host), Google Analytics 4.
• Support and communications: email delivery and help-desk providers.
• Identity and authentication: managed identity provider for SSO.

Sub-processors are bound by written agreements that require confidentiality and data protection commitments at least as protective as those in this policy.

9. International data transfers

Luminik is headquartered in the United States, and our primary infrastructure is in the US. When we transfer personal data out of the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and supplementary measures including encryption in transit and at rest. A copy of the SCCs is available on request.

10. Data retention

We retain personal data for as long as needed to provide the Services and to meet legal, tax, and accounting obligations. Default retention periods:

• Account records: for the life of the subscription, plus 30 days to allow export after termination.
• Customer-supplied attendee and CRM data: for the duration of the subscription. On termination, exported on request and deleted within 30 days, subject to backup cycles.
• Enriched records: for the duration of the subscription. Re-enrichment cycles overwrite older values.
• Meeting logs and attribution events: 24 months rolling, to support year-over-year event attribution reporting. Longer retention available on Enterprise order forms.
• Usage and security logs: up to 13 months.
• Support communications: up to 36 months.
• Financial and tax records: 7 years, per US requirements.
• Backups: up to 90 days, after which they are rotated out.

Customers can request earlier deletion at privacy@luminik.io, subject to legal holds.

11. Security

We apply administrative, technical, and physical safeguards appropriate to the sensitivity of the data we process. Core measures include:

• encryption in transit (TLS 1.2+) and at rest;
• secrets and customer-supplied credentials stored in a managed secrets vault;
• role-based access control and SSO for internal systems;
• logging, monitoring, and anomaly detection;
• vendor risk review before onboarding sub-processors;
• regular backups and tested recovery procedures.

Luminik's SOC 2 Type II audit is in progress. The observation window is currently open and is scheduled to close in Q4 2026, with the independent auditor report to follow. The security posture described above is in effect today and is the basis of the audit. Customers and prospects under NDA can request the current bridge letter and observation-window summary from privacy@luminik.io. No system is perfectly secure; we encourage customers to apply strong authentication and principle-of-least-privilege access to their own tenants.

12. Cookies and tracking

We use cookies and similar technologies on luminik.io. Essential cookies (session, consent state) are always on. Analytics cookies (Google Analytics 4, PostHog) load only after you accept them through our consent banner. Consent state is stored in the luminik-consent-v1 key in your browser's local storage. You can reopen the consent panel any time via the "Cookie settings" link in the footer.

13. Children's privacy

Luminik is a B2B product intended for professionals aged 18 and above. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, please contact privacy@luminik.io.

14. Automated decision-making

We do not use personal data for automated decision-making that produces legal or similarly significant effects on individuals. Enrichment and ICP scoring produce recommendations that customers review and act on; they do not themselves determine employment, credit, housing, or similar outcomes.

15. Third-party links

The Services may link to third-party websites or tools. Those sites have their own privacy practices; we are not responsible for them. Review their notices before providing personal data.

16. Do Not Track

We do not respond to browser Do Not Track signals because there is no industry consensus on how to interpret them. Our consent banner provides a more reliable way to control analytics.

17. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by updating the "last updated" date and, for paid subscribers, by email or in-product notice. Continued use of the Services after the effective date constitutes acceptance.

18. Contact us

Questions, privacy requests, or DPA copies: privacy@luminik.io. General legal inquiries: legal@luminik.io.

DataRavel Inc., Delaware, United States.