Privacy Policy

    Last updated: May 7, 2026

    Effective date: May 7, 2026

    This Privacy Policy describes how Ecomerco – Jakub Janus ("Lumistate", "we", "us", or "our") collects, uses, shares, and protects information when you use the Lumistate platform and related services (the "Service").

    This Privacy Policy is incorporated by reference into our Terms of Service. Where there is a conflict, the Terms of Service control on contractual matters and this Privacy Policy controls on data protection matters.

    1. Introduction & Scope

    1.1 Who This Applies To. This Privacy Policy applies to:

    • Customers who register an account on lumistate.ai
    • Visitors to our website who interact with our forms, tools, or content
    • End users of our Service (e.g., property sellers receiving share links from agents)
    • Individuals whose personal data appears in photos uploaded by Customers

    1.2 What It Covers. This Privacy Policy covers personal data we process in connection with:

    • Account registration and management
    • Photo uploads and AI processing
    • Communications and support
    • Marketing and analytics
    • Compliance with legal obligations

    1.3 What It Does Not Cover. This Privacy Policy does not cover:

    • Third-party websites linked from our Service (review their policies)
    • Data processed outside our Service (e.g., your CRM, your MLS systems)
    • Personal data in photos for which you serve as the data controller (where Lumistate acts as a data processor under your direction)

    1.4 Plain Language Promise. We've written this in clear English. If anything is unclear, contact us at jakub@amaia-estate.com — we'll explain.

    2. Definitions

    For the purposes of this Privacy Policy:

    • "Personal Data" has the meaning given in GDPR Article 4: any information relating to an identified or identifiable natural person.
    • "Processing" means any operation performed on Personal Data, including collection, storage, modification, and deletion.
    • "Data Controller" means the entity that determines the purposes and means of Processing.
    • "Data Processor" means an entity that processes Personal Data on behalf of a Controller.
    • "Sub-processor" means a third party engaged by Lumistate to process Personal Data.
    • "Customer" means a person or organization who has registered for the Service.
    • "Customer Content" means photos, descriptions, and other materials uploaded to the Service.

    3. Who We Are (Data Controller)

    3.1 Data Controller. For most Personal Data we collect (account information, billing, communications), Ecomerco – Jakub Janus is the Data Controller:

    • Legal name: Ecomerco – Jakub Janus
    • Registration: Sole proprietorship registered in Poland
    • NIP (Tax ID): 6951531852
    • REGON: 384997270
    • Registered address: ul. Stefana Czarnieckiego 3/5, 59-400 Jawor, Poland
    • Email: jakub@amaia-estate.com
    • Phone: +48 500 453 588

    3.2 Data Processor for Customer Content. When Customers upload photos and other Content, the Customer is typically the Data Controller for any Personal Data within that Content (e.g., faces, license plates, identifiable property interiors). Lumistate acts as a Data Processor and processes such data only as instructed by the Customer in accordance with our Terms of Service and any executed Data Processing Agreement (DPA).

    3.3 Data Protection Contact. For privacy questions, requests, or complaints:

    • Email: jakub@amaia-estate.com
    • Subject line: Privacy Request

    We will respond within the timeframes required by applicable law (typically 30 days under GDPR, 45 days under CCPA).

    3.4 No DPO Required. Under GDPR Article 37, Lumistate is not currently required to appoint a Data Protection Officer based on the nature, scope, and volume of Processing. We will reassess as the business grows. The contact above functions as the privacy point-of-contact in the meantime.

    4. Data We Collect

    We collect Personal Data in the following categories:

    4.1 Account & Identity Data

    • Name and business name
    • Email address
    • Phone number (optional)
    • Brokerage or company affiliation
    • Job role / profession
    • Country and region (for currency, jurisdiction, language)
    • Account credentials (passwords are stored as cryptographic hashes, never in plaintext)

    4.2 Billing & Transaction Data

    • Billing address
    • Tax identification numbers (where required)
    • Payment method information (processed by Stripe; we receive payment confirmations and last-4 of card, but not full card numbers)
    • Transaction history
    • Subscription tier and billing cycle

    4.3 Customer Content

    • Photos uploaded to the Service (which may incidentally contain Personal Data: faces, license plates, identifiable interiors)
    • Property descriptions and metadata
    • Generated Output (enhanced photos, AI-generated descriptions)
    • Listing information (address, price, property details)

    4.4 Usage & Technical Data

    • IP address (used for security, geo-detection, fraud prevention)
    • Device type, browser, operating system
    • Referrer URLs
    • Pages viewed, features used, session duration
    • Performance and error logs
    • Photo processing metadata (file size, processing time, features used)

    4.5 Communications Data

    • Support tickets and email correspondence
    • Form submissions (contact form, partnership inquiries, demo requests)
    • Feedback and feature requests
    • Survey responses

    4.6 Marketing Data (Optional)

    • Newsletter subscriptions
    • Marketing campaign engagement
    • Webinar attendance (where applicable)

    4.7 Data We Do Not Collect

    • Government-issued ID numbers (except as required by tax law)
    • Health data
    • Genetic or biometric data (we do not perform facial recognition; auto-blur uses face detection without storing biometric templates)
    • Children's data (the Service is not intended for individuals under 18)

    5. How We Use Your Data (Lawful Bases)

    Under GDPR Article 6, we Process Personal Data only when we have a lawful basis. The table below identifies our purposes and corresponding lawful bases.

    Purpose | Categories of Data | Lawful Basis
    Provide the Service | Account, Customer Content, Usage | Contract (Art. 6(1)(b))
    Process payments | Billing, Transaction | Contract (Art. 6(1)(b))
    Account security & fraud prevention | Account, Usage, Technical | Legitimate interest (Art. 6(1)(f))
    Customer support | Account, Communications | Contract (Art. 6(1)(b))
    Service improvement (aggregated, de-identified) | Usage, Technical | Legitimate interest (Art. 6(1)(f))
    Marketing communications | Account, Marketing | Consent (Art. 6(1)(a)) — opt-in
    Legal compliance (tax, regulatory, court orders) | All applicable categories | Legal obligation (Art. 6(1)(c))
    Defense of legal claims | All applicable categories | Legitimate interest (Art. 6(1)(f))
    Cross-border data transfers | All applicable categories | Standard Contractual Clauses + supplementary measures

    5.1 Legitimate Interests Assessment. Where we rely on legitimate interests, we have conducted a balancing test. You may request a copy of the relevant assessment by contacting us.

    5.2 Right to Object. You may object to Processing based on legitimate interests at any time. We will stop unless we demonstrate compelling legitimate grounds that override your interests.

    5.3 Withdrawal of Consent. Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of Processing before withdrawal.

    6. AI Processing of Photos & Content

    This Section addresses how artificial intelligence processes your data — a critical disclosure under the EU AI Act and a key concern for enterprise buyers.

    6.1 What AI Processing Occurs. When you upload photos and content to the Service, the following AI Processing may occur:

    • Photo enhancement (HDR tone mapping, sky replacement, virtual staging) — performed by Lumistate's proprietary processing pipeline and integrated third-party models
    • Object detection (face detection, license plate detection for auto-blur) — performed by computer vision models
    • AI text generation (listing descriptions) — performed by Google Gemini API
    • AI video generation — performed by Google Veo API (only when Customer purchases video credits)
    • Quality scoring — performed by Lumistate's internal models

    6.2 No Training on Your Content. We do not use Customer Content to train artificial intelligence models. This includes:

    • Your photos are not used to improve our models
    • Your generated descriptions are not used to fine-tune language models
    • Your processing patterns are not used as training signal

    This commitment applies to both Lumistate's proprietary models and third-party models accessed via API. Third-party providers (Google Gemini, Google Veo) operate under their enterprise API terms which contractually exclude training on customer inputs.

    6.3 Sub-Processors for AI. Specific sub-processors involved in AI Processing:

    Sub-processor | Purpose | Data Processed | Location
    Google Cloud (Gemini) | AI listing description generation | Property descriptions, photos for context | EU + US
    Google Cloud (Veo) | AI video generation | Photos for video synthesis | EU + US
    Lumistate proprietary models | Photo enhancement, staging, quality scoring | Photos, processing parameters | EU

    6.4 AI Output Limitations. AI-generated outputs are probabilistic and may contain errors. You should review all AI-generated content before publishing. Lumistate is not responsible for inaccuracies in AI outputs that you publish without review.

    6.5 EU AI Act Compliance. The Service includes features that fall within the scope of the EU AI Act. Where applicable:

    • Generative AI outputs are marked as AI-generated upon export
    • Disclosure tooling is provided for jurisdictions requiring it (California AB 723, EU AI Act)
    • Records of AI Processing are maintained as required

    6.6 Right to Human Review. For material decisions affecting your business based on AI output (e.g., compliance flags, content moderation), you may request human review by contacting jakub@amaia-estate.com.

    7. Data Sharing & Sub-Processors

    7.1 We Do Not Sell Personal Data. We do not sell, rent, or trade Personal Data. This is true under all applicable definitions, including the broad CCPA definition of "sale."

    7.2 Sub-Processors. We engage sub-processors to provide the Service. Each sub-processor is bound by data protection terms equivalent to or stricter than those in this Privacy Policy. Current sub-processors:

    Sub-processor | Purpose | Data Categories | Location
    Stripe | Payment processing | Billing, Transaction | EU + US (SCC)
    Supabase | Database, authentication, file storage | Account, Customer Content, Usage | EU
    Google Cloud | AI processing (Gemini, Veo) | Customer Content (photos, descriptions) | EU + US (SCC)
    Cloudflare | CDN, DDoS protection, security | Technical, Usage | Global (SCC)
    Resend / Postmark | Transactional email | Account, Communications | EU + US (SCC)
    Google Analytics 4 | Website analytics (anonymized where possible) | Usage, Technical | EU + US (SCC)

    A current list is maintained at lumistate.ai/legal/sub-processors and updated with at least 30 days' advance notice for material additions.

    7.3 Other Third Parties. We may share Personal Data:

    • With your consent — when you explicitly authorize sharing (e.g., share links to property sellers)
    • For legal reasons — to comply with court orders, subpoenas, or government requests, or to protect our legal rights
    • In business transfers — in connection with merger, acquisition, or sale of assets, with notice to affected individuals
    • With professional advisors — lawyers, accountants, auditors, under confidentiality obligations

    7.4 Aggregated Data. We may share aggregated, de-identified data (e.g., "average processing time across all customers") that cannot reasonably be used to identify any individual.

    8. International Data Transfers

    8.1 Where Your Data Goes. Personal Data may be transferred to and processed in countries other than your country of residence, including:

    • Poland (where Lumistate is headquartered)
    • Other EU/EEA countries (Supabase EU, Google Cloud EU)
    • The United States (Google Cloud US, Stripe US, Cloudflare global)

    8.2 Safeguards for Transfers Outside EU/EEA. For transfers from the EU/EEA to countries without an adequacy decision (including the US), we rely on:

    • EU Standard Contractual Clauses (SCCs) as approved by the European Commission
    • Supplementary measures including encryption in transit and at rest, access controls, and audit rights
    • Transfer Impact Assessments conducted in line with EDPB guidance

    8.3 Adequacy Decisions. Where the European Commission has issued an adequacy decision for a destination country, transfers proceed under that decision.

    8.4 Right to Information. You may request a copy of relevant transfer mechanisms (e.g., SCCs, Transfer Impact Assessments) by contacting us.

    8.5 UK Transfers. For UK transfers, we use the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs.

    9. Data Retention

    We retain Personal Data only as long as necessary for the purposes for which it was collected.

    9.1 Account Data. Retained for the duration of the active account plus up to 24 months after closure for legal claims, tax records, and regulatory compliance.

    9.2 Customer Content (Photos). Retained per the active subscription tier:

    • Free tier: 7 days from upload
    • Pro tier: 90 days
    • Volume Pro tier: 180 days
    • Business and partnership tiers: configurable, with default 365 days
    • AB 723 compliance retention: 7 years from listing date for Content marked as AB 723–compliant

    9.3 Billing Data. Retained for 5 years (Polish tax law minimum) plus statute-of-limitations buffer where applicable.

    9.4 Communications. Retained for 3 years from last communication, except where ongoing matter requires longer retention.

    9.5 Marketing Data. Retained until consent withdrawal or 3 years of inactivity, whichever is sooner.

    9.6 Usage and Technical Data. Aggregated/de-identified after 90 days; raw logs retained for 13 months for security and fraud prevention.

    9.7 Backups. Disaster-recovery backups may persist for up to 30 days beyond active deletion, after which they are purged.

    9.8 Legal Hold. When required by litigation, regulatory inquiry, or legal obligation, retention may be extended for the duration of the relevant matter.

    10. Your Rights

    Under GDPR (and equivalent laws in other jurisdictions), you have the following rights regarding Personal Data we hold about you:

    10.1 Right of Access. Request a copy of your Personal Data and information about how we Process it.

    10.2 Right to Rectification. Correct inaccurate or incomplete Personal Data.

    10.3 Right to Erasure ("Right to Be Forgotten"). Request deletion of your Personal Data, subject to legal exceptions (e.g., we cannot delete data we are required to retain by law).

    10.4 Right to Restrict Processing. Limit how we Process your data in specific circumstances (e.g., while accuracy is being verified).

    10.5 Right to Data Portability. Receive your Personal Data in a structured, commonly used, machine-readable format, and transmit it to another controller.

    10.6 Right to Object. Object to Processing based on legitimate interests, including profiling.

    10.7 Right to Withdraw Consent. Where Processing is based on consent, withdraw it at any time without affecting prior lawful Processing.

    10.8 Right Not to Be Subject to Automated Decisions. You have the right not to be subject to decisions based solely on automated Processing (including profiling) that produce legal or similarly significant effects. The Service does not currently make such decisions.

    10.9 Right to Lodge a Complaint. You may lodge a complaint with a supervisory authority. The lead authority for Lumistate is the Polish Personal Data Protection Office (UODO):

    • Address: ul. Stawki 2, 00-193 Warsaw, Poland
    • Website: uodo.gov.pl
    • Phone: +48 22 531 03 00

    You may also lodge a complaint with the supervisory authority in your country of residence.

    10.10 How to Exercise Your Rights. Contact us at jakub@amaia-estate.com with the subject line "Privacy Request" and specify which right you are exercising. We will:

    • Verify your identity (we may request additional information)
    • Respond within 30 days (extendable to 60 days for complex requests, with notice)
    • Provide the response in the same form as the request, where reasonable

    10.11 No Charge. Exercising your rights is free. For manifestly unfounded or excessive requests (particularly repetitive ones), we may charge a reasonable fee or refuse to act.

    11. Cookies & Tracking Technologies

    11.1 What Cookies We Use. Cookies are small text files stored on your device. We use:

    Category | Purpose | Duration | Examples
    Strictly necessary | Authentication, security, load balancing | Session to 1 year | Session tokens, CSRF tokens
    Functional | Preferences, language, currency | Up to 1 year | Locale preference, theme
    Analytics | Anonymous usage statistics | Up to 13 months | Google Analytics 4 (anonymized)
    Marketing | Marketing campaign measurement (only with consent) | Up to 1 year | Conversion pixels

    11.2 Cookie Consent. For visitors in the EU/EEA/UK, we implement a cookie consent banner that allows you to:

    • Accept all cookies
    • Reject non-essential cookies
    • Customize preferences by category

    11.3 Browser Controls. You can manage cookies through your browser settings. Disabling strictly necessary cookies may impair Service functionality.

    11.4 Do Not Track. We honor "Do Not Track" signals where technically feasible. Currently, no industry-wide standard for DNT exists.

    11.5 Other Tracking Technologies. We may use related technologies including:

    • Local storage (for client-side preferences)
    • Pixels (for email open tracking, where consent applies)
    • Server logs (for security and debugging)

    12. Marketing Communications

    12.1 Opt-In Required. We send marketing communications (newsletters, product updates, promotional offers) only with explicit consent.

    12.2 How to Opt In. You can opt in:

    • During account registration (clearly indicated, never pre-checked)
    • Through marketing preference settings in your account
    • By subscribing to specific lists from forms on our website

    12.3 How to Opt Out. You can withdraw consent at any time:

    • Click "unsubscribe" in any marketing email
    • Update preferences in your account settings
    • Email jakub@amaia-estate.com

    12.4 Service-Related Communications. Even if you opt out of marketing, we will send essential service communications (account notifications, security alerts, billing notices, legal updates). These are not subject to marketing consent.

    12.5 No Sale to Third Parties. We do not share your contact information with third parties for their independent marketing purposes.

    13. Children's Privacy

    The Service is intended for business use by individuals 18 years of age and older. We do not knowingly collect Personal Data from children under 18.

    If we become aware that we have collected Personal Data from a child under 18, we will delete it promptly. If you believe a child has provided us with Personal Data, contact jakub@amaia-estate.com.

    14. Security Measures

    14.1 Technical Measures. We implement industry-standard technical safeguards:

    • Encryption in transit (TLS 1.3)
    • Encryption at rest (AES-256)
    • Hashed and salted passwords (bcrypt/argon2)
    • Role-based access controls
    • Network isolation and firewalls
    • Vulnerability scanning and patch management
    • Logging and monitoring of access to Personal Data

    14.2 Organizational Measures. We implement organizational safeguards:

    • Confidentiality obligations for personnel and contractors
    • Privacy and security training
    • Access on a need-to-know basis
    • Background checks for personnel with access to Personal Data
    • Incident response procedures

    14.3 Third-Party Audits. Annual third-party security assessments are conducted. We are working toward SOC 2 Type II certification (in progress, expected completion Q3 2026).

    14.4 Limitations. No security measures are perfect. We cannot guarantee absolute security. We commit to continuous improvement and rapid response to incidents (Section 15).

    14.5 Your Responsibilities. You should:

    • Use a strong, unique password
    • Enable two-factor authentication where available
    • Keep your login credentials confidential
    • Report suspected security incidents to jakub@amaia-estate.com immediately

    15. Data Breach Notification

    15.1 Our Commitment. In the event of a Personal Data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:

    • Notify the relevant supervisory authority (UODO) within 72 hours of becoming aware, where required by GDPR Article 33
    • Notify affected individuals without undue delay where the breach is likely to result in a high risk (GDPR Article 34)
    • Document the breach, its effects, and remedial actions taken

    15.2 What We Communicate. Breach notifications will include:

    • Nature of the breach (categories and approximate number of affected records)
    • Likely consequences
    • Measures taken or proposed to address the breach
    • Contact point for further information
    • Recommended actions for affected individuals

    15.3 Customer Cooperation. Where Lumistate acts as a Data Processor (e.g., for Customer Content), we will notify the Customer (acting as Controller) without undue delay so they can fulfill their notification obligations.

    16. California Privacy Rights (CCPA/CPRA)

    This Section applies to California residents and provides additional disclosures under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

    16.1 Categories of Personal Information. In the past 12 months, we have collected the following categories of "personal information" (as defined under CCPA):

    • Identifiers (name, email, IP address)
    • Customer records (billing address, payment information)
    • Commercial information (subscription history, transactions)
    • Internet activity (browsing, usage data)
    • Geolocation data (general, IP-derived)
    • Professional information (job role, brokerage)
    • Audio/visual data (uploaded photos)
    • Inferences (drawn from above categories for service improvement)

    16.2 Sources. We collect this information:

    • Directly from you (when you register, upload content, contact us)
    • Automatically (through your use of the Service)
    • From third parties (payment processors, analytics providers)

    16.3 Business Purposes. We use this information for the purposes described in Section 5.

    16.4 No Sale of Personal Information. Lumistate does not sell personal information as defined under CCPA. We do not engage in "sharing" for cross-context behavioral advertising as defined under CPRA.

    16.5 California Resident Rights. California residents have the right to:

    • Know what personal information we collect, use, share, and retain
    • Delete personal information we have collected (with exceptions)
    • Correct inaccurate personal information
    • Opt out of sale or sharing (not applicable, as we do neither)
    • Limit use of sensitive personal information (we do not use sensitive PI for purposes requiring this right)
    • Non-discrimination for exercising any right

    16.6 How to Exercise California Rights. Contact jakub@amaia-estate.com with the subject line "California Privacy Request." Include:

    • Your full name and email associated with your account
    • Description of the right you are exercising
    • Verification information (we will request)

    We will respond within 45 days (extendable to 90 days with notice).

    16.7 Authorized Agents. California residents may designate an authorized agent to exercise rights on their behalf. The agent must provide written authorization and proof of identity.

    16.8 California "Shine the Light" Law. California Civil Code Section 1798.83 entitles California residents to request information regarding our disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

    17. EU & UK Specific Provisions

    17.1 Lead Supervisory Authority. The Polish Personal Data Protection Office (UODO) is our lead supervisory authority within the EU.

    17.2 EU Representative. As Lumistate is established in the EU (Poland), we are not required to designate a separate EU representative under GDPR Article 27.

    17.3 UK Representative. Where we Process Personal Data of UK residents and trigger UK GDPR territorial scope (Article 3), we will designate a UK representative as required. Currently, our UK Processing volumes do not require this. We will publish UK representative details if and when this changes.

    17.4 UK Data Protection. UK Personal Data is Processed in accordance with the UK GDPR and the Data Protection Act 2018. UK residents may lodge complaints with the UK Information Commissioner's Office (ICO):

    • Website: ico.org.uk
    • Phone: 0303 123 1113

    17.5 Swiss Data Protection. Swiss Personal Data is Processed in accordance with the Swiss Federal Act on Data Protection (FADP). Swiss residents may lodge complaints with the Federal Data Protection and Information Commissioner (FDPIC).

    17.6 Data Processing Agreements. B2B Customers in the EU/UK may request a Data Processing Agreement (DPA) for Lumistate's role as Data Processor in respect of Customer Content. Contact jakub@amaia-estate.com with subject line "DPA Request."

    18. Changes to This Policy & Contact

    18.1 Updates. We may update this Privacy Policy. Material changes will be communicated via:

    • Email notification to active Customers (at least 14 days before effect)
    • In-app notification on next login
    • Banner on lumistate.ai/privacy
    • Update of the "Last updated" date at the top of this document

    18.2 Non-Material Changes. Non-material changes (typos, formatting, clarifications) take effect upon posting.

    18.3 Continued Use. Continued use of the Service after material changes take effect constitutes acceptance.

    18.4 Version History. We maintain a version history at lumistate.ai/legal/privacy-history (or available on request).

    18.5 Contact. For privacy questions, requests, or complaints:

    • Email: jakub@amaia-estate.com
    • Subject line: Privacy Request
    • Postal: Ecomerco – Jakub Janus, ul. Stefana Czarnieckiego 3/5, 59-400 Jawor, Poland
    • Phone: +48 500 453 588

    For complaints to a supervisory authority:

    • EU: Polish Personal Data Protection Office (UODO) — uodo.gov.pl
    • UK: Information Commissioner's Office (ICO) — ico.org.uk
    • California: California Privacy Protection Agency — cppa.ca.gov
    • Or your country's local data protection authority