1. Who We Are and What This Policy Covers
1.1 This Privacy Policy explains how Lumo Solutions LLC (“we,” “us,” “our”) collects, uses, discloses, and protects personal data when you use the LumoGrade platform, websites, applications, and APIs (the “Service”).
1.2 This Policy applies to self-serve users (educators and education professionals). It is incorporated into, and should be read with, our Terms of Service. Capitalized terms not defined here have the meaning given in the Terms.
1.3 The Service is not intended for direct sign-up by students or children (see ToS §2.1 and §9 below).
2. A Note on the Two Kinds of Data We Handle
The Service handles two categories of personal data, and our role differs for each. This distinction is the most important thing to understand:
Category A — Account Holder Data
Your name, email, role, login, billing, and how you use the Service. For this data, we act as the controller and this Policy describes our practices.
Category B — Content You Upload (incl. Student Data)
Student work, identifiers, and other material you submit for grading or query. For this data, you (and/or your institution) are the controller and we act as a processor on your instructions. You remain responsible for the lawful basis, notices, and consents for what you upload.
3. Roles (Controller / Processor)
3.1 Where we are the controller: account, billing, usage, support, and marketing data (Category A).
3.2 Where we are a processor: Content and Student Data you submit (Category B). We process it only to provide the Service to you and on your instructions, consistent with ToS §6 and §7.
4. Personal Data We Collect
4.1 Information you provide:
- Account data: name, work email, role, institution name (if given), password (hashed).
- Billing data: plan, transaction records. Card details are processed by Stripe; we do not store full card numbers.
- Content: rubrics, course materials, assignments, and student work you upload — which may include Student Data per ToS §3 and §6.
- Communications: messages you send to support.
4.2 Information collected automatically:
- Usage and log data: queries, timestamps, interaction records, IP address, device/browser information, and error/diagnostic data.
- Cookies and similar technologies: see §12.
4.3 Data minimization. Where Student Data is not needed, the Service lets you use anonymous references instead of student names (see ToS §6.2(b)). We encourage anonymized upload wherever institutional authorization is not in place.
5. How We Use Personal Data
We use personal data to: (a) provide, operate, secure, and support the Service; (b) generate Output (grades, feedback, analytics, query responses) at your instruction; (c) process payments and manage subscriptions; (d) communicate about the Service, including service and security notices; (e) maintain audit logs and prevent abuse, fraud, and security incidents; (f) improve and develop the Service (subject to §6 — not by training AI models on your Content); and (g) comply with legal obligations and enforce our Terms.
6. AI Processing and How Your Content Is Used
6.1 AI Subprocessor. To generate grading, feedback, and query Output, relevant Content is transmitted to our third-party AI Subprocessor (Anthropic, PBC — Claude API) for processing.
6.2 No training on your Content. We do not use your Content to train, fine-tune, or develop generally available AI/ML models, and we contractually require our AI Subprocessor not to do so (ToS §7.4). Content is subject to a short retention window (and, where configured, zero data retention).
6.3 Calibration. “Calibration” adjusts the instructions given to the AI to match your grading standard. It does not train or alter any underlying AI model, and sample work is not persisted beyond what is needed to produce a calibration profile.
6.4 No sale; no advertising. We do not sell, rent, or trade personal data, and we do not use Content for advertising or to build advertising profiles (ToS §7.3).
7. How We Disclose Personal Data
We disclose personal data only:
- To subprocessors who process data on our behalf (AI processing, cloud hosting, payment processing, email, error monitoring), under contracts requiring protections consistent with this Policy and the ToS;
- At your direction, including to any LMS or system you connect (ToS §10);
- For legal reasons, where required by law or to protect rights, safety, or the security of the Service, giving notice where lawful and practicable;
- In a business transfer (merger, acquisition, or sale of assets), subject to this Policy continuing to apply to the transferred data.
A current list of subprocessors is available at LumoGrade.app/subprocessors.
8. Data Location and International Transfers
8.1 The Service is hosted in the United States. If you are located outside the United States, your data will be transferred to and processed there.
8.2 Cross-border transfers of personal data are made only on a lawful basis under applicable law.
9. Children's Data
9.1 The self-serve Service is intended for educators, not for direct use by children, and is not designed to collect personal information directly from children.
9.2 Where the Service is used to process data about students under the applicable minimum age, this occurs only as Content you upload, for which you are responsible for obtaining the consents and authorizations required by COPPA and other applicable US law (ToS §6.5). We act as a processor for such Content.
10. Data Retention and Deletion
10.1 We retain personal data for as long as your account is active and as needed to provide the Service.
10.2 On your request, or after termination, we delete or return Content within 30 days, except where retention is required by law (ToS §11.4).
10.3 We use encryption-key-based deletion (“crypto-shredding”) so that deletion renders data unreadable across live and backup copies within our backup-rotation cycle.
10.4 You can export your data through the Service before deletion.
11. Security
11.1 We implement administrative, technical, and physical safeguards including: encryption in transit and at rest; role-based access controls; logical separation so users cannot access others' submissions, rubrics, or non-designated content; audit logging; vulnerability management; and confidentiality obligations on personnel and subprocessors.
11.2 No system is perfectly secure, and we do not guarantee absolute security (ToS §11.3).
11.3 We will notify affected users of confirmed security incidents affecting their personal data without undue delay and, where applicable, within the timeframe required by law or contract (ToS §11.5).
12. Cookies and Similar Technologies
12.1 We use cookies and similar technologies that are strictly necessary for the Service (e.g., authentication via httpOnly session cookies). We do not use cookies for advertising, and we do not currently set non-essential analytics or performance cookies.
12.2 Because we currently set only strictly necessary cookies, there is no separate cookie banner; you can manage or clear cookies through your browser settings.
13. Your Privacy Rights
13.1 General
Depending on your location and role, you may have rights to access, correct, delete, restrict, or object to processing of personal data about you, to data portability, and to withdraw consent. To exercise rights, contact us at privacy@lumo-solutions.com. We may need to verify your identity.
13.2 United States
- FERPA: FERPA rights belong to parents and eligible students and are exercised through the educational institution, not directly through us. Where we hold Content on your or your institution's behalf, we will provide access or copies to enable the institution to respond to such requests.
- State privacy laws: Depending on your state, you may have rights under laws such as the CCPA/CPRA, including the right to know, delete, correct, and opt out of “sale”/“sharing.” We do not sell personal data.
14. Changes to This Policy
We may update this Policy. For material changes we will provide reasonable notice (e.g., by email or in-product) and update the effective date. Continued use after the effective date constitutes acceptance, except where applicable law requires affirmative consent (consistent with ToS §18).
15. Contact Us
Lumo Solutions LLC
Privacy inquiries: privacy@lumo-solutions.com
Postal address: c/o Harvard Business Services, Inc., 16192 Coastal Highway, Lewes, Delaware 19958