Privacy Policy

This policy explains what personal information LumixSys collects, why we collect it, and what choices you have. It is written in plain language because we believe legal language should be readable.

1. Overview

This Privacy Policy describes how LumixSys, Inc. (collectively, 'LumixSys', 'we', 'us') handles personal information when you visit our website, attend an event we host, communicate with our team, or use the SpectraShield platform.

We operate as a data processor for personal information that flows through our platform on behalf of our enterprise customers ('Customer Data'). We operate as a data controller for personal information collected directly through our website, marketing, sales, hiring, and support interactions ('Lumix Data'). This policy primarily addresses Lumix Data; Customer Data is governed by the Data Processing Addendum signed with each customer.

2. The data we collect

We collect only what we need. We do not buy or rent personal information.

  • Identity & contact data: full name, work email, business address, business telephone, role.
  • Account data: authentication credentials, API tokens, customer-defined administrator permissions.
  • Usage data: pages visited, features used, errors encountered, performance metrics. Collected with strict pseudonymization.
  • Communications: email correspondence, support tickets, scheduled call notes, recorded webinars (with consent).
  • Recruitment: CVs, application responses, interview notes, references. Processed on the legal basis of legitimate interest and your consent.

3. Why we use it

We use personal information for specific and limited purposes: (i) delivering and improving the SpectraShield platform, (ii) responding to inquiries, (iii) administering accounts and security, (iv) marketing relevant content with consent, (v) complying with legal obligations.

We do not engage in automated decision-making with legal or similarly significant effects under GDPR Article 22. ARIA decisions occur on Customer Data and are governed by your DPA.

5. Who we share it with

We share personal information with the sub-processors listed in our Trust Center, and with our parent and affiliate entities. We do not sell personal information. We do not share personal information with advertising networks.

We will disclose information to law enforcement only when legally compelled by valid process, and we publish a transparency report each calendar year.

6. International transfers

Personal information may be processed in the United States, the European Union, the United Kingdom, and Singapore. EEA/UK transfers rely on the European Commission Standard Contractual Clauses and the UK International Data Transfer Addendum. Where possible, we keep personal data in your jurisdiction.

7. How long we keep it

  • Marketing and contact data: until you withdraw consent or 24 months after last activity.
  • Account data: for the term of the contract and 90 days after termination.
  • Recruitment data: 12 months after a decision, unless you opt to be retained longer.
  • Audit & financial records: 7 years (US) / 10 years (EU) per applicable law.

8. Your rights

Depending on your jurisdiction, you may have the right to access, rectify, erase, port, restrict, or object to the processing of your personal information.

You can exercise any of these rights by emailing privacy@lumixsys.com. We respond within 30 days. We never charge for routine requests.

9. Security

We secure personal information using hybrid Kyber-1024 mTLS, hardware-attested workloads, continuous policy enforcement, and signed audit trails. Our internal controls are evidenced under SOC 2 Type II and ISO 27001:2022.

If you believe a vulnerability affects our service, please report it via the responsible disclosure process at /security.

10. Children

The SpectraShield platform and our website are intended for business use. We do not knowingly collect personal information from anyone under 16.

11. Changes to this policy

We will publish material changes 30 days before they take effect. We will not retroactively alter your prior consent without your express agreement.

12. How to reach us

Email privacy@lumixsys.com. Postal mail: LumixSys, Inc., 75 State Street, Floor 24, Boston, MA 02109. EU representative: LumixSys EU, 11 Old Jewry, London EC2R 8DU.

This document was last reviewed by our Legal & Trust team on May 1, 2026. For a previous version, write to privacy@lumixsys.com or see our Trust Center.