Privacy Policy

Qaipa Privacy Policy

Effective Date: 1 January 2026

---

Introduction

This Privacy Policy explains how Lumman Ltd ("Lumman," "we," "us," or "our") collects, uses, shares, and protects personal data when you use Qaipa, our AI-powered telephone calling service.

We are committed to protecting your privacy and processing personal data in accordance with:

• The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018
• The EU General Data Protection Regulation (EU GDPR)
• The California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA)
• Other applicable US state privacy laws
• Other applicable data protection laws worldwide

Please read this Privacy Policy carefully. By using Qaipa, you acknowledge that you have read and understood this Policy.

Regional Terms: Depending on your location, additional terms in Section 13 (United States), Section 14 (European Union), or Section 15 (United Kingdom) may apply. In case of conflict, regional terms prevail for users in that region.

---

1. Data Controller and Representatives

1.1 Data Controller

The data controller responsible for your personal data is:

Lumman Ltd
Company Registration Number: 15425759
Registered Office: 86-90 Paul Street, London, Greater London, England, EC2A 4NE, United Kingdom
Email: in@lumman.ai

1.2 EU Representative (Article 27 GDPR)

If you are located in the European Union or European Economic Area and require contact with an EU-based representative, please contact us at in@lumman.ai. We will provide EU representative details upon request or when we establish formal EU operations.

1.3 UK Representative

Lumman Ltd is established in the United Kingdom and serves as the primary contact for UK data protection matters.

Email: in@lumman.ai

1.4 Data Protection Officer

For data protection enquiries, contact our Data Protection team:

Email: in@lumman.ai
Post: Data Protection, Lumman Ltd, 86-90 Paul Street, London, Greater London, England, EC2A 4NE, United Kingdom

---

2. Personal Data We Collect

We collect personal data in several ways when you use Qaipa.

2.1 Information You Provide Directly

2.2 Information Generated Through the Service

2.3 Information Collected Automatically

2.4 Special Category Data

Voice Data: Call recordings contain voice data. While voice data can constitute biometric data in certain contexts, we do not process voice recordings to uniquely identify individuals through voice recognition. We process voice data solely to provide the Service (transcription, summaries) and for quality assurance purposes.

Sensitive Information in Calls: You control what information is discussed during calls made on your behalf. We advise caution when instructing our AI to discuss or obtain special category data (health information, religious beliefs, political opinions, etc.) and recommend you do so only when strictly necessary for your calling task.

2.5 Call Recipient Data (Third-Party Data)

---

3. How We Use Your Personal Data

We process your personal data for the following purposes and legal bases:

3.1 Contract Performance (Article 6(1)(b) UK/EU GDPR)

3.2 Legitimate Interests (Article 6(1)(f) UK/EU GDPR)

Balancing Test: We conduct legitimate interest assessments for each purpose and have determined that our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting in@lumman.ai.

Right to Object: You have the right to object to processing based on legitimate interests. See Section 8 (Your Rights).

3.3 Legal Obligations (Article 6(1)(c) UK/EU GDPR)

3.4 Consent (Article 6(1)(a) UK/EU GDPR)

You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. See Section 8 (Your Rights).

3.5 Legal Bases for US Users

For users in the United States, we process personal information as necessary to:

• Provide the services you requested (contractual necessity)
• Comply with legal obligations
• Protect legitimate business interests
• With your consent where required

See Section 13 for additional US-specific information.

---

4. Data Sharing and Disclosure

4.1 Overview

We share personal data only as described in this Privacy Policy. We do not sell your personal data. We do not share personal data for third-party marketing purposes.

4.2 Categories of Recipients

4.3 Legal Disclosures

We may disclose personal data when we believe in good faith that disclosure is necessary to:

• Comply with applicable law, regulation, or legal process
• Respond to lawful requests from public authorities (including law enforcement and national security)
• Protect the rights, property, or safety of Lumman Ltd, our users, or the public
• Enforce our Terms of Service
• Detect, prevent, or address fraud, security, or technical issues

Where legally permitted, we will notify you of such requests.

4.4 Business Transfers

If Lumman Ltd is involved in a merger, acquisition, reorganisation, bankruptcy, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website of any change in ownership and your choices regarding your personal data.

---

5. Our Data Processors (Sub-Processors)

We use carefully selected third-party service providers who process personal data on our behalf. These processors are contractually bound to process data only on our instructions and in compliance with applicable data protection laws.

5.1 Voice AI and Telephony

5.2 AI Language Processing

5.3 Data Storage and Infrastructure

5.4 Payment Processing

5.5 Communications

5.6 AI Training (Optional)

Default Setting: We do not use your call recordings, transcriptions, or personal data to train AI models.

Optional Contribution: You may choose to allow anonymised, aggregated insights from your calls to be used for improving our AI systems. This is:

• Entirely optional (explicit opt-in required)
• Configurable in your account privacy settings
• Reversible at any time (for future data)
• Subject to robust anonymisation before any use

If you opt in:

• We implement technical measures to remove or mask personally identifiable information
• Anonymised data may be retained for up to 3 years for training purposes
• You can withdraw consent at any time; we will cease using your data for training prospectively

5.7 Data Flow Overview

When you use Qaipa, your data flows through the following stages:

1. Your Input → Qaipa You provide task descriptions, phone numbers, and instructions to Qaipa.

2. Qaipa (Data Controller) Lumman Ltd, based in the United Kingdom, acts as the Data Controller and processes your request.

3. Qaipa → Sub-Processors To deliver the Service, we share specific data with our sub-processors:

4. Transfer Safeguards All international data transfers are protected by:

• EU Standard Contractual Clauses (SCCs)
• UK International Data Transfer Addendum (IDTA)
• Supplementary security measures
• Completed Transfer Impact Assessments

5.8 Sub-Processor Changes

We will update this Privacy Policy when we add or change sub-processors. For material changes (new categories of data processing or new geographic locations), we will provide notice as described in Section 16.

---

6. International Data Transfers

6.1 Transfer Locations

Your personal data may be transferred to, stored, and processed in countries outside your country of residence, primarily:

• United States — where our key service providers (AI, telephony, infrastructure) are located
• European Union — where we may host data for EU users
• United Kingdom — where Lumman Ltd is established

6.2 Transfer Safeguards

When we transfer personal data outside the UK or EEA to countries not deemed to provide adequate protection, we implement appropriate safeguards:

Standard Contractual Clauses (SCCs):

• For EU transfers: EU Commission SCCs (Decision 2021/914)
• For UK transfers: UK International Data Transfer Addendum (IDTA) to the EU SCCs

Supplementary Measures: In addition to SCCs/IDTA, we implement:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Pseudonymisation where feasible
• Strict access controls and authentication
• Contractual restrictions on sub-processor data use
• Security certifications requirements (SOC 2, ISO 27001)
• Data minimisation practices

Transfer Impact Assessments (TIAs): We have conducted TIAs for transfers to the United States, assessing:

• The specific data categories transferred
• The legal framework in the destination country (including FISA 702, EO 12333)
• The contractual, technical, and organisational safeguards in place
• The practical likelihood of government access
• The supplementary measures that mitigate identified risks

Our TIAs conclude that, with the safeguards in place, the transfers provide essentially equivalent protection to that guaranteed within the UK/EEA.

6.3 US Data Privacy Framework

Some of our US-based processors may be certified under the EU-US Data Privacy Framework and/or UK Extension. Where applicable, this provides an additional basis for transfers.

6.4 Your Transfer Rights

You have the right to:

• Request information about international transfers and safeguards
• Obtain a copy of the SCCs/IDTA upon request
• Lodge a complaint with your supervisory authority regarding transfers

---

7. Data Retention

7.1 Retention Periods

We retain personal data only as long as necessary for the purposes collected:

7.2 Call Recipient Data Retention

Data relating to call recipients (third parties) is retained as follows:

• Call Recordings: 90 days
• Transcriptions: Duration of User's account + 1 year
• Call Metadata: Duration of User's account + 6 years

Users (as Data Controllers for recipient data) may request earlier deletion subject to our legal retention obligations.

7.3 Criteria for Retention

Where specific periods are not listed, we determine retention based on:

• The purpose for which data was collected
• Legal, regulatory, and contractual requirements
• Limitation periods for potential claims
• Industry standards and best practices

7.4 Deletion and Anonymisation

When retention periods expire or upon valid deletion request:

• Personal data is deleted or irreversibly anonymised within 30 days
• We instruct sub-processors to delete their copies
• Data required for legal compliance may be archived with restricted access
• Backup copies may persist up to 30 additional days due to technical backup cycles

---

8. Your Rights

You have rights regarding your personal data under applicable data protection laws. The specific rights and how to exercise them depend on your location.

8.1 Rights Under UK and EU GDPR

If you are in the UK, EU, or EEA, you have the following rights:

Right of Access (Article 15) You can request a copy of your personal data and information about how we process it.

Right to Rectification (Article 16) You can request correction of inaccurate data or completion of incomplete data.

Right to Erasure / "Right to Be Forgotten" (Article 17) You can request deletion of your data in certain circumstances:

• Data is no longer necessary for its original purpose
• You withdraw consent (where consent was the legal basis)
• You object and there are no overriding legitimate grounds
• Data was unlawfully processed
• Deletion is required by law

Right to Restriction (Article 18) You can request we restrict processing while:

• We verify accuracy of contested data
• You need data for legal claims but don't want it deleted
• You have objected, pending verification of our legitimate grounds

Right to Data Portability (Article 20) You can request your data in a structured, commonly used, machine-readable format (JSON, CSV) and have it transmitted to another controller where:

• Processing is based on consent or contract, and
• Processing is automated

Right to Object (Article 21)

• Legitimate Interests: You can object to processing based on legitimate interests; we will stop unless we demonstrate compelling grounds
• Direct Marketing: You can object to marketing at any time; we will stop immediately

Rights Related to Automated Decision-Making (Article 22) You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not make such decisions—our AI assists with calls, but you control objectives and review outcomes.

Right to Withdraw Consent Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

8.2 Rights Under US State Privacy Laws

If you are a US resident, you may have additional rights depending on your state. See Section 13 for details on rights under CCPA/CPRA and other state laws.

8.3 How to Exercise Your Rights

Self-Service:

• Access and export data: Account Settings → Privacy → Download My Data
• Delete account: Account Settings → Delete Account
• Marketing preferences: Account Settings → Communication Preferences, or unsubscribe links in emails

Contact Us:

• Email: in@lumman.ai
• Subject Line: Include "Data Subject Request" and the right you wish to exercise
• Information Needed: Your name, account email, specific request, and any details to help locate your data

8.4 Response Timeline

• UK/EU: We will respond within one month. For complex or numerous requests, we may extend by up to two additional months (we will inform you).
• US (California): We will respond within 45 days, with possible 45-day extension for complex requests.

8.5 Verification

We may need to verify your identity before fulfilling requests to protect your data from unauthorised access. We may request additional information to confirm your identity.

8.6 Fees

Requests are generally free. We may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests, or requests for additional copies.

8.7 Complaints

If you are unsatisfied with our response:

UK: Information Commissioner's Office (ICO)
Website: https://ico.org.uk | Helpline: 0303 123 1113

EU: Your local data protection supervisory authority. Find yours at:
https://edpb.europa.eu/about-edpb/about-edpb/members_en

US: See Section 13 for state-specific complaint procedures.

---

9. Data Security

9.1 Technical Measures

We implement appropriate technical measures to protect your personal data:

9.2 Organisational Measures

9.3 Certifications and Compliance

• Our primary infrastructure provider (Supabase) maintains SOC 2 Type II certification
• Our payment processor (Stripe) is PCI DSS Level 1 certified
• We conduct regular security assessments and penetration testing

9.4 Breach Notification

In the event of a personal data breach posing a risk to your rights:

We maintain breach documentation and remediation records.

9.5 Your Security Responsibilities

You are responsible for:

• Maintaining confidentiality of your account credentials
• Using strong, unique passwords
• Enabling two-factor authentication
• Keeping your email address current
• Notifying us immediately of suspected unauthorised access
• Ensuring security of devices used to access Qaipa

---

10. Cookies and Similar Technologies

10.1 What We Use

We use cookies and similar technologies (local storage, pixels) to operate our Service, remember preferences, and understand usage.

10.2 Types of Cookies

10.3 Specific Cookies

10.4 Your Cookie Choices

• Cookie Banner: On first visit, you can accept all, reject non-essential, or customise preferences
• Cookie Settings: Access anytime via footer link "Cookie Settings"
• Browser Settings: Configure your browser to block or delete cookies (may affect functionality)
• Do Not Track: We honour Do Not Track browser signals for analytics cookies

10.5 More Information

For detailed information, see our [Cookie Policy] (link).

---

11. Children's Privacy

Qaipa is not intended for use by anyone under 18 years of age (or the age of majority in their jurisdiction if higher). We do not knowingly collect personal data from children.

If we learn we have collected personal data from a child without appropriate consent, we will take steps to delete that information promptly.

If you believe we have collected data from a child, please contact us at in@lumman.ai.

---

12. Third-Party Links and Services

Our Service may contain links to third-party websites, applications, or services not operated by us. We are not responsible for the privacy practices of these third parties.

We encourage you to review the privacy policies of any third-party services before providing personal data.

Links to third parties do not imply endorsement.

---

13. Additional Information for United States Residents

This Section 13 applies if you are a resident of the United States. It supplements the information in this Privacy Policy and provides additional disclosures required by US state privacy laws.

13.1 Categories of Personal Information

Under US state privacy laws, here are the categories of personal information we collect:

13.2 Sources of Personal Information

We collect personal information from:

• You directly (registration, call tasks, communications)
• Automatically (cookies, logs, device information)
• Service providers (payment confirmation, fraud signals)

13.3 Purposes for Collection and Use

We collect and use personal information for the business purposes described in Section 3, including:

• Providing the Service
• Processing transactions
• Customer support
• Security and fraud prevention
• Analytics and improvement
• Legal compliance
• Marketing (with consent)

13.4 Sale and Sharing of Personal Information

We do not sell your personal information as defined by CCPA/CPRA and other state laws.

We do not share your personal information for cross-context behavioural advertising.

13.5 Retention

We retain personal information as described in Section 7. We do not retain information longer than reasonably necessary for the disclosed purposes.

13.6 Your Rights Under US State Privacy Laws

Depending on your state of residence, you may have the following rights:

Legend: CA = California, VA = Virginia, CO = Colorado, CT = Connecticut, UT = Utah

13.7 How to Exercise Your Rights (US)

Submit a Request:

• Email: in@lumman.ai (subject: "US Privacy Rights Request")
• Online: Account Settings → Privacy → Submit Rights Request

What to Include:

• Your state of residence
• The right(s) you wish to exercise
• Information to verify your identity (name, email, account information)

Authorised Agents: You may designate an authorised agent to submit requests on your behalf. We may require:

• Signed authorisation from you
• Verification of the agent's identity
• Direct verification of your identity

13.8 Verification

We will verify your identity before fulfilling requests by matching information you provide against information we have on file. For access to specific pieces of information, we may require additional verification.

13.9 Response Timing

• California: 45 days (may extend by additional 45 days)
• Other States: Generally 45 days (varies by state)

We will inform you if we need additional time.

13.10 Non-Discrimination

We will not discriminate against you for exercising your privacy rights. We will not:

• Deny goods or services
• Charge different prices
• Provide different quality of service
• Suggest you will receive different treatment

13.11 Appeals (Virginia, Colorado, Connecticut)

If we deny your request, you may appeal by:

• Email: in@lumman.ai (subject: "Privacy Rights Appeal")
• Include your original request and the reason for appeal

We will respond to appeals within 60 days. If we deny your appeal, we will provide information on how to contact your state attorney general.

13.12 California-Specific Disclosures

Shine the Light (California Civil Code § 1798.83): We do not disclose personal information to third parties for their direct marketing purposes.

Do Not Track: We honour Do Not Track browser signals.

Financial Incentives: We do not offer financial incentives for the collection of personal information.

Sensitive Personal Information: We collect account credentials (a category of sensitive personal information under CPRA) solely to provide the Service. We do not use sensitive personal information for purposes other than those permitted by CPRA.

13.13 Contact for US Privacy Matters

Email: in@lumman.ai
Post: Lumman Ltd, ATTN: US Privacy, 86-90 Paul Street, London, Greater London, England, EC2A 4NE, United Kingdom

---

14. Additional Information for European Union Residents

This Section 14 applies if you are located in the European Union or European Economic Area.

14.1 Legal Bases Summary (EU)

14.2 Your EU GDPR Rights

You have all rights described in Section 8.1, including access, rectification, erasure, restriction, portability, objection, and rights regarding automated decision-making.

14.3 EU Representative

For GDPR-related enquiries from EU/EEA users, please contact us at in@lumman.ai. Formal EU representative arrangements will be communicated as our EU operations develop.

14.4 Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority. Find your authority:
https://edpb.europa.eu/about-edpb/about-edpb/members_en

14.5 Cross-Border Processing

We primarily process data in the United Kingdom. For cross-border processing involving EU residents, the UK Information Commissioner's Office (ICO) acts as lead supervisory authority under the UK-EU data sharing arrangements.

---

15. Additional Information for United Kingdom Residents

This Section 15 applies if you are located in the United Kingdom.

15.1 UK GDPR and Data Protection Act 2018

Your personal data is processed in accordance with the UK GDPR and Data Protection Act 2018. The legal bases for processing are as described in Section 3 and summarised in Section 14.1.

15.2 Your UK GDPR Rights

You have all rights described in Section 8.1. These are your statutory rights under UK data protection law.

15.3 Contact

For UK data protection matters:

Lumman Ltd
86-90 Paul Street, London, Greater London, England, EC2A 4NE, United Kingdom
Email: in@lumman.ai

15.4 Information Commissioner's Office (ICO)

You have the right to lodge a complaint with the ICO:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
United Kingdom

Website: https://ico.org.uk
Helpline: 0303 123 1113

15.5 ICO Registration

Lumman Ltd is registered with the ICO. Registration details will be published upon completion of registration.

---

16. Changes to This Privacy Policy

16.1 Updates

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors.

16.2 Notification of Changes

Material Changes: We will notify you by:

• Email to your registered address (at least 30 days before the effective date)
• Prominent notice within the Service
• Posting the updated policy with a new "Last Updated" date

Non-Material Changes: Updated policy posted on our website.

16.3 Effective Date

Material changes take effect 30 days after notice unless:

• A longer period is required by law
• Immediate implementation is required for legal compliance or security

16.4 Your Choices

If you disagree with changes, you may delete your account before the changes take effect. Continued use after the effective date constitutes acknowledgment of the updated policy.

---

17. Contact Us

17.1 General Privacy Enquiries

Email: in@lumman.ai
Post: Data Protection, Lumman Ltd, 86-90 Paul Street, London, Greater London, England, EC2A 4NE, United Kingdom

17.2 Regional Contacts

17.3 Response Time

We aim to respond to all enquiries within 5 business days. Formal data subject requests are handled per the timelines in Section 8.4.

---

Appendix: Sub-Processor List

Current as of: 1 January 2026

We maintain Data Processing Agreements (DPAs) with all sub-processors.

---

This Privacy Policy is effective as of 1 January 2026.

© 2026 Lumman Ltd. All rights reserved.