Privacy, Data Protection, Security & Compliance Policy

← Back to ARIA

Document Title	ARIA: Privacy, Data Protection, Security & Compliance Policy
Data Controller	Luminant Works Global Limited
UK Registered Office	College House, 17 King Edwards Rd., Ruislip, London HA4 7AE, United Kingdom
India Operations	A-Block, 4th Floor, Prince Info Park, Chennai 600058, India
Privacy Contact	privacy@luminantglobal.com
ARIA URL	aria.luminantglobal.com
Effective Date	1 March 2026
Version	2.0
Companion Document	ARIA: Terms & Conditions of Use v2.0

Our Commitment to You: Luminant Works Global Limited takes your privacy and data security seriously. We are a small, specialist consultancy. We do not have the scale of a large enterprise, but we are equally bound by UK and EU GDPR, US state privacy laws, and applicable cybersecurity regulations; and we hold ourselves to those standards honestly and completely. This Policy explains what data we collect, why we collect it, how we protect it, your rights over it, and how we comply with our legal obligations. We will always tell you the truth about what we can and cannot do.

1. Who We Are and Scope of This Policy

This Privacy, Data Protection, Security & Compliance Policy ('Policy') explains how Luminant Works Global Limited ('Luminant', 'we', 'us', 'our') collects, uses, protects, and shares personal data in connection with ARIA, our AI-powered assistant.

This Policy applies to:

All users who access ARIA directly, whether on a free or paid plan;
Enterprise customers whose staff or clients use ARIA under a business subscription;
Visitors to our associated websites and portals; and
Any individual whose personal data is processed through ARIA in connection with its operation.

For individual users who sign up directly: Luminant is the data controller for account, session, and analytics data. For enterprise customers using ARIA for their staff or client data: Luminant typically acts as a data processor, processing personal data on the customer's documented instructions. In this case, the customer's own privacy policy will primarily govern their end users' rights, supplemented by the terms of our Data Processing Addendum.

Data Protection Officer (DPO): Luminant Works Global Limited has not appointed a Data Protection Officer as we do not meet the mandatory threshold under UK GDPR Article 37. We are neither a public authority nor an organisation that carries out large-scale systematic monitoring of individuals or large-scale processing of special-category data as a core activity. Our designated Privacy Contact (privacy@luminantglobal.com) handles equivalent data protection responsibilities, including responding to regulatory queries, managing data subject rights requests, overseeing our compliance programme, and acting as the point of contact for the ICO. We will keep this position under review and appoint a DPO if our processing activities change to meet the mandatory threshold.

2. Data We Collect

2.1 Data You Provide Directly

When you use ARIA, you may provide:

Account data: your name and work email address;
Conversation data: the prompts, questions, instructions, and text you enter into ARIA during a session;
Uploaded content: documents or text you voluntarily upload to inform a query; and
Feedback data: ratings, comments, or support queries you submit about ARIA responses.

2.2 Data Collected Automatically

When you use ARIA, we automatically collect:

Session data: your IP address, browser type, device type, operating system, timestamps, and session duration;
Usage data: features accessed, query volumes, feature interaction patterns, and error logs, used solely for service operation and improvement; and
Cookies and similar technologies: as described in Section 9.

2.3 Data We Intentionally Do Not Collect

We do not:

Request or store payment card details (these are handled by third-party payment processors where applicable);
Intentionally collect special-category or sensitive personal data, including health data, biometric identifiers, precise location data, political opinions, religious beliefs, sexual orientation, or criminal records;
Intentionally collect personal data from children under 16;
Harvest data from your Salesforce org, CRM, or connected systems without your explicit action;
Track your activity outside ARIA for advertising or profiling purposes; or
Sell your personal data to any third party.

Your Responsibility: You should not submit third-party personally identifiable information, special-category data, or confidential client data into ARIA unless you have explicit authority, a lawful basis, and appropriate consents from those individuals. Luminant cannot be responsible for data you submit without appropriate authority.

3. Purposes and Legal Bases for Processing

We process personal data only for the following purposes, each supported by a lawful basis under UK/EU GDPR:

Purpose	Lawful Basis	Details
Providing the ARIA service	Contract necessity	Processing your prompts, generating AI responses, managing your session, authenticating your account.
Account management & support	Contract necessity	Creating and managing your account, responding to support queries, troubleshooting technical issues.
Service improvement & analytics	Legitimate interests	Analysing anonymised or aggregated usage patterns to improve ARIA performance, reliability, and features. We balance this against your interests and rights.
Security & fraud prevention	Legitimate interests / Legal obligation	Monitoring for abuse, security incidents, misuse, and suspicious activity. Implementing security controls.
Legal compliance	Legal obligation	Fulfilling our obligations under GDPR, applicable US state privacy laws, and other regulations. Responding to lawful requests from authorities.
Optional marketing	Consent	Sending product updates, newsletters, or event invitations, only where you have opted in. You can withdraw consent at any time.

We do not use your prompts, uploaded content, or conversation data to train our AI models.

4. AI Architecture and Third-Party Model Processing

4.1 Core Data Protection Principles in ARIA's AI Design

ARIA's AI architecture has been designed with data minimisation and user privacy as foundational requirements:

Zero training on your data: your prompts and outputs are not used to train our AI models;
Data minimisation: only the data you actively input is processed to deliver the service; and
Prompt and data isolation: conversations and data are isolated per user; no cross-user data contamination.

4.2 Third-Party AI Sub-Processors

ARIA uses one or more third-party large language model (LLM) providers as sub-processors to generate AI responses. These providers are selected with care and bound by contractual obligations to:

Use your data solely to provide the service to Luminant, and for no other purpose;
Not use your prompts, inputs, or outputs to train or fine-tune our AI models;
Delete or minimise retention of personal data after generating responses;
Apply appropriate encryption in transit and at rest;
Support GDPR-compliant international transfer mechanisms (for example, Standard Contractual Clauses, Data Privacy Framework); and
Notify Luminant promptly of any personal data breach involving data processed on our behalf.

A current list of AI and infrastructure sub-processors is published on our website and also available on request at privacy@luminantglobal.com. For enterprise customers it is additionally available via our Data Processing Addendum or trust documentation. We update the published list whenever a sub-processor is added or removed.

4.3 Automated Decision-Making

ARIA does not make autonomous decisions about individuals that produce legal or similarly significant effects. All consequential decisions remain with the human user. ARIA is explicitly advisory in nature; it provides information, analysis, and recommendations that must be subject to human review before being acted upon.

Where ARIA's features evolve to include any form of automated profiling or decision-making that could have significant effects, we will update this Policy, implement appropriate safeguards, and provide users with the right to contest such decisions and request human review.

4.4 Responsible AI Principles

Luminant is committed to responsible AI development and deployment. Our principles include:

Human oversight: all consequential decisions remain with the user; ARIA never operates autonomously on matters of significance.
Accuracy and honesty: we do not warrant outputs as factually correct and actively encourage verification; ARIA will acknowledge uncertainty.
Non-manipulation: ARIA will not use dark patterns, psychological manipulation, or deceptive design to influence user behaviour; and
AI ethics monitoring: we monitor ARIA's outputs for bias, harm, and compliance with applicable AI regulations.

5. Data Retention

We apply specific retention periods to each category of data, balancing operational necessity, legal obligation, and data minimisation. You may request deletion of your personal data at any time (see Section 6).

Data Category	Retention Period	Basis / Notes
Account data (name, email, profile)	Account life + up to 12 months^†	Retained to manage your account and handle post-closure queries. Then deleted or anonymised unless law requires longer retention.
Conversation & session data	Up to 30 days from session end^†	Retained for support, troubleshooting, and abuse detection. Not used for AI training. Deleted after 30 days.
Uploaded content	Deleted at session end	Unless explicitly saved to a workspace or project feature by you. Not retained beyond session.
Usage & analytics data	Anonymised within 90 days^†	Aggregated, anonymised statistics retained for up to 3 years for service planning and improvement.
Security & audit logs	Up to 12 months^†	Retained to investigate security incidents and support regulatory compliance. Restricted access.
Marketing consent records	Consent withdrawal + 1 year	Retained as evidence of consent to comply with GDPR accountability obligations.
Backups	Rolling 30-day encrypted backups^†	After 30 days, backup data is purged. Backups are encrypted at AES-256 equivalent.
Enterprise customer data (as processor)	Per agreed DPA terms	Aligned to the customer's documented retention instructions. Deleted or returned on contract termination.

Transparency: Data Lifecycle Roadmap
Items marked † in the table above describe retention commitments that are currently managed through manual operational processes. Automated enforcement, including scheduled purge jobs, anonymisation pipelines, and backup rotation verification, is planned for our next release cycle. Until automation is live, Luminant's data team reviews and applies these retention periods on a periodic basis. We believe in being honest about where we are. If you have questions about how your data is retained today, please contact privacy@luminantglobal.com.

6. Your Rights Under UK/EU GDPR

If you are in the United Kingdom or European Economic Area, you have the following rights under applicable data protection law. We will respond to verified rights requests within one calendar month of receipt (extendable by up to two months for complex requests, with notification).

Right	What It Means for You
Right of Access (Subject Access)	Request a copy of the personal data we hold about you, together with information about how we use it.
Right to Rectification	Request correction of inaccurate or incomplete personal data we hold about you.
Right to Erasure ('Right to be Forgotten')	Request deletion of your personal data where we no longer have a legal basis for processing it, subject to applicable legal retention obligations.
Right to Restriction of Processing	Request that we pause or restrict our processing of your data in certain circumstances; for example, while accuracy is contested.
Right to Data Portability	Receive account-related personal data in a structured, commonly used, machine-readable format (for example, CSV or JSON) where processing is based on consent or contract and carried out by automated means.
Right to Object	Object to processing of your personal data based on our legitimate interests, including profiling for direct marketing purposes.
Right to Withdraw Consent	Where processing is based on your consent (for example, marketing), withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
Rights Related to Automated Decision-Making	Not to be subject to solely automated decisions that produce legal or similarly significant effects. As noted above, ARIA does not currently make such decisions.
Right to Lodge a Complaint	Lodge a complaint with the UK Information Commissioner's Office (ICO) or your local supervisory authority if you believe we have mishandled your data.

To exercise any of these rights, contact: privacy@luminantglobal.com. We may need to verify your identity before processing a request. We will not charge a fee for reasonable requests.

7. US State Data Privacy Compliance

7.1 Our Approach to US Privacy

As of March 2026, over twenty US states have enacted comprehensive consumer privacy laws. Luminant Works Global operates as a small business and may fall below the formal thresholds of some state laws. Regardless, we voluntarily honour a consistent set of privacy rights for all US users, reflecting the spirit of these laws.

7.2 Rights We Honour for US Residents

Right	What It Means for You
Right to Know / Access	Request details of what personal data we hold about you, how we collected it, and how we use it.
Right to Delete	Request deletion of your personal data, subject to legal exceptions (for example, fraud prevention, legal compliance).
Right to Correct	Request correction of inaccurate personal data we hold about you.
Right to Data Portability	Receive a portable copy of your personal data in a commonly used format.
Right to Opt Out of Sale	We do not sell personal data. No opt-out action is required, but the right exists.
Right to Opt Out of Sharing for Targeted Advertising	We do not share personal data for cross-context behavioural advertising. No opt-out action is required.
Right to Opt Out of Profiling	ARIA does not perform automated profiling that produces legal or similarly significant effects. We do not use your data to build advertising profiles.
Right to Non-Discrimination	You will not receive worse service, higher prices, or reduced functionality for exercising your privacy rights.
Global Privacy Control (GPC)	We honour supported browser-based GPC signals as an opt-out of data sharing for advertising where technically applicable and legally required.

7.3 California-Specific Provisions (CCPA / CPRA)

California residents have the most comprehensive US privacy protections under CCPA and CPRA. Key California-specific provisions:

Do Not Sell or Share: We do not sell or share personal information for targeted advertising. No opt-out action is required.
Sensitive Personal Information: We do not collect California-defined sensitive personal information (government IDs, precise geolocation, financial account credentials, communications content, racial/ethnic origin, religious beliefs, sexual orientation, or biometric data) in the ordinary course of providing ARIA.
Automated Decision-Making Technology (ADMT): ARIA's outputs are advisory. We will comply with CPRA ADMT requirements (including opt-out rights) should any ADMT deployment meet the regulatory threshold.
Annual Cybersecurity Audit: California's CPRA regulations require annual cybersecurity audits for covered businesses. While Luminant may currently fall below the formal threshold, we conduct regular internal security reviews and are building towards formal audit compliance.
Shine the Light: California residents may request information about third-party direct marketing disclosures. We make no such disclosures.
Minors: We do not knowingly sell or share personal data of minors.

7.4 Texas, Virginia, Colorado, and Other State Laws

The Texas Data Privacy and Security Act (TDPSA, effective July 2024), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and laws in Connecticut, Oregon, Montana, and other states follow a similar structure. Luminant applies the rights listed in Section 7.2 to all US residents, regardless of which specific state law technically applies. We monitor state law developments and will update this Policy as our scale and obligations evolve.

7.5 How to Submit a US Privacy Rights Request

Email: privacy@luminantglobal.com with the subject line 'US Privacy Rights Request'. Please include your full name, email address, state of residence, and the specific right you wish to exercise. We will respond within the applicable statutory timeframe (typically 45 to 60 days, with one 45-day extension where permitted).

8. International Data Transfers

Luminant operates across the United Kingdom, India, the United States, Malaysia, and Singapore. ARIA's infrastructure involves processing in multiple jurisdictions. Where we transfer personal data outside the UK or EEA, we use appropriate legal safeguards, including:

EU Standard Contractual Clauses (SCCs): the standard contractual mechanisms approved by the European Commission for transfers to third countries;
UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs: for transfers from the UK under the UK GDPR regime;
Adequacy decisions: including the EU-US Data Privacy Framework (DPF) and its UK extension, where applicable; and
Transfer risk assessments (TRAs / Transfer Impact Assessments): conducted for higher-risk international flows, particularly transfers to India and countries without an adequacy decision.

8.1 India Operations and DPDPA Compliance

India Operations: Our Chennai operations team handles certain support and operational functions. Transfers from the UK/EEA to India are governed by EU Standard Contractual Clauses and our internal data transfer policies. We do not transfer personal data to India beyond what is operationally necessary.

India's Digital Personal Data Protection Act 2023 (DPDPA): India's DPDPA received Presidential assent in August 2023. Implementing rules are being finalised by the Government of India as of the effective date of this Policy. Our Chennai operations are subject to DPDPA obligations as they come into force. We already align with the Act's core principles: processing personal data only for lawful purposes with appropriate consent or a recognised legitimate use; implementing reasonable security safeguards proportionate to the risk; providing clear notice about the purposes for which data is collected; honouring data principal rights (access, correction, erasure, and grievance redressal); and notifying the Data Protection Board of India of any personal data breach where required. We will update this Policy as rules are notified and will comply with all DPDPA obligations within applicable transition periods.

For enterprise customers requiring specific information about international data transfer mechanisms, this is addressed in our Data Processing Addendum.

9. Cookie Policy

ARIA uses cookies and similar technologies to operate the service securely and to understand how users interact with ARIA. We use the following categories:

Category	Can Be Disabled?	Purpose / Examples
Strictly Necessary	No (required for service)	Session management, authentication, CSRF protection (e.g., session_id, csrf_token). These are essential to ARIA's security and cannot be disabled.
Functional	Yes	Remembering user preferences such as language, display settings, or theme.
Analytics	Yes	Anonymised usage statistics to improve ARIA (e.g., page load times, feature usage). No personal identification.
Marketing / Advertising	Not applicable; we do not use these	We do not deploy third-party advertising or marketing tracking cookies in ARIA.

On first access to ARIA you can set your preferences for non-essential cookies via our consent banner. You can also adjust cookie settings in your browser at any time. We honour supported Global Privacy Control (GPC) signals for US residents as an opt-out of non-essential cookie-based data sharing where required by applicable law.

10. Security: Technical and Organisational Measures

Luminant implements technical and organisational security measures proportionate to our size, the sensitivity of the data we process, and applicable legal requirements. We are committed to protecting your personal data from unauthorised access, loss, destruction, or disclosure.

10.1 Technical Security Controls

Control	Implementation Detail
Encryption in Transit	TLS 1.2 or higher for all data transmitted to and from ARIA. TLS 1.3 preferred where supported.
Encryption at Rest	AES-256 encryption for stored personal data, session data, and backup data.
Access Controls	Role-based, least-privilege access to all systems containing personal data. Multi-factor authentication (MFA) required for all administrative and production system access.
Prompt Isolation	User conversations are logically isolated; no cross-user data contamination is architecturally possible.
No Prompt Logging for Training	ARIA prompts are not logged for AI training purposes. Session data is retained only for the operational purposes described in Section 5.
Vulnerability Management	Regular security patching and updates applied to all production infrastructure. Critical patches applied within defined SLAs.
Environment Separation	Production, staging, and development environments are logically separated. Personal data is not used in non-production environments without anonymisation.
Logging and Monitoring	Access logs, error logs, and anomaly detection applied to production systems. Security events are monitored and investigated.
Network Security	Firewalls, intrusion detection, and network segmentation applied to production infrastructure.
Sub-Processor Security	All AI and infrastructure sub-processors are contractually required to implement security measures at least equivalent to those described here.

10.2 Organisational Security Measures

Data protection training for all staff with access to personal data, conducted at onboarding and annually;
Regular access reviews of production systems to ensure least-privilege principle is maintained;
Sub-processor due diligence: security review before engaging any new sub-processor that will handle personal data;
Confidentiality obligations: all staff and contractors with access to personal data are bound by written confidentiality obligations; and
Acceptable use policy: governing the use of ARIA systems by Luminant staff.

10.3 Incident Response and Breach Notification

Luminant maintains an incident response procedure. In the event of a confirmed personal data breach:

We will contain and assess the breach as rapidly as possible;
We will notify affected users and relevant supervisory authorities (ICO and/or applicable US authorities) without undue delay and within 72 hours of confirmation where required by GDPR;
We will provide details of the nature of the breach, data categories and approximate number of individuals affected, likely consequences, and measures taken or proposed; and
We will document all breaches in our internal breach register, whether or not notification is required.

10.4 Certifications and Audit Status

Honest Disclosure on Certifications: Luminant Works Global does not currently hold ISO 27001 or SOC 2 Type II certifications. We are an honest small business with an ambitious vision and ARIA, this amazing tool. These certifications are disproportionate to our current scale. However, our security controls are designed to meet the substantive requirements of these frameworks. As Luminant grows, we intend to pursue appropriate independent certification. Enterprise customers requiring specific security assurance documentation should contact privacy@luminantglobal.com to discuss available evidence.

11. Children and Minors

ARIA is designed and intended exclusively for professional business use by adults. We do not knowingly collect, process, or store personal data from children under the age of 16 (or such other age as may be required under applicable law in your jurisdiction).

If you believe we have inadvertently collected personal data from a minor, please contact us immediately at privacy@luminantglobal.com. We will investigate and delete such data promptly.

12. Data Processing for Enterprise Customers

Where Luminant acts as a data processor for an enterprise Customer:

We process personal data only on the Customer's documented, lawful instructions; we will inform the Customer if we believe any instruction infringes applicable data protection law;
We implement security measures broadly consistent with those described in this Policy, and as specifically agreed in the Data Processing Addendum (DPA);
We engage sub-processors only under written contracts with data protection obligations at least equivalent to those in our agreement with the Customer;
We will promptly inform the Customer of any data subject rights requests, regulatory inquiries, or personal data breaches relating to ARIA data processed on the Customer's behalf;
We will assist the Customer in responding to data subject rights requests and in fulfilling their obligations under applicable data protection law;
We will not transfer personal data to countries outside the scope agreed in the DPA without the Customer's prior written consent; and
On contract termination or written request, we will delete or return all personal data processed on the Customer's behalf within 30 days, subject to applicable legal retention obligations, and certify such deletion on request.

Our Data Processing Addendum (DPA) is available on request at privacy@luminantglobal.com and is incorporated into all enterprise subscription agreements.

13. How We Share Personal Data

We do not sell, rent, or share your personal data for commercial purposes. We may share personal data only in the following limited circumstances:

Sub-processors and service providers: cloud hosting providers, AI model providers, and analytics providers, each bound by appropriate data processing agreements and security obligations;
Professional advisers: lawyers, auditors, and insurers bound by confidentiality;
Law enforcement and regulatory authorities: where required by applicable law, court order, or to protect the legal rights of Luminant or others;
Business transfers: in connection with a merger, acquisition, or sale of substantially all of Luminant's assets (users will be notified in advance of any such transfer); and
With your explicit consent: for any other purpose where you have given specific informed consent.

A full list of our current sub-processors and data-sharing partners is published on our website and also available on request at privacy@luminantglobal.com.

14. Accessibility

Luminant is committed to making ARIA and its associated web interfaces accessible to all users, including those with disabilities. We aim to conform to the Web Content Accessibility Guidelines (WCAG) 2.1 at Level AA as our target standard. Our accessibility commitments are as follows:

UK Equality Act 2010: we will not discriminate against users with disabilities in access to ARIA or our website and will make reasonable adjustments to ensure equivalent access;
European Accessibility Act (Directive 2019/882, applicable from June 2025): to the extent ARIA is offered to users in the European Economic Area and falls within the Act's scope, we will meet the applicable product and service accessibility requirements;
WCAG 2.1 AA target: our web interfaces aim to be perceivable, operable, understandable, and robust for users with visual, auditory, motor, and cognitive disabilities; and
Feedback: if you experience an accessibility barrier when using ARIA, please contact us at privacy@luminantglobal.com with 'Accessibility' in the subject line. We will respond within five business days and work to resolve the issue promptly.

15. Updates to This Policy

We may update this Policy from time to time to reflect changes in applicable law, our services, technology, or business practices. For material changes, we will:

Notify registered users by email or in-app notice with reasonable advance notice;
Update the 'Effective Date' and 'Version' at the top of this Policy;
Provide a summary of the key changes; and
Where required by law, seek fresh consent where the change affects processing based on consent.

The date of the most recent update is always shown at the top of this Policy. We recommend reviewing this Policy periodically. Continued use of ARIA after the effective date of a revised Policy constitutes acceptance of the changes.

16. Contact, Complaints, and Supervisory Authorities

16.1 Contact Luminant

Privacy Enquiries	privacy@luminantglobal.com
General Contact	luminance@luminantworks.com
Registered Office	College House, 17 King Edwards Rd., Ruislip, London HA4 7AE, United Kingdom
India Operations	A-Block, 4th Floor, Prince Info Park, Chennai 600058, India

16.2 Supervisory Authorities

If you are not satisfied with our response to a privacy complaint, you have the right to lodge a complaint with your relevant supervisory authority:

United Kingdom	Information Commissioner's Office (ICO): ico.org.uk \| Helpline: 0303 123 1113
European Union	Your local Data Protection Authority (DPA): full list at edpb.europa.eu
California, USA	California Privacy Protection Agency (CPPA): cppa.ca.gov
Other US States	Your State Attorney General's office
India	Personal Data Protection Board (PDPB): once formally constituted under DPDPA 2023

Version 2.0 | Effective: 1 March 2026 | Next Review: 1 March 2027