Lumo

Privacy Policy

This Privacy Policy explains how Lumo Wireless, Inc. collects, uses, discloses, and protects Personal Data when you visit lumo.to, use our applications, or interact with our eSIM connectivity services.

Effective Date: October 4, 2025

Legal Entity: Lumo Wireless, Inc.

Mailing: 2261 Market Street STE 86867, San Francisco, CA 94114 USA

Contact: help@lumo.to

By accessing or using our Services, you acknowledge that you have read this Privacy Policy and our Terms of Use and understand how we process your Personal Data. If you do not agree, please discontinue use of the Services.

1. Overview

Lumo Wireless, Inc. ("Lumo", "we", "us", or "our") provides global eSIM connectivity products and related software (the "Services"). This Privacy Policy describes the types of Personal Data we collect, how we use and share that data, the rights available to you, and how to contact us. It applies to all processing of Personal Data through our website lumo.to (the "Site"), customer portals, support channels, and marketing initiatives.

2. Who We Are and Scope

Lumo Wireless, Inc. is the data controller for processing activities described in this Privacy Policy. We may also act as a data processor for enterprise or reseller customers pursuant to separate agreements.

This Privacy Policy covers Personal Data collected from visitors, account holders, purchasers, and support contacts worldwide. Where specific regional laws provide additional rights or disclosures (for example, GDPR or the California Consumer Privacy Act), we include those requirements below.

Our Services are intended for adults. We do not knowingly offer Services to individuals under the minimum age defined by applicable law (see Section 17).

3. Key Definitions

  • Personal Data means information that identifies, relates to, describes, or is reasonably capable of being associated with an identified or identifiable individual.
  • Processing means any activity performed on Personal Data, including collection, use, disclosure, storage, or deletion.
  • Partners refers to carriers, aggregators, and technology providers that enable our eSIM connectivity and supporting infrastructure.
  • Services includes the Site, web and mobile applications, checkout flows, customer support, and communications offered by Lumo.

4. Personal Data We Collect

Data you provide directly. When you create an account, make a purchase, contact support, or participate in promotions, we may collect:

  • Contact details (name, email address, phone number if provided).
  • Account credentials (hashed passwords, authentication methods).
  • Profile information, preferences, and communications with us.
  • Order details (plans purchased, price, currency, timestamps, activation status).
  • Support tickets, troubleshooting logs, survey responses, and other information you choose to share.

Payment information. Payments are processed by Stripe or similar providers. We receive limited payment metadata such as billing country, card brand, last four digits, and transaction identifiers. We do not store full payment card numbers.

Data collected automatically. When you access the Services, we automatically log:

  • Device and technical data (device type, operating system, browser version, mobile identifiers, language, time zone).
  • Usage data (pages viewed, features used, referring URLs, exit pages, clickstream data, date and time stamps).
  • Approximate location derived from IP address for fraud prevention, regulatory compliance, and localized experiences.
  • Cookies and similar technologies that store session identifiers, authentication tokens, and analytics events (see Section 5).

Data from third parties. We may receive Personal Data from our Partners, analytics providers, identity verification vendors, advertising platforms (including Reddit), marketing platforms, social login providers (Google and Facebook), and AI service providers (including ElevenLabs) consistent with their privacy policies and your settings.

Aggregated and de-identified data. We may create aggregated, anonymized, or de-identified data derived from Personal Data. Such data no longer identifies individuals and may be used for analytics, research, and business intelligence.

5. Cookies and Similar Technologies

We use cookies, local storage, web beacons, tracking pixels, and analytics SDKs to operate and improve the Services. Cookies are small text files placed on your device that help us keep you signed in, remember preferences, prevent fraud, and understand usage patterns. We use both session cookies (which expire when you close your browser) and persistent cookies (which remain until deleted or expired).

We also use the Reddit Pixel, a tracking technology that collects information about your visits to the Site, including pages viewed, referring URLs, device information, and browsing activity. This helps us measure the effectiveness of our advertising campaigns and improve our marketing efforts. The Reddit Pixel may allow Reddit to track your activity across other websites and associate it with your Reddit account if you are logged in to Reddit.

You can manage cookies through browser settings or opt-out mechanisms provided by analytics and advertising providers. To opt out of interest-based advertising from Reddit, visit your Reddit personalization preferences or use industry opt-out tools such as the Digital Advertising Alliance's opt-out page. Disabling cookies may impact certain features such as account login and checkout.

6. How We Use Personal Data

  • Provide, operate, and maintain the Services, including account registration, authentication, and eSIM activation.
  • Process transactions, issue invoices, facilitate refunds, and provide customer support.
  • Communicate with you about orders, updates, security notices, policy changes, and marketing (where permitted).
  • Provide AI-powered voice customer support through our conversational AI assistant, including recording and transcribing voice interactions to deliver support services, improve assistant performance, and ensure quality.
  • Monitor and improve performance, troubleshoot issues, and develop new products and features.
  • Protect the security and integrity of the Services, prevent fraud or abuse, and enforce our Terms of Use.
  • Comply with legal obligations, tax requirements, regulatory reporting, and law enforcement requests.
  • Conduct analytics, research, and business planning using aggregated or de-identified data.
  • Measure the effectiveness of advertising campaigns and deliver relevant advertisements through third-party platforms such as Reddit.

7. AI-Powered Voice Assistant

We use ElevenLabs conversational AI technology to power our AI voice assistant that provides customer support through voice interactions on our website. When you interact:

  • You are interacting with AI, not a human. It is an artificial intelligence assistant designed to help with customer support inquiries.
  • Voice data collection. Your voice input, conversation transcripts, and related metadata (such as device information, timestamp, and session identifiers) are collected and processed by ElevenLabs on our behalf.
  • Recording and retention. Voice conversations may be recorded and transcribed. ElevenLabs stores this data to provide the service, improve AI performance, and ensure quality. Retention periods are governed by our agreement with ElevenLabs and applicable data protection requirements.
  • Third-party processing. ElevenLabs may use third-party large language model (LLM) providers to process your conversations and generate responses. Your interactions are subject to ElevenLabs' privacy policy and terms of service.
  • Your consent. By initiating a voice conversation, you consent to the recording, transcription, and processing of your voice data as described in this section.
  • EU data residency. Where required by law or our configuration, conversation data may be processed and stored within the European Union.

For more information about how ElevenLabs processes your data, please review their privacy policy at elevenlabs.io/privacy-policy.

8. Legal Bases for Processing (EEA/UK/Swiss Users)

Where the GDPR or similar laws apply, we process Personal Data under the following legal bases: (a) performance of a contract (providing the Services you request), (b) our legitimate interests (such as improving the Services, preventing fraud, and securing our systems), (c) compliance with legal obligations, and (d) your consent for specific activities (such as certain marketing communications or optional analytics where required). You may withdraw consent at any time by contacting us or adjusting preferences.

9. How We Share Personal Data

  • Service providers. Third-party vendors that assist with hosting, authentication (Supabase), payment processing (Stripe), analytics (Google Analytics, Vercel Analytics), advertising platforms (Reddit Pixel), AI-powered customer support (ElevenLabs), communications, support, and security. These providers access Personal Data only to perform services on our behalf and subject to contractual safeguards.
  • Connectivity Partners. Carrier networks, aggregators, and provisioning platforms that deliver eSIM connectivity and troubleshoot service issues.
  • Professional advisors. Lawyers, auditors, and accountants under appropriate confidentiality obligations.
  • Corporate transactions. In connection with a merger, acquisition, financing, or sale of assets, Personal Data may be transferred to another entity subject to this Privacy Policy or a successor policy with comparable protections.
  • Legal and safety. Authorities, courts, regulators, or other parties when we believe disclosure is necessary to comply with law, protect rights, address fraud or security concerns, or enforce agreements.

We do not sell Personal Data and do not share Personal Data for cross-context behavioral advertising as defined by the California Consumer Privacy Act (CCPA/CPRA). If this changes, we will update this Privacy Policy and provide required opt-out mechanisms.

10. International Data Transfers

We operate globally and may transfer Personal Data to countries other than the one in which it was collected. Our primary infrastructure is hosted in the European Union via Supabase. When we transfer Personal Data outside the EEA, UK, or Switzerland, we rely on lawful transfer mechanisms such as Standard Contractual Clauses, adequacy decisions, or other safeguards permitted by applicable law.

We take steps to ensure that recipients of Personal Data provide an adequate level of protection and process data in compliance with this Privacy Policy.

11. Data Retention

We retain Personal Data for as long as necessary to fulfill the purposes described in this Privacy Policy, including providing the Services, complying with our legal obligations, resolving disputes, and enforcing agreements. Retention periods vary depending on the type of data, regulatory requirements, and our operational needs. When Personal Data is no longer required, we will delete, anonymize, or de-identify it in accordance with applicable law and our data retention schedule.

12. Data Security

We implement technical and organizational measures designed to protect Personal Data, including encryption in transit, access controls, audit logging, and secure development practices. Despite these safeguards, no method of transmission or storage is completely secure. You are responsible for maintaining the confidentiality of your account credentials and for notifying us promptly of any suspected unauthorized access.

13. Your Privacy Choices

  • Review or update your account information through in-product settings.
  • Request access, deletion, or export of your Personal Data by emailing help@lumo.to.
  • Adjust cookie settings within your browser or opt out of analytics through provider tools.
  • Unsubscribe from marketing communications by following unsubscribe links in emails or contacting us.

14. Rights for EEA, UK, and Swiss Individuals

If you are located in the EEA, UK, or Switzerland, you have the right to:

  • Access and obtain a copy of your Personal Data.
  • Request rectification of inaccurate or incomplete Personal Data.
  • Request erasure of Personal Data in certain circumstances.
  • Restrict or object to processing, including processing based on legitimate interests.
  • Request data portability.
  • Lodge a complaint with your local supervisory authority.

To exercise these rights, contact us at help@lumo.to. We may request additional information to verify your identity and will respond within the timeframe required by law.

15. California and Other U.S. State Privacy Rights

Residents of California, Colorado, Connecticut, Utah, Virginia, and other jurisdictions with comprehensive privacy laws may have additional rights, including:

  • The right to know the categories of Personal Data collected, the purposes of collection, and the categories of third parties with whom we share Personal Data.
  • The right to access, correct, or delete certain Personal Data.
  • The right to opt out of the sale or sharing of Personal Data or targeted advertising (we do not sell Personal Data or share it for cross-context advertising).
  • The right to limit the use of sensitive Personal Data (we do not collect sensitive Personal Data for inferring characteristics).
  • The right to appeal a denial of your request (where required by law).

Submit requests by emailing help@lumo.to. Please include your state of residence and the nature of your request. You may designate an authorized agent to exercise rights on your behalf by providing written authorization and verifying your identity.

16. Marketing Communications

We may send you promotional messages if you opt in or if permitted by law. You can opt out of marketing communications at any time by using the unsubscribe link in the email or contacting us. We may still send transactional or service-related communications necessary to provide the Services.

17. Cookies, Analytics, and Do Not Track

Some browsers include a "Do Not Track" signal. The Services do not currently respond to Do Not Track signals because there is no consistent industry standard. We continue to monitor developments and will update this Privacy Policy if our practices change. You can manage analytics preferences using the controls provided by Google Analytics and other vendors.

For more information about cookie usage, see Section 5.

18. Children's Privacy

The Services are not directed to children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect Personal Data from children. If you believe a child has provided Personal Data to us, please contact us so that we can delete the data and terminate the child's account.

19. Third-Party Links and Services

The Services may include links to third-party websites or integrations with third-party services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party services you access.

20. Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, Personal Data may be transferred to the acquiring entity. We will require the successor to honor this Privacy Policy or notify you of any material changes and obtain consent where required by law.

21. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Effective Date" above, providing a notice within the Services, or sending an email if you have provided one. Your continued use of the Services after the effective date of an updated Privacy Policy signifies acceptance of the changes.

22. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

  • Email: help@lumo.to
  • Mail: Lumo Wireless, Inc., 2261 Market Street STE 86867, San Francisco, CA 94114 USA

23. Additional Information for Support

We aim to respond to privacy inquiries within 30 days. If you are not satisfied with our response, you may contact your local data protection authority or seek alternative dispute resolution where available. For more information about how we secure your data or to request copies of our data protection agreements, please reach out to help@lumo.to.