Legal

Privacy Policy

Last updated: April 16, 2026

1. Who we are

Lumkey ("Lumkey", "we", "us", or "our") operates the Lumkey platform, accessible at lumkey.dev and api.lumkey.dev. This Privacy Policy describes how we collect, use, store, and share information when you use our services. If you have questions about this policy or your data, contact us at privacy@lumkey.dev.

2. Information we collect

We collect information you provide directly:

— Account information: name, email address, organization name, and billing information when you register or subscribe.
— Provider credentials: API keys for third-party model providers you configure in Lumkey. These are stored as protected ciphertext and are not readable after creation.
— Policy and configuration data: rules, budgets, approval workflows, and settings you create within the platform.
— Communications: messages you send to our support team.

We collect information automatically when you use the service:

— Log data: request metadata, timestamps, IP addresses, and usage patterns associated with Lumkey key usage.
— Device and browser information: browser type, operating system, and referring URLs when you access the dashboard.
— Cookies and similar technologies: session tokens and analytics identifiers as described in Section 6.

3. How we use your information

We use the information we collect to:

— Provide, operate, and improve the Lumkey platform.
— Process and fulfill your subscription and billing.
— Send service notifications, security alerts, and product updates.
— Respond to support requests and questions.
— Monitor for abuse, security incidents, and policy violations.
— Comply with legal obligations.

We do not sell your personal data or provider credentials to third parties. We do not use your provider credentials for any purpose other than making authorized upstream calls on your behalf.

4. Provider credentials and secrets

Provider credentials (API keys for OpenAI, Anthropic, Gemini, and other model providers) receive specific protections beyond our standard data handling:

— Provider credentials are encrypted before storage using Google Cloud KMS-backed protection in the SaaS deployment.
— The management API and dashboard are intentionally designed to not return raw provider credentials after creation.
— Provider credentials are decrypted only in memory, only when Lumkey makes an authorized upstream provider call on your behalf.
— No routine employee or support workflow includes a path to retrieve raw provider credentials.

Lumkey is a controlled-service architecture, not a zero-knowledge system. We maintain the ability to decrypt provider credentials as a necessary function of operating an authorized proxy service. Our trust model is based on strong storage protection, restricted runtime access, and the absence of casual employee access paths — not on technical impossibility of decryption.

5. Data sharing and disclosure

We share your information only in the following circumstances:

Service providers: We use trusted third-party services for infrastructure (Google Cloud), payments (Stripe), and communications (email service providers). These processors handle data on our behalf under contractual protections.

Legal requirements: We may disclose information when required by law, court order, or government authority, or when we believe disclosure is necessary to protect the rights or safety of Lumkey, our customers, or the public.

Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

With your consent: We may share information in other circumstances with your explicit consent.

We do not share, sell, or rent your personal data to advertisers or data brokers.

6. Cookies and analytics

We use cookies and similar technologies for:

— Session management: to keep you authenticated across requests.
— Analytics: to understand how customers use the dashboard and improve the product.

We use privacy-respecting analytics tools and do not use cross-site tracking. You can configure your browser to refuse cookies, though some features of the dashboard may not function correctly without session cookies.

7. Data retention

We retain your account information for as long as your account is active. Audit logs are retained according to your plan:

— Free and Pro plans: 30-day audit log retention.
— Enterprise plans: configurable retention, up to the period specified in your contract.

After account deletion or contract termination, we delete or anonymize your data within 90 days, unless longer retention is required for legal or compliance purposes.

8. Security

We implement technical and organizational measures appropriate to the sensitivity of the data we process. These include encryption at rest and in transit, access controls, monitoring, and regular security reviews. No security system is perfect. If you discover a security issue affecting Lumkey, please report it to security@lumkey.dev.

9. Your rights

Depending on your location, you may have rights under applicable privacy law including the right to:

— Access and receive a copy of the personal data we hold about you.
— Correct inaccurate personal data.
— Request deletion of your personal data, subject to our legal retention obligations.
— Object to or restrict certain processing activities.
— Data portability where processing is based on consent or contract.

To exercise these rights, contact us at privacy@lumkey.dev. We will respond within 30 days.

10. International transfers

Lumkey operates primarily in the United States. If you access the service from outside the United States, your information may be transferred to and processed in the United States or other countries where our service providers operate. We use appropriate transfer mechanisms, including Standard Contractual Clauses, where required.

11. Children

Lumkey is not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us at privacy@lumkey.dev and we will delete it promptly.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy with a new effective date and, where appropriate, by email. Your continued use of the service after changes take effect constitutes acceptance of the updated policy.

13. Contact

Questions about this Privacy Policy or your data:

Email: privacy@lumkey.dev
Company: LUMKEY
Website: lumkey.dev