Privacy Policy

Last updated: May 13, 2026 · Effective date: May 13, 2026

Lumio ("Lumio", "we", "us", or "our") operates an AI-powered K–12 education platform that provides tools for students, teachers, parents, and school administrators (the "Service"). This Privacy Policy explains what information we collect, how we use and share it, and the rights and choices you have. By using Lumio you agree to the practices described here.

1. Scope and roles

When a school or district uses Lumio, the school acts as the data controllerfor student records and Lumio acts as a school official / service providerprocessing data on the school's behalf under FERPA (34 CFR § 99.31(a)(1)) and applicable state student-privacy laws (including California SOPIPA, NY Ed Law 2-d, and similar). For self-registered adult users, Lumio is the controller.

2. Information we collect

• Account information: name, email address, role (student, parent, teacher, admin), school or district affiliation, password (hashed), and authentication tokens.
• Educational records: assignments, writing submissions, AI tutor conversations, quiz/answer history, grades, attendance, class roster data, and progress analytics provided by the school or generated through use of the Service.
• Wellbeing data: mood check-ins and self-reported wellbeing inputs. This data is treated as sensitive and is never sold or used for advertising.
• Communications: messages between students, parents, teachers, and admins sent through the platform; support requests you send to us.
• Device and usage data: IP address, browser type, operating system, device identifiers, pages viewed, features used, referring URLs, and approximate (city-level) location derived from IP.
• Cookies and similar technologies: strictly necessary cookies for authentication and security; analytics cookies to understand product usage; advertising cookies on adult-only surfaces (see Section 5).

3. How we use information

• Provide, operate, secure, and improve the Service (including the AI tutor, writing coach, analytics, and parent reports).
• Personalize learning recommendations and surface at-risk insights to authorized educators.
• Authenticate users, prevent fraud, abuse, and misuse, and enforce our Terms of Service.
• Communicate service announcements, security alerts, and (with consent where required) product updates.
• Comply with legal obligations and respond to lawful requests from public authorities.
• Show ads to verified adult users only, to keep Lumio free for students and schools (see Section 5).

We do not use student personal information to build advertising profiles, to retarget students, or to train third-party AI models. AI features process student input only to generate the response shown back to that user.

4. Children's privacy — COPPA and FERPA

Lumio is designed for use in K–12 schools. For users under 13, we rely on the school as the verifiable parental consent agent under COPPA's school-authorization exception (16 CFR § 312.5(c)(6)). Schools and districts agree by contract that they have authority to provide such consent and to direct our processing of student data. Parents may review, request deletion of, or refuse further collection of their child's information by contacting their school administrator or emailing us directly.

We do not knowingly collect personal information from children under 13 outside of a school-authorized account. We do not show personalized or behavioral ads to users under 18 and we do not show any ads to users under 13.

5. Advertising

To keep Lumio free, we display ads using Google AdSense on surfaces used by adults (parents, teachers, administrators). We do not show ads to students under 18. Google and its partners may use cookies and device identifiers to serve and measure ads. You can opt out of personalized advertising at google.com/settings/ads or via the IAB tools at youradchoices.com.

6. How we share information

We do not sell personal information. We share data only as described below:

• With your school or district as needed to deliver the Service.
• With service providers bound by written contracts (cloud hosting, AI model providers, analytics, email delivery, ad serving on adult surfaces). They may use the data only to perform services for us.
• For legal reasons: to comply with law, valid legal process, or government request, or to protect rights, safety, or property.
• Business transfers: in connection with a merger, acquisition, or asset sale, subject to confidentiality and continued protection.

7. International data transfers

Lumio is hosted in the United States. If you access the Service from outside the U.S., you understand your information will be transferred to and processed in the U.S. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.

8. Data retention

We retain account data for as long as the account is active. On account closure or upon school request, we delete or de-identify personal data within 90 days, except where retention is required by law or to resolve disputes. Backups are purged on a rolling schedule no longer than 180 days.

9. Security

We use industry-standard safeguards including TLS encryption in transit, encryption at rest, hashed passwords, role-based access controls, audit logging, and least-privilege access for staff. No system is perfectly secure; we encourage strong, unique passwords.

10. Your rights and choices

• Access, correction, and deletion of your personal data.
• Portability of data you have provided in a machine-readable format.
• Objection or restriction of certain processing.
• Withdraw consent at any time where processing is based on consent.
• Opt out of advertising cookies (see Section 5).

California residents have additional rights under the CCPA/CPRA, including the right to know, delete, correct, and limit use of sensitive personal information, and to be free from discrimination for exercising these rights. EEA/UK users have rights under the GDPR and UK GDPR. To exercise any right, email privacy@luumio.lovable.app.

11. Do Not Track

We honor Global Privacy Control signals where required by applicable law. Most browsers' Do Not Track signals are not standardized; we treat GPC as a valid opt-out request for sale/sharing of personal information.

12. Changes to this policy

We may update this Policy from time to time. Material changes will be highlighted on the Service or sent by email. Continued use after the effective date constitutes acceptance.

13. Contact us

Lumio · privacy@luumio.lovable.app
For school-data-protection inquiries, please contact your school administrator first.