1. Introduction
Lumenbase ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our customer relationship management (CRM) platform and related services.
1.1 Our roles under data protection law
We act in two distinct capacities:
- Controller for: your account data (e.g. name, email, password), billing and payment-related data, and marketing preferences. We decide why and how this data is processed.
- Processor for: CRM data (contacts, companies, deals, activities, and other data you upload or create in the platform). For this data, you are the controller and we process it only on your documented instructions (e.g. via our Terms of Service and, where applicable, a Data Processing Agreement).
Where we act as processor, we do not use your CRM data for our own purposes except as necessary to provide, secure, and improve the service.
1.2 Your responsibility for CRM data
You are responsible for ensuring that you have a lawful basis to collect and process any personal data you upload or sync into the platform (including contact and company data). You must comply with applicable data protection and privacy laws (e.g. GDPR, CCPA) when collecting and using such data. We process CRM data on your behalf as your processor and in accordance with our Data Processing Agreement (DPA) where applicable.
Our Data Processing Agreement (DPA) is available to customers upon request and sets out the terms under which we process personal data on your behalf. You may request a copy at privacy@lumenbase.io.
We will notify you without undue delay if we become aware of a personal data breach affecting your data, in line with our processor obligations and the DPA.
2. Information We Collect
We collect information you provide directly (e.g. account, profile, payment, and CRM data) and information we obtain automatically (e.g. logs, device and usage data). The table below summarizes, for transparency and GDPR purposes, the main categories of personal data we process as controller, the purposes, and the legal bases we rely on (where the GDPR applies).
| Data category | Purpose | Legal basis (GDPR) |
|---|---|---|
| Account data (name, email, password) | Account creation, authentication, account management | Contract performance |
| Profile / workspace data (company name, job title) | Providing the service, support, billing | Contract performance |
| Payment / billing data | Processing payments, invoicing, fraud prevention | Contract performance; legal obligation |
| Marketing preferences and communications | Newsletters, product updates, marketing (where consented) | Consent; legitimate interest (where applicable) |
| Logs, device and usage data | Security, availability, analytics, product improvement | Legitimate interest |
| Marketing site visitor data (anonymous ID, pages visited, links clicked, approximate location from IP, device/OS/browser/language) | Understanding use of our marketing site, product improvement; if you create an account, we may link this history to your account for support and analytics | Legitimate interest; consent where required by law (e.g. EU/EEA) via cookie consent |
| CRM data (contacts, companies, etc.) | Processed on your behalf as processor; we do not use it for our own purposes | N/A (you determine legal basis as controller) |
Providing data and consequences of refusal. Where processing is necessary for the performance of our contract with you (e.g. account and billing data), provision of that data is a contractual requirement. If you do not provide it, we may not be able to create or maintain your account or provide the service. For optional data (e.g. marketing preferences), you may refuse or withdraw consent without affecting the core service.
Automated decision-making. We do not use your personal data for automated decision-making or profiling that produces legal effects or similarly significantly affects you.
2.1 Lumenbase Capture browser extension
The Lumenbase Capture Chrome extension connects LinkedIn pages you visit to your Lumenbase workspace when you choose to link your account. This section describes how the extension handles data in addition to the CRM platform practices above.
What the extension accesses
- LinkedIn pages: When you browse linkedin.com while logged in, the extension can read profile and messaging information visible on pages you view (e.g. names, headlines, companies, profile URLs, connection and conversation data you choose to capture).
- Local browser storage: Captured data and sync state are stored locally in your browser (IndexedDB and extension storage) until you sync or remove it.
- Lumenbase account link: When you connect the extension in Lumenbase Integrations, we issue an authentication token so the extension can send data to your workspace over HTTPS (api.lumenbase.io).
- LinkedIn session: The extension may read LinkedIn session cookies to confirm you are logged in to LinkedIn; it does not send those cookies to third parties.
How extension data is used
Extension data is used only to display CRM status on LinkedIn, sync contacts and conversations to your Lumenbase workspace at your direction, and operate the integration you enabled. We do not sell extension or LinkedIn-derived data, and we do not use it for advertising. LinkedIn contact data synced into your workspace is processed as CRM data on your behalf (see Section 1.1).
Your choices
You can disconnect the extension at any time from Lumenbase Integrations or by uninstalling the extension from your browser. Uninstalling removes locally stored extension data from your device. Data already synced to your workspace remains subject to your account retention settings and our CRM data policies; you may request deletion via privacy requests or privacy@lumenbase.io.
3. How We Use and Share Your Information
We use the information we collect to provide, maintain, and improve the service; process transactions; send technical and support messages; respond to requests; and ensure security. We do not sell your personal data. We may share data with service providers (subprocessors) who assist in operating our platform, subject to appropriate contracts. We may also disclose data where required by law or to protect our rights and safety. See Section 10 for subprocessor information.
5. Data Retention
We retain personal data only as long as necessary for the purposes set out in this policy or as required by law.
- Account data: For the duration of your account plus a reasonable period after closure (e.g. 30–90 days) unless a longer period is required for legal, regulatory, or dispute-resolution purposes.
- Billing / financial records: As required by applicable accounting and tax laws (often 7 years or more).
- Logs and security-related data: Typically up to 12 months, unless a shorter or longer period is needed for security, legal, or compliance reasons.
- Marketing site visitor data: We retain anonymous visitor data (pages visited, link clicks, device and location information) for a limited period (e.g. up to 24 months) for analytics and product improvement. If you register, we link this history to your account and treat it in line with our retention for account-related data. You may request deletion of your visitor profile by contacting us at privacy@lumenbase.io.
- Marketing data: Until you withdraw consent or opt out; then we cease using it for marketing and retain it only as needed for record-keeping or legal obligations.
- CRM data (as processor): For the duration of your subscription and as per your instructions; after termination, in line with our data deletion terms and any legal retention requirements.
You may request deletion of your account and associated personal data (subject to legal retention obligations). For CRM data, deletion is handled in accordance with your instructions and our DPA.
6. Your Rights
Depending on your location, you may have rights regarding your personal data, including: access; rectification (correction); erasure ("right to be forgotten"); restriction of processing; data portability; objection to processing; and, where processing is based on consent, the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
To exercise these rights, contact us at privacy@lumenbase.io. You also have the right to lodge a complaint with a supervisory authority in your country.
If we have designated an EEA representative under Article 27 GDPR, their contact details are available on request at privacy@lumenbase.io. For any GDPR-related requests you may contact us at that address.
7. International Transfers
Your data may be processed in countries outside your country of residence, including the United States and the region where our main hosting and subprocessors are located. We ensure appropriate safeguards are in place where required by law, such as Standard Contractual Clauses (SCCs) approved by the European Commission (and, where relevant, UK international data transfer agreements or the UK IDTA). Transfer Impact Assessments are performed where required. Copies of relevant safeguards (e.g. SCCs) are available upon request at privacy@lumenbase.io.
9. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the following applies in addition to the rest of this policy.
Categories of personal information we collect (in the preceding 12 months): Identifiers (e.g. name, email, IP address, anonymous visitor ID); account and profile information; commercial information (e.g. subscription, usage); internet or network activity (e.g. pages visited, links clicked on our marketing site); approximate geolocation derived from IP; and, where relevant, payment and billing information.
Sources: Directly from you; automatically from your use of the service; and from third parties (e.g. payment processors) where relevant.
Categories of third parties we disclose to: Service providers (hosting, analytics, payment, support); and, where required, legal or regulatory authorities.
We do not sell personal information as defined under the CCPA. We do not share personal information for cross-context behavioral advertising in a way that qualifies as a "sale" or "share" under the CCPA.
If we process sensitive personal information (as defined under the CPRA), we use it only for purposes permitted under the CPRA and do not use or disclose it for purposes that would require a right to limit under the CPRA.
You may submit requests to know, correct, or delete your personal information, or to exercise other CCPA/CPRA rights, by contacting us at privacy@lumenbase.io. We will verify your identity and respond within the timeframes required by law. You may also have the right to opt out of the sale or sharing of personal information; as stated above, we do not sell or share in that sense.
10. Subprocessors
We use subprocessors (e.g. hosting, infrastructure, analytics, payment, and support providers) to provide the service. We maintain a list of subprocessors that process personal data on our behalf. The list is available upon request at privacy@lumenbase.io or via a link we publish in our service or documentation. We enter into appropriate contracts with subprocessors to ensure the protection of your data. We will notify you of any intended changes to our subprocessors (e.g. addition or replacement) in a reasonable manner, and you may object to such changes where your contract or the DPA provides for it.
11. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including encryption of data in transit and at rest where appropriate, access controls, and regular review of our security practices. Despite these measures, no method of transmission or storage is completely secure; we encourage you to use strong credentials and protect your account.
12. Contact Us
For questions about this Privacy Policy or our privacy practices, or to exercise your rights, contact us at privacy@lumenbase.io.

