Legal

Privacy Policy

Effective date: March 18, 2026

Lume ("we", "us", "our") operates the Lume platform and the website at lumeemr.com. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our services.

We are committed to complying with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada's Anti-Spam Legislation (CASL).

1. Information We Collect

Information you provide

• Account information: name, email address, phone number, and password when you create an account or are invited to a practice.
• Practice information: business name, address, phone number, and operating hours.
• Patient and customer data: names, contact information, prescriptions, insurance records, and order history entered by your practice into the platform.
• Beta signup information: practice name, contact name, email, and phone number submitted through our beta interest form.
• Communications: messages you send to us via email or other channels.

Information collected automatically

• Usage data: pages visited, features used, and actions taken within the platform.
• Device and browser information: IP address, browser type, operating system, and device identifiers.
• Cookies: session cookies for authentication. We do not use third-party advertising cookies.

2. How We Use Your Information

• To provide, maintain, and improve the Lume platform.
• To process and manage your account and practice data.
• To send transactional communications related to your account and orders.
• To send promotional communications where you have provided express consent, in compliance with CASL.
• To respond to your inquiries and provide customer support.
• To detect, prevent, and address technical issues and security threats.
• To comply with legal obligations.

3. Data Ownership and Tenancy

Your practice data belongs to you. Lume operates a multi-tenant architecture where each practice's data is logically isolated. We do not access, use, or share your patient data for any purpose other than providing the service to you.

You may export or request deletion of your practice data at any time by contacting us.

4. Consent and CASL Compliance

Lume helps your practice manage communication consent in compliance with CASL:

• Express consent is required for promotional messages (SMS and email). Consent is tracked per channel and can be withdrawn at any time.
• Implied consent applies to transactional messages related to existing business relationships, subject to CASL's time limits.
• Opt-out requests are processed immediately and override all other consent.

5. How We Share Your Information

We do not sell your personal information. We may share information with:

• Service providers: third-party services that help us operate the platform (hosting, email delivery, payment processing), bound by confidentiality obligations.
• Legal requirements: when required by law, regulation, or legal process.
• Business transfers: in connection with a merger, acquisition, or sale of assets, with notice to you.

6. Data Storage and Security

Your data is stored on secure infrastructure provided by Cloudflare and Neon (PostgreSQL). Data is encrypted in transit (TLS) and at rest. We implement access controls, audit logging, and regular security reviews to protect your information.

For Canadian practices, data processing occurs in North American data centres.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide services. Practice data is retained for the duration of the subscription. After account closure, data is deleted within 90 days unless retention is required by law.

Beta signup information is retained until the beta program concludes or you request its removal.

8. Your Rights

Under PIPEDA, you have the right to:

• Access the personal information we hold about you.
• Request correction of inaccurate information.
• Withdraw consent for promotional communications at any time.
• Request deletion of your personal information, subject to legal retention requirements.
• File a complaint with the Office of the Privacy Commissioner of Canada.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the effective date above.

10. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:

Lume
Email: privacy@lumehq.io