Privacy Policy



Last updated: 1 Oct 2025

1. Introduction

Luma Technologies ApS ("Much", "we", "us", "our"), CVR-no: 45308324, also operating under the name The Ramp ApS, is committed to protecting your privacy and ensuring the lawful, fair, and transparent processing of personal data. This Privacy Policy explains how we collect, use, share, and protect personal data in connection with our Services.

Our commitment to safeguarding your information is paramount. This document also incorporates our Security Fact Pack (SFP), which outlines the measures we take to ensure the confidentiality, integrity, and availability of all data entrusted to us. The SFP reflects our current processes regarding data security protocols implemented during the development of our products and services.

Company information:
Luma Technologies ApS
CVR: 45308324
Højbro Plads 10
1200 Copenhagen K
Denmark

Data Protection Representative: Kristian Anker
Email: ka@heyluma.com

2. Scope

This Privacy Policy applies to personal data processed when you:

  • Use our Services, websites, and applications.


  • Create an account or register on behalf of your business.


  • Communicate with us (e.g., via email or support channels).


  • Provide data that is input into or processed by our AI-powered Services.


This Policy applies whether we act as a Data Controller (for account data, billing, communication) or as a Data Processor (for customer-provided input data processed via our Services).



3. Data Collection Practices

We collect data to provide and improve our Services, communicate with you, and enhance your overall experience. Our data collection adheres to strict principles of necessity and transparency.

Types of Data Collected

  • General Personal Data: Such as names, email addresses, salaries, and contact details provided directly by users or indirectly via connected tools and services.


  • Special Categories of Personal Data: Such as health information, trade union affiliation, and political affiliation, provided directly by the user or indirectly via connected tools and services.


  • Usage Data: Information on how our Services are accessed and used, including IP addresses, browser types, and operating systems.


  • Technical Data: Device information, log data, and unique identifiers.


  • Input Data: Any personal data you input into the Services (e.g., contracts, communications, uploaded files).


  • AI Interaction Data: Prompts, queries, and outputs that may contain personal data.


Methods of Data Collection

  • Direct User Input: Information you provide when signing up for services, filling out forms, chatting with Much AI directly or via a connected app, or contacting support.


  • Connections: Information stored in external tools or systems you connect to our platforms.


  • Automated Means: Cookies, server logs, and tracking technologies when you interact with our platforms.


  • Third-Party Sources: Data received from trusted partners, always with your consent or as permitted by law.




4. Purposes of Processing

We collect and process personal data for the following purposes:

  • To provide and maintain our Services.


  • To improve and develop our Services.


  • To notify you about changes to our Services.


  • To allow participation in interactive features.


  • To provide customer support.


  • To gather analysis or valuable information to improve our Services.


  • To monitor usage of our Services.


  • To detect, prevent, and address technical issues.


  • To comply with legal obligations.


  • For marketing and service announcements where legally permitted.




5. Legal Basis

We rely on the following legal bases under GDPR:

  • Contractual necessity: to deliver the Services you request.


  • Legitimate interests: to improve our Services, prevent fraud, ensure security.


  • Consent: for certain marketing and cookies.


  • Legal obligation: where processing is required by law.




6. Roles & Responsibilities

  • For account and billing data, we act as Data Controller.


  • For customer input data processed in the Services, you act as Data Controller, and we act as Data Processor.


  • Our obligations as Data Processor are set out in a separate Data Processing Agreement (DPA), available upon request.




7. Sub-Processors

We may engage trusted third parties ("Sub-Processors") to deliver the Services (e.g., hosting providers, cloud infrastructure, analytics tools).

  • A list of current Sub-Processors is available upon request.


  • We remain fully responsible for the performance of our Sub-Processors.


  • Customers will be notified of significant changes to Sub-Processors where required by law.




8. International Transfers

If personal data is transferred outside the EU/EEA, we ensure appropriate safeguards such as the EU Commission’s Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent measures.



9. Data Retention

We retain personal data only as long as necessary for the purposes described above, or as required by law. Business account data is generally retained for the duration of the account plus 2 years after termination, unless legal requirements mandate longer storage.

Upon termination of Services, and at your option, we will either:

  • Return personal data in a structured, machine-readable format, or


  • Securely delete or anonymize it, unless legal obligations require retention.




10. Data Protection Measures

Our robust data protection framework is designed to protect data from unauthorized access, alteration, disclosure, or destruction. We employ a multi-layered approach to security and prioritize an EU and GDPR-centric approach, aiming to retain data processing and residency within the EU to the extent possible. For any processing outside of the EU, we aim to only use providers with proven GDPR compliance.

Technical Safeguards

  • Encryption: All sensitive data is encrypted in transit and at rest using industry-standard protocols.


  • Access Controls: Strict access controls and authentication mechanisms limit data access to authorized personnel only.


  • Network Security: Firewalls, intrusion detection, and regular vulnerability assessments protect our infrastructure.


  • Secure Development: Security is integrated into our development lifecycle.


Organizational Safeguards

  • Employee Training: Regular training on data privacy and security best practices.


  • Data Minimization: We only collect and retain necessary data.


  • Data Retention Policies: Data is retained only as long as necessary or legally required.


  • Compliance & Audits: Regular audits and compliance checks.


Compliance Standards

Standard | Description | Audit Frequency
GDPR | General Data Protection Regulation | Annually
ISO 27001 (in progress) | Information Security Management | In progress



11. AI-Specific Provisions

  • Usage Data: We may collect and create Usage Data (e.g., service performance metrics, feature utilization, diagnostics, logs, and metadata) to develop, improve, support, and operate the Services. We will not share Usage Data with third parties except (i) as permitted under this Policy or (ii) in aggregated and anonymized form so that you and your end users cannot be identified.


  • Model Training Restrictions: We will not use Subscriber’s Confidential Information to train generative or base AI models, nor allow subcontractors to do so, unless agreed in writing (e.g., for fine-tuning).


  • Input Data: You control what data you input. Avoid submitting unnecessary personal data.


  • Outputs: Outputs may occasionally reproduce personal data included in prompts. You are responsible for reviewing outputs before use.


  • Audit Rights: Upon request, we will provide information necessary to demonstrate GDPR compliance.




12. Data Breach Notification

If we become aware of a personal data breach affecting your data, we will notify you without undue delay, providing details of:

  • The nature of the breach.


  • The categories and approximate number of data subjects affected.


  • The likely consequences.


  • The measures taken or proposed to mitigate effects.




13. Your Rights

You have the following rights under GDPR:

  • Right of access.


  • Right to rectification.


  • Right to erasure.


  • Right to restriction.


  • Right to data portability.


  • Right to object.


  • Right to withdraw consent at any time.


  • Right to lodge a complaint with Datatilsynet.


To exercise these rights, contact our Data Protection Representative:
Kristian Anker – ka@heyluma.com



14. Cookies & Tracking

We use cookies and similar technologies to analyze usage, provide functionality, and improve the Services. Details are available in our Cookie Policy.



15. Updates

We may update this Privacy Policy from time to time. Updates will be published on our website, and significant changes may be communicated directly.



Contact Us
For any questions or concerns regarding this Privacy Policy or our security practices, please contact:


Kristian Anker (Data Protection Representative)
Email: ka@heyluma.com





Contact

info@askmuch.com
