Legal
Privacy Policy
Last updated: July 13, 2026
Lumelead (“Lumelead”, “we”, “us”) provides an AI-powered lead engagement and appointment booking platform for medical spas and aesthetic clinics (each a “Clinic”). This policy explains what information we collect, how we use it, who we share it with, and the choices you have.
The short version
- If you messaged a clinic — your conversation belongs to that clinic; we process it on their behalf. Want it deleted? See Data Deletion Instructions. Want messages to stop? Reply STOP or hit unsubscribe — it’s enforced automatically.
- If you run a clinic — you own your data. We never sell it, never use it for advertising, and never use it to train AI models. Delete your account and everything goes, backups included, within 35 days.
This policy covers two groups of people:
- Clinic users — staff of a Clinic that has an account with Lumelead. For this data, Lumelead is the data controller.
- Leads and clients — people who contact a Clinic through channels Lumelead powers (website chat, SMS, email, Instagram Direct, or Facebook Messenger). For this data, the Clinic is the data controller and Lumelead processes it on the Clinic’s behalf. If you want to exercise privacy rights over a conversation you had with a Clinic, you can contact the Clinic directly or come to us and we’ll coordinate.
1. Information we collect
From Clinic users
- Account details: name, business email, clinic name, and login credentials.
- Business content you provide: treatments, pricing, policies, FAQs, and voice/tone preferences used to configure your AI agent.
- Billing information: processed by Stripe; we store your subscription status and plan, not your card number.
From leads and clients (on behalf of a Clinic)
- Contact details a lead shares: name, phone number, email address.
- Conversation content: messages exchanged with the Clinic’s AI agent or staff across connected channels.
- Engagement data: lead status, qualification score, appointment booking activity, and campaign enrollment.
- Consent records: channel consent and opt-out status (e.g., SMS STOP requests, email unsubscribes).
From Meta Platforms (Facebook & Instagram)
When a Clinic connects its Facebook Page or Instagram professional account, we receive, via Meta’s APIs and with the Clinic’s authorization:
- The message content people send to that Page or Instagram account, and our replies.
- Basic sender information Meta provides for messaging, such as a page-scoped identifier and display name.
- Page/account metadata needed to route conversations to the right Clinic.
We use this “Platform Data” only to provide the messaging service to the Clinic — receiving, displaying, responding to, and organizing conversations. We process Platform Data in accordance with the Meta Platform Terms and applicable Meta developer policies. We do not sell Platform Data, use it for advertising, or use it to train AI models.
Collected automatically
- Technical data: IP address, browser type, and device information, used for security, rate limiting, and service operation.
- Cookies: strictly necessary cookies for authentication and session management. We do not use third-party advertising cookies.
2. How we use information
- To operate the service: receive lead messages, generate AI-assisted replies in the Clinic’s configured voice, score and qualify leads, and deliver booking links.
- To let Clinic staff monitor and take over conversations at any time.
- To run Clinic-configured follow-up campaigns, honoring consent and opt-out status.
- To bill Clinics, provide support, secure the platform, and comply with legal obligations.
AI processing. Conversation content is processed by our AI infrastructure provider (Anthropic) to generate responses. Our agreements with AI providers prohibit them from using this data to train their models, and Lumelead does not use your data — or your leads’ conversations — to train AI models of our own. The AI agent answers only from the Clinic’s approved business content, and identifies itself as an AI assistant when asked directly.
3. How we share information
We never sell personal information. We share it only with:
- The Clinic you contacted — your conversation with a Clinic’s channels belongs to that Clinic and is visible to its staff.
- Service providers (subprocessors) that help us run Lumelead, bound by contract to use data only on our instructions — listed below.
- Legal authorities when required by law, or to protect the rights, safety, or property of Lumelead, our customers, or others.
Text messaging consent is never resold. SMS opt-in data and consent records are not shared with any third party for marketing or promotional purposes.
Subprocessors
The service providers that process personal data on our behalf, and why:
| Provider | Purpose | Data involved |
|---|---|---|
| Anthropic | AI response generation | Conversation content (training prohibited by contract) |
| Twilio | SMS delivery | Phone numbers, message content |
| Resend | Email delivery | Email addresses, message content |
| Stripe | Subscription billing | Clinic billing details (card data never touches our servers) |
| Cloud hosting & database | Infrastructure, encrypted storage, backups | All service data |
We keep this list current on this page. Questions about any provider: privacy@lumelead.com.
4. Data retention
We retain personal data for as long as the Clinic’s account is active or as needed to provide the service. Opt-out records are retained to honor the opt-out itself. When a Clinic account is deleted, all of its data — including every lead’s contact details and conversation history — is permanently deleted from our production systems, with residual copies removed from backups on a rolling basis within 35 days.
5. Data deletion & your rights
Depending on where you live, you may have rights to access, correct, delete, or export your personal data, and to object to or restrict certain processing.
- Leads and clients: contact the Clinic you messaged, or email us at privacy@lumelead.com and we will coordinate with the Clinic. See our Data Deletion Instructions for step-by-step guidance, including for Facebook and Instagram conversations.
- Clinic users: manage data in your dashboard or email privacy@lumelead.com.
- Messaging opt-out: reply STOP to any SMS, or use the unsubscribe link in any email, and automated outreach to you stops immediately — enforcement is automatic and platform-wide.
We respond to verified deletion requests within 30 days.
6. Security
All data is encrypted in transit (TLS) and at rest. Each Clinic’s data is isolated with database-level tenant separation enforced on every query. Access to production systems is restricted and audited. Webhook endpoints verify cryptographic signatures, and our public surfaces are rate-limited.
7. Health information
Lumelead is a sales and scheduling layer, not a medical records system. The AI agent is designed to route clinical questions to Clinic staff rather than discuss them, and Clinics are instructed not to load medical records or treatment histories into Lumelead. We do not offer a HIPAA Business Associate Agreement at this time — if your workflows require one, do not use Lumelead for those workflows.
8. Children
Lumelead is a business tool and is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.
9. International transfers
Our services are hosted in North America. If you contact a Clinic from another region, your data will be processed where our infrastructure is located, with the safeguards described in this policy.
10. Changes to this policy
We may update this policy as the service evolves. Material changes will be announced to Clinics by email or in-app notice, and the “Last updated” date above will change. Continued use of the service after changes take effect constitutes acceptance.
11. Contact us
Questions or requests: privacy@lumelead.com