Privacy Policy

How we collect, use, and protect your data at LumenFlow.

Last updated: 10 March 2026

1. Data controller

HellmAI Ltd is the data controller for personal data processed through LumenFlow. HellmAI Ltd is registered in England and Wales (company number 16412231). You can reach us at hello@hellm.ai.

2. What we collect

We collect information necessary to provide the service:

  • Account information: name, email address, and authentication details when you sign up.
  • Usage data: workspace activity, Sidekick conversations, tool calls, and action logs generated during your use of the service.
  • Billing information: payment details processed by Stripe. We do not store card numbers directly.
  • Technical information: IP address, browser type, and device information for security and performance purposes.
  • Model provider API keys: if you use bring-your-own-key, your API keys are encrypted at rest with AES-256 and used solely to route requests to your chosen provider.

3. How we use your data

We use your data to: operate and improve the LumenFlow service; process your Sidekick requests and tool calls; generate action logs, cost tracking, and audit records; handle billing and account management; communicate with you about the service; and detect and prevent abuse.

4. Legal basis (UK GDPR)

We process your personal data under the following legal bases:

  • Contract performance: processing necessary to provide the service you signed up for.
  • Legitimate interests: service improvement, security monitoring, and fraud prevention, balanced against your rights.
  • Consent: where required, such as for optional marketing communications.

5. AI model processing

When you use Sidekick, your prompts and context are sent to third-party AI model providers (such as OpenAI and Anthropic) to generate responses. We do not use your data to train AI models. If you use managed inference, we select the provider; if you use bring-your-own-key, requests are routed to your chosen provider. Third-party providers process data under their own privacy policies and data processing agreements.

6. Data retention

Workspace data (action logs, conversations, audit records) is retained according to your plan:

  • Free: 7 days
  • Team: 90 days
  • Enterprise: 365 days

When data reaches the end of its retention period, it is permanently deleted by an automated process — not archived or soft-deleted. Account information is retained for as long as your account is active and deleted upon account closure, subject to any legal retention obligations.

7. Third-party processors

We use the following third-party services to operate LumenFlow:

  • Supabase: database hosting and authentication (EU/US infrastructure)
  • Vercel: application hosting and edge delivery
  • Stripe: payment processing
  • AI model providers (OpenAI, Anthropic): inference processing for Sidekick

8. Data security

We protect your data with: AES-256 encryption at rest for sensitive data including model API keys; HTTPS with HSTS for all data in transit; row-level security for workspace isolation at the database layer; and per-workspace key derivation via envelope encryption. See our Security page for more detail.

9. International transfers

Some of our processors are based outside the UK. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including standard contractual clauses or adequacy decisions as applicable.

10. Your rights

Under UK GDPR, you have the right to:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate data.
  • Erasure: request deletion of your personal data, subject to legal obligations.
  • Portability: receive your data in a structured, machine-readable format.
  • Restriction: ask us to limit how we process your data in certain circumstances.
  • Objection: object to processing based on legitimate interests.

To exercise any of these rights, contact us at hello@hellm.ai. We will respond within one month.

11. Cookies

LumenFlow uses essential cookies for authentication and session management. We do not use third-party advertising or tracking cookies. Analytics, where used, relies on privacy-respecting, cookieless approaches.

12. Children

LumenFlow is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

13. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

14. Changes to this policy

We may update this privacy policy from time to time. Material changes will be communicated via email or an in-product notice. The “last updated” date at the top of this page reflects the most recent revision.

15. Contact

For privacy-related questions or to exercise your data rights, contact us at hello@hellm.ai.

HellmAI Ltd · Company No. 16412231 · Registered in England and Wales

82, Suite A James Carter Road, Mildenhall, United Kingdom, IP28 7DE