Privacy Policy and Personal Data Protection
Last updated: June 2, 2026 · Version 2.1
🛡️ Our commitment: we do not sell your personal data
LÜM does not sell, rent, or hand over your name, email, or phone to third parties for purposes unrelated to the Service.
We use your data primarily to operate LÜM, process receipts, manage Lümis, prevent fraud, and provide your spending analytics.
Segments for promotions: We may commercialize behavioral data in grouped segments with partner merchants — for example, users who frequently shop at supermarkets — so they can offer you promotions within the platform. The third party never knows who you are individually: they receive no name, email, phone, or data that directly identifies you.
Analytics and trends: For market metrics or merchant reports, we work only with aggregated and anonymized data — many accounts combined, without revealing who you are.
1. Data controller
The data controller for personal data collected through LÜM services is the entity operating the LÜM brand and platform («LÜM», «we», «us» or the «Controller»), with principal operations in the Republic of Panama.
- Privacy: soporte@lumapp.org
- Receipts: facturas@lumapp.org
- General support: soporte@lumapp.org
2. Scope and definitions
Submitting receipts via WhatsApp, email or the app also requires the Explicit Data Consent Annex.
This Policy applies to processing in connection with lumapp.org, the LÜM mobile app, WhatsApp, Telegram, email (including facturas@lumapp.org), loyalty programs, surveys, games, and merchant partnerships.
Key terms align with Law 81: personal data, data subject, processing, controller, processor, and sensitive data as defined under Panamanian law.
If you do not agree, do not use LÜM services.
3. Processing principles (Law 81)
We process data lawfully, fairly, transparently, for specified purposes, with data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability as required by Law 81.
4. Categories of personal data
4.1. Identification and contact
4.1.1 Contact data use
Email addresses and phone numbers are not sold, rented, or exchanged. They are used only to operate your account, authentication, support, service notifications, and LÜM communications.
Personalization within LÜM (your analytics, categories, Lümis, offers) relies on individual processing of your data within the Service. Metrics or trends shared with third parties or produced in groups are provided, when applicable, in aggregated and anonymized form only, so you cannot be identified or contacted outside LÜM.
Name, phone, email, account identifiers, language, country, and identity verification data when required for fraud prevention or legal compliance.
4.2. Receipt and invoice data
Information in receipts, invoices, tickets, QR codes, purchase emails, and images you submit, including merchant, date, amounts, taxes, line items, and inferred spending patterns.
4.3. Financial and consumption data
Spending categories, trends, Lümis history, promotions, and survey responses about consumption habits.
4.4. Usage and technical data
App and website interactions, IP address, device identifiers, logs, cookies (see Cookie Policy).
Sensitive data: We do not actively request sensitive data. If you voluntarily include it in receipts or messages, we process it only as necessary to handle the document; avoid sending unnecessary sensitive information.
5. Purposes and legal bases
We process data to: operate the loyalty program; process receipts; provide spending analytics; personalize offers; work with merchants; prevent fraud; communicate with you; conduct marketing where permitted; comply with law; improve the product; and defend legal claims — based on consent, contract, legal obligation, and legitimate interest under Law 81.
You may withdraw consent at any time without affecting prior lawful processing; withdrawal may limit functionality.
5.1. Lümis y datos de lealtad — sin valor comercial
LOS LÜMIS SON PUNTOS PROMOCIONALES VIRTUALES SIN VALOR COMERCIAL, MONETARIO NI PATRIMONIAL. NO CONSTITUYEN DINERO, CRÉDITO, DEPÓSITO NI DERECHO ADQUIRIDO IRREVOCABLE. LÜM PUEDE MODIFICAR, CORREGIR, REVOCAR O CANCELAR LÜMIS Y BENEFICIOS SIN COMPENSACIÓN, INCLUIDA LA CORRECCIÓN RETROACTIVA DE ACREDITACIONES ERRÓNEAS.
Los datos de saldo de Lümis, historial de canjes y gamificación se tratan únicamente para operar el programa conforme a los Términos de Servicio.
6. Receipts, OCR, artificial intelligence and accuracy
You represent that you are authorized to share submitted documents and that they are truthful to your knowledge. We use OCR, business rules, and AI to extract data. Errors and omissions may occur. LÜM does not guarantee accuracy. You are responsible for reviewing derived information.
Unless you give separate express consent, we do not use full receipt content to train third-party AI models or sell identifiable receipts for training purposes. We may use aggregated or anonymized data to improve internal systems.
7. Automated decisions and profiling
Automated logic may credit Lümis, categorize spending, personalize offers, and detect fraud, with effects on your loyalty account. You may request human review where applicable under Law 81 by emailing soporte@lumapp.org.
8. Processors and sharing
We do not sell personal data for commercial purposes unrelated to the Service. We may share data with cloud providers, messaging platforms (including Meta/WhatsApp), analytics, support, fraud prevention, professional advisers, merchant partners (as needed for redemptions you choose), and authorities when legally required. Processors are bound by contract and security obligations.
Your direct identity is not a product. In particular, LÜM does not:
- Sell your name, email, or phone to advertisers, data brokers, or unrelated third parties
- Hand over your purchase history linked to your identity to third parties for external advertising
- Share information that directly and individually identifies you with the merchants or third parties to whom it communicates analyses or segments
- Exchange contact lists with external marketing partners
- Share your email or phone with third parties for advertising, external lists, or outreach unrelated to LÜM
What LÜM may do: commercialize behavioral segment information grouped and without individual identification, so the third party receives only trends or ranges — not who you are.
Your email and phone are used only within the LÜM Service.
Contact data (email and phone) are not sold or shared as identifiable lists. Any third-party metrics are shared only in aggregated and anonymized form.
Commercial insights to merchants are provided in aggregated or anonymized form when possible.
9. Merchant partners
Merchants are independent. Their privacy practices apply when you deal with them directly. LÜM is not responsible for merchants' data practices outside agreed limits.
10. International transfers
Data may be processed inside or outside Panama. Where applicable, measures, legal bases, or mechanisms permitted under Law 81 may be used (including contractual clauses, assessments, or consent where required). Global providers (e.g., cloud, WhatsApp) process data under their own policies.
11. Retention
We retain data as long as needed for the purposes above, dispute resolution, fraud prevention, and legal obligations, then delete, anonymize, or block data unless retention is mandatory.
12. Security
We use measures including TLS, encryption at rest (e.g., AES-256) for sensitive data, access controls, and incident procedures. No system is completely secure. You must protect your credentials and devices.
13. Personal data breaches
We will act per Law 81 and internal procedures, including notification to the competent authority and data subjects where legally required.
14. Data subject rights (Law 81)
Subject to Law 81, you may request access, rectification, cancellation/deletion, opposition, limitation, portability where applicable, withdrawal of consent, and protection against solely automated decisions where required.
Email soporte@lumapp.org with subject «Data rights — Law 81», your name, contact, right sought, and identity document when reasonably needed. We respond within legal timeframes. You may complain to the competent Panamanian data protection authority when available, or to Panamanian courts.
15. Minors
Services are for users 18+ only. We do not knowingly collect children's data. Contact soporte@lumapp.org if you believe we have.
16. WhatsApp, Telegram and third-party platforms
Before sending your first receipt via messaging or email, you must provide consent under the Data Consent Annex (e.g. replying «I ACCEPT» on WhatsApp or checking in-app boxes).
Third-party platform terms and privacy policies apply. LÜM does not control those providers. Do not send unnecessary sensitive data over insecure channels.
17. Cookies
See our Cookie Policy. Non-essential cookies follow our consent mechanism.
18. Limitation of liability (privacy)
TO THE MAXIMUM EXTENT PERMITTED BY PANAMANIAN LAW, LÜM AND ITS AFFILIATES SHALL NOT BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR LOSS OF PROFITS, DATA, OR GOODWILL ARISING FROM DATA PROCESSING, EXCEPT WHERE LAW MANDATES OTHERWISE. TOTAL LIABILITY FOR PRIVACY CLAIMS IS LIMITED TO THE GREATER OF AMOUNTS YOU PAID LÜM IN THE PRIOR TWELVE (12) MONTHS OR USD 100, EXCEPT FOR WILLFUL MISCONDUCT OR GROSS NEGLIGENCE WHERE PROHIBITED.
18.1. Waiver of claims and release
By accepting this Policy and using LÜM, you — to the extent permitted by Panamanian law — waive claims against LÜM relating to data processing, system errors, automated decisions, loss of Lümis or benefits, and third-party conduct, and release and discharge LÜM from liability arising from your use of the Service and information you voluntarily provide (including receipts), except non-waivable mandatory rights.
19. Changes
LÜM reserves the exclusive right to modify, update, or replace this Policy at any time, at its sole discretion, without prior notice or consent. The current version will be the one published on this page or our official channels. The absence of direct notification does not invalidate or delay the effectiveness of the changes. Continued use of the Service after the publication of modifications shall constitute your absolute, irrevocable, and binding acceptance. If you do not agree with any modification, your sole and exclusive remedy is to immediately stop using LÜM services.
20. Contact and Spanish version
Questions: soporte@lumapp.org. Authoritative Spanish version for Panama users: Política de Privacidad.