Privacy Policy
Effective 2026-05-16. Version 1.0.
This Privacy Policy explains how LumireCRM ("we", "us") collects, uses, shares and protects personal data when you use our platform (the "Service"). It applies to the LumireCRM SaaS offered to brokers and prop firms, as well as to the customer-facing portals our tenants operate on top of the platform.
1. Controller
For tenant data (the data a broker uses to operate its business), the Tenant is the controller and LumireCRM is the processor. For platform-level data (account, billing, telemetry) LumireCRM is the controller.
2. Data we collect
- Account data: name, email, role, password hash, multi-factor secrets.
- Trader data: identifiers, contact details, country, KYC documents and outcomes (processed on behalf of the Tenant).
- Transaction data: deposits, withdrawals, payment-method identifiers, blockchain addresses, transaction hashes.
- Telemetry: request logs, IP address, user-agent, OpenTelemetry traces, error reports (Sentry/GlitchTip).
- Communications: emails, in-app messages, support tickets you exchange with us or your broker.
3. How we use data
- To provide, maintain and improve the Service.
- To authenticate users and prevent fraud, abuse and unauthorised access.
- To enable Tenants to fulfil their own legal obligations (KYC, AML, sanctions screening).
- To send transactional notifications and (with consent where required) product updates.
- To comply with applicable law and respond to lawful requests.
4. Sharing
We share data with: (a) sub-processors listed in our DPA (e.g. Sumsub for KYC, Stripe for billing, Resend for email, blockchain RPC providers, MinIO storage); (b) Tenants whose accounts you transact under; (c) authorities when legally required. We do not sell personal data.
5. International transfers
The Service is hosted in DigitalOcean London and Hetzner Germany regions. Where data crosses jurisdictions, we rely on Standard Contractual Clauses or equivalent safeguards.
6. Retention
We retain account data while your account is active, and for up to 7 years thereafter where required by financial-services regulation. Telemetry is retained for 90 days by default. KYC documents are retained per the Tenant's regulatory obligations.
7. Security
We use TLS in transit, AES-256-GCM at rest for sensitive fields (including encrypted wallet private keys), per-tenant row-level security in Postgres, password hashing with Argon2id, mandatory MFA for staff accounts, and audit logging on every privileged action. No system is perfectly secure; we expect users to keep their own credentials safe.
8. Your rights
Subject to applicable law (GDPR, UK GDPR, CCPA, equivalent regimes), you may request access, correction, erasure, restriction or portability, or object to processing. Submit requests to privacy@lumirecrm.com. We respond within 30 days. For data the Tenant controls, we will route your request to them.
9. Cookies
We use first-party, strictly-necessary cookies for authentication and session management. We do not use third-party advertising cookies on the marketing site.
10. Changes
We will update this Privacy Policy as our practices evolve. We will give notice of material changes at least 14 days before they take effect.
11. Contact
Privacy questions: privacy@lumirecrm.com.