Privacy Policy
Last updated: January 20, 2026
Introduction
Luma Health ("Luma," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our medical necessity documentation platform.
By using Luma, you agree to the collection and use of information in accordance with this policy.
Information We Collect
Account Information
When you create an account, we collect:
- Email address
- Name
- Practice name
- NPI number (optional)
- Specialty
Patient Data (Limited Clinical Context)
Luma is designed to operate without Protected Health Information (PHI). We collect only the minimum clinical context needed for documentation generation:
- Patient first name only
- Age or age range (not date of birth)
- State of residence (no full address)
- Payer/insurance company name
- Diagnosis codes (ICD-10)
- Clinical details and treatment history
- Medication names and dosages
Information We Do NOT Collect
To maintain HIPAA compliance through the Safe Harbor de-identification method, we do not collect:
- Dates of birth
- Social Security numbers
- Medical record numbers (MRN)
- Full street addresses
- Phone numbers or email addresses of patients
- Insurance member IDs
- Exact dates of service
- Any other HIPAA-defined identifiers
How We Use Your Information
We use the information we collect to:
- Provide and maintain our documentation generation service
- Process and manage your account
- Generate medical necessity documentation using AI
- Research payer requirements and policies
- Process payments and subscriptions
- Send transactional emails (password resets, account notifications)
- Improve our services and develop new features
- Respond to customer support requests
AI Processing and Third-Party Services
Luma uses AI services to generate documentation. Our AI providers maintain strict data handling practices:
- Zero data retention policies for API requests
- SOC 2 Type II certification
- Signed Business Associate Agreements (BAAs)
- Compliance with HIPAA security and privacy requirements
Data sent to AI providers is processed in real time and is not stored or used for model training.
Data Security
We implement industry-standard security measures to protect your data:
- SOC 2 Type II certified infrastructure
- End-to-end encryption for data in transit (TLS 1.3)
- Encryption at rest (AES-256)
- Regular security audits and penetration testing
- Role-based access controls
- Automated PHI pattern detection and blocking
Data Retention
We retain your data as follows:
- Account data: Retained while your account is active and for 30 days after deletion request
- Generated documentation: Stored until you delete the case or your account
- Payment records: Retained as required by law (typically 7 years)
Your Rights
You have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your account and data
- Export your data in a portable format
- Opt out of marketing communications
To exercise these rights, contact us at hello@useluma.io.
HIPAA Compliance
Luma is designed to operate without collecting Protected Health Information (PHI) as defined by HIPAA. By using the Safe Harbor de-identification method, the limited patient context we collect (first name + clinical data) does not constitute PHI.
Business Associate Agreement (BAA): Because PHI is not collected or processed in our standard workflow, a BAA is generally not required. For organizations with internal policies requiring a BAA regardless of PHI handling, we offer enterprise arrangements.
User Responsibility: Users are responsible for ensuring they do not enter PHI into free text fields. Our platform includes automated detection that blocks common PHI patterns such as Social Security numbers and dates of birth.
Cookies and Tracking
We use essential cookies to maintain your session and preferences. We do not use third-party advertising cookies or sell your data to advertisers.
We may use privacy-respecting analytics to understand how our service is used and to improve the user experience.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. You are advised to review this Privacy Policy periodically for any changes.
Contact Us
If you have any questions about this Privacy Policy, please contact us at hello@useluma.io.