Privacy Policy

Last updated: 13 May 2026

lumenta ("we", "us", "our") is operated by Nupact UG (haftungsbeschränkt), registered in Germany. We are committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable national data protection laws.

This Privacy Policy explains what data we collect, why we collect it, how we process it, and what rights you have. It applies to all users of the lumenta platform at lumenta.io.

Core principle: lumenta is employee-controlled by design. Your individual behavioral data belongs to you. Your employer, manager, and HR team cannot access your individual coaching data, meeting analyses, or growth metrics. Only you decide what happens with your data.

1. Data Controller and Our Role

The data controller for the lumenta platform is:

Nupact UG (haftungsbeschränkt)
Email: info@nupact.ai

lumenta operates as a data controller for individual employee accounts. Unlike traditional enterprise software where the employer controls employee data, lumenta's architecture places data ownership with the individual employee. Your employer subscribes to the service and may receive anonymized aggregate analytics, but individual data processing decisions — including which meetings to observe and when to delete data — are made by you, the employee.

Where we process anonymized, aggregate data on behalf of a subscribing organization for HR analytics purposes, we act as a data processor under a Data Processing Agreement (DPA) with that organization. If your organization requires a DPA, please contact us at info@nupact.ai.

2. What Data We Collect

2.1 Account data

When you create an account, we collect your name, email address, and company affiliation. If you sign in with Google, we receive your Google profile information (name, email, profile picture) and, with your explicit consent, calendar access to schedule meeting observations.

2.2 Calendar data

If you connect your Google Calendar, we access your calendar events to identify meetings eligible for observation. We store event metadata (title, time, participants, conferencing link, and the event description/agenda when present). You control which meetings are observed through your observation mode settings (all meetings or only meetings you organize).

2.3 Meeting data

When lumenta observes a meeting, a bot joins the video call (Zoom, Microsoft Teams, or Google Meet) and records the audio. The bot identifies itself as a lumenta participant when joining, so all meeting attendees are aware of its presence. From the recording, we generate a diarized transcript (a transcript that identifies who said what). The original audio recording is deleted after transcript generation.

2.4 Behavioral data

From each transcript, we extract structured behavioral metrics using AI analysis. These include observable communication behaviors such as talk-time distribution, question frequency, feedback patterns, hedging language, and facilitation style. We do not perform emotion recognition, sentiment analysis, or psychological profiling. Our behavioral analysis is limited to concrete, observable communication patterns — the distinction the EU AI Act draws between permitted behavioral analysis and prohibited emotion recognition.

2.5 Coaching data

Your interactions with lumenta's AI coaching system, including your goals, coaching conversation history, Growth Ledger progress, and micro-commitments, are stored as part of your coaching profile.

2.6 Technical data

We collect standard technical data including IP address, browser type, device information, and usage analytics to maintain and improve the service.

3. Legal Basis for Processing

Under the GDPR, we process your data on the following legal bases:

| Data category | Legal basis |
| --- | --- |
| Account data | Performance of contract (Art. 6(1)(b) GDPR) |
| Calendar data | Explicit consent (Art. 6(1)(a) GDPR) |
| Meeting recordings & transcripts | Explicit consent of the employee user (Art. 6(1)(a) GDPR) |
| Behavioral data extraction | Legitimate interest in providing the coaching service, balanced against employee control (Art. 6(1)(f) GDPR) |
| Coaching data | Performance of contract (Art. 6(1)(b) GDPR) |
| Technical data | Legitimate interest in service security and improvement (Art. 6(1)(f) GDPR) |
| Aggregate HR analytics | Legitimate interest of the employer, subject to anonymization threshold (Art. 6(1)(f) GDPR) |

4. How We Use Your Data

We use your data to:

  • Provide AI-powered behavioral coaching grounded in your actual meeting behavior
  • Track your developmental progress over time through the Growth Ledger
  • Generate post-meeting behavioral summaries and coaching reflections
  • Send you email notifications (meeting summaries, weekly digests) — which you can disable
  • Provide your employer with anonymized, aggregate organizational insights (only when the cohort size meets our minimum anonymity threshold of 5 individuals)
  • Maintain, secure, and improve the lumenta platform

What we never do: We never share your individual behavioral data, coaching conversations, goals, or growth metrics with your employer, manager, or HR team. The only data visible to your organization is anonymized aggregate analytics that cannot be traced back to any individual.

No AI training on your data. Your meeting transcripts, behavioral data, and coaching conversations are never used to train AI models — not by us, and not by our AI providers. Our AI processing is performed via commercial API agreements that contractually prohibit the use of customer data for model training.

5. Employee-Controlled Data Architecture

lumenta is designed around the principle that employees own their own developmental data. This means:

  • You choose which meetings are observed — you can change your observation mode at any time
  • Your individual coaching data, behavioral metrics, and growth progress are accessible only to you
  • Your employer sees only anonymized aggregate data with enforced minimum cohort sizes
  • You can request deletion of all your data at any time (see Section 8)
  • Participation in lumenta is voluntary and employee-initiated

6. Sub-processors and Data Transfers

We use the following sub-processors to deliver the lumenta service:

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Supabase (via AWS) | Database, authentication, file storage | EU (Frankfurt) |
| Vercel | Application hosting, serverless functions | EU (Frankfurt) |
| Anthropic | AI analysis and coaching (Claude API) | USA — with EU SCCs |
| Attendee.dev | Meeting bot provider (recording & transcription) | USA — with EU SCCs |
| Resend | Transactional email delivery | USA — with EU SCCs |

Where data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) and, where applicable, supplementary technical measures.

Our AI provider (Anthropic) processes meeting transcripts and coaching interactions via their commercial API. Under Anthropic's commercial API terms, customer inputs and outputs are not used for model training, and data is retained for a limited period (up to 30 days) solely for trust and safety purposes before being deleted.

We will notify subscribing organizations of any changes to our sub-processors with reasonable advance notice. If you would like to be notified of sub-processor changes, contact us at info@nupact.ai.

7. Data Retention

  • Audio recordings: Deleted immediately after transcript generation (typically within minutes)
  • Transcripts: Retained for the duration of your account to enable longitudinal coaching
  • Behavioral data & coaching history: Retained for the duration of your account
  • Account data: Retained until you delete your account or your organization's contract ends
  • Aggregate analytics: Retained in anonymized form; not subject to individual deletion

If you request account deletion, we will delete all personal data associated with your account within 30 days of your request. Some data may be retained beyond this period only where required by law (e.g., for tax or audit purposes).

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15) — Request a copy of all personal data we hold about you
  • Right to rectification (Art. 16) — Correct inaccurate personal data
  • Right to erasure (Art. 17) — Request deletion of all your personal data
  • Right to restrict processing (Art. 18) — Limit how we use your data
  • Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format
  • Right to object (Art. 21) — Object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)) — Withdraw any consent at any time (e.g., calendar access, meeting observation)

To exercise any of these rights, contact us at info@nupact.ai. We will respond within 30 days as required by the GDPR.

9. EU AI Act Compliance

lumenta's AI system analyzes observable communication behavior — not emotions, biometric data, or psychological states. Under the EU AI Act, emotion recognition systems in the workplace are classified as prohibited (Article 5). lumenta does not fall into this category because:

  • We analyze concrete behavioral patterns (speaking time, question types, feedback structure) that are directly observable in meeting transcripts
  • We do not infer emotional states, stress levels, engagement, or psychological profiles
  • All behavioral proxies are grounded in peer-reviewed research with transparent methodology
  • Participation is voluntary and employee-controlled

10. Data Security

We implement technical and organizational measures to protect your data appropriate to our stage and the nature of the data we process. These currently include:

  • Encryption in transit (TLS) and at rest for all stored data
  • Row-level security (RLS) in our database, ensuring users can only access their own data
  • Secure authentication via industry-standard providers (Supabase Auth, Google OAuth)
  • Access to personal data restricted to founding team members on a need-to-know basis
  • No advertising cookies, tracking pixels, or third-party analytics that profile individuals

lumenta is currently in alpha. We do not yet hold formal security certifications (such as SOC 2 or ISO 27001). As we grow, we intend to pursue certifications appropriate to the needs of our customers. If you have specific security questions, we are happy to discuss our practices in detail at info@nupact.ai.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the competent supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Art. 33
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Art. 34
  • Notify subscribing organizations in accordance with the terms of any applicable Data Processing Agreement

Notification will include the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach.

12. Cookies and Tracking

lumenta uses only essential cookies required for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics that profile individual users.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the lumenta platform. The "Last updated" date at the top of this page reflects the most recent revision.

14. Supervisory Authority

If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority. In Germany, this is the relevant Landesdatenschutzbeauftragte for your state.

15. Contact

For any questions about this Privacy Policy or your data, contact us at:
info@nupact.ai

© 2026 lumenta. Employee-controlled. GDPR-compliant. EU AI Act-ready.