PRIVACY · PLAIN ENGLISH

Privacy is how trust is built.

Your customer data, your workshop's numbers, your fitter photos — they belong to you. We just hold them safely while you run your business.

Last updated 16 May 2026 · 5 min read · Plain English. We mean it.

We do

  • Store your data in India (AWS ap-south-1 region), encrypted at rest + in transit.
  • Give you full export of your data any time, in PDF or CSV.
  • Delete your data on request within 30 days (DPDP Act §11).

We don't

  • Sell your customer or workshop data — ever. Not now, not after acquisition.
  • Run AI/ML training on your tenant data unless you explicitly opt in.

01

What data we collect

To run Lumara, we collect three categories of data:

  • Operational data you put in — customer inquiries, measurements, quotes, orders, invoices, payments, work-order scans, fitter photos, signatures. This is YOUR data; we store it on your behalf.
  • Account data — name, email, phone, role of each Lumara user in your tenant. Used for login, RBAC, audit log, and support.
  • Technical telemetry — first-party page analytics (Plausible — no cookies, no personally-identifying tracking), error reports (Sentry — scrubbed of PII), and aggregate performance metrics. Used to keep the product working.

We do not collect biometric data, location data, government IDs, or any sensitive personal data as defined by the DPDP Act, beyond what is required for invoice GST compliance (GSTIN of the tenant business and its customers).

02

How we use it

Your data is used strictly to:

  • Run the Lumara product for you — store records, generate PDFs, push to Tally, send WhatsApp / SMS.
  • Provide support — when you write to us with a question, we may view relevant records to help.
  • Improve the product in aggregate (e.g., understanding which screens cause friction). All such analysis uses anonymised, aggregated metrics — never individual records.
  • Send service notifications (billing, downtime alerts). Marketing emails are opt-in only.

03

Who we share it with (and don't)

We share specific data only with the specific sub-processors required to deliver the service:

  • AWS (ap-south-1 region, India) — hosting + storage.
  • Meta (WhatsApp Business API) — when you send a customer a quote/invoice via WhatsApp.
  • MSG91 / SMTP provider — SMS and email delivery.
  • Razorpay / Stripe India — subscription billing (we never see your card details).
  • Plausible Analytics — page views; no cookies, no PII.
  • Sentry — error reporting; PII scrubbed before transmission.

We do not sell your data, share it for advertising, or grant access to it for any purpose beyond the above. If we ever introduce a new sub-processor, you'll see it here first.

04

Where it lives

Primary database and file storage live in AWS ap-south-1 (India region). Backups are encrypted and replicated within the same region — your data does not leave India.

The only exception is the WhatsApp Business API (operated by Meta), which routes message content via Meta's global infrastructure. This is required to actually deliver WhatsApp messages.

05

Your rights under the DPDP Act

India's Digital Personal Data Protection Act, 2023 grants you the following rights, which we honour:

  • Right to access — request a copy of all data we hold about you.
  • Right to correction — fix any inaccurate or incomplete data.
  • Right to erasure — delete your data (subject to legal retention requirements, e.g., tax records under the Income Tax Act).
  • Right to grievance redressal — raise a concern; we respond within 7 working days.
  • Right to nominate — appoint another person to exercise these rights in case of incapacity.

Email privacy@datacaffe.in to exercise any of these.

06

Cookies and tracking

The Lumara marketing website (lumara.datacaffe.in) uses no marketing cookies, no third-party trackers, no Facebook Pixel, no Google Analytics. We use Plausible Analytics, which is cookie-less and counts only page views in aggregate.

The Lumara product (app.lumara.datacaffe.in) uses a single first-party cookie for your login session. That's it.

07

Children's data

Lumara is a B2B product for window-coverings businesses. We do not knowingly collect data from individuals under 18. If you believe a child's data has reached our systems by mistake, email privacy@datacaffe.in — we will delete it within 7 days.

08

Updates to this policy

When this policy changes materially, we notify the tenant admin by email at least 14 days before the change takes effect. The "Last updated" timestamp at the top of this page always reflects the current version. A changelog of past versions is available on request.

09

Data Protection Officer

DataCaffe Technologies Pvt. Ltd. has appointed a Data Protection Officer in compliance with the DPDP Act.

Aparana M, Co-founder & DPO
dpo@datacaffe.in
DataCaffe Technologies Pvt. Ltd., India

For grievances under the DPDP Act, you may also approach the Data Protection Board of India after first giving us 30 days to respond.

QUESTIONS?

A real human will answer.

Email legal@datacaffe.in or WhatsApp the founders on the contact page.
