Luminid · Legal Entity ID: 3102-950-241 · Costa Rica · hello@luminid.org

Privacy Policy

Last updated: June 2026

Contents

1. Data Controller Identity and Contact
2. Scope and Application of This Policy
3. Categories of Personal Data We Collect
4. How We Collect Your Data
5. Purposes and Legal Bases for Processing
6. How and With Whom We Share Your Personal Data
7. Special Protections for Candidate Personal Data
8. Artificial Intelligence, Automated Processing, and Profiling
9. Data Retention and Deletion
10. International Data Transfers
11. Your Rights as a Data Subject
12. Cookies, Tracking Technologies, and Analytics
13. Security Measures
14. Data Breach Notification Obligations
15. Children's Privacy
16. Third-Party Services and Their Privacy Practices
17. Employment-Specific Privacy Provisions
18. Changes to This Privacy Policy, Contact, and Governing Framework
19. Legal Bases for Processing
20. Aggregated and De-Identified Data
21. Non-User Data Collection
22. Subprocessors
23. Regional Supplements
24. Responsible Disclosure and Security Research

1. Data Controller Identity and Contact

This Privacy Policy is issued by Luminid, a sociedad de responsabilidad limitada duly organized and existing under the laws of the Republic of Costa Rica, with registered Legal Entity ID (Cédula Jurídica) 3102-950-241, having its principal place of business in San José, Costa Rica ("Luminid," "we," "us," or "our"). Luminid operates the talent platform accessible at luminid.org and all associated subdomains, mobile applications, APIs, and integrated services.

For the purposes of the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, Costa Rican Law No. 8968 (Ley de Protección de la Persona frente al tratamiento de sus datos personales), and all other applicable data protection and privacy laws, Luminid is the data controller for Personal Data processed in connection with operating the Platform and its Services, including Account management, Simulation delivery, talent marketplace operations, fraud prevention, and Platform communications.

Where Luminid processes Candidate Personal Data on behalf of a Company in connection with a specific hiring Pipeline or process, Luminid acts as a data processor for that Company, which is the data controller. The terms governing such processing are set out in Luminid's standard Data Processing Agreement, available upon request.

PRIMARY CONTACT FOR PRIVACY MATTERS. For all questions, requests, complaints, or correspondence related to this Privacy Policy or the processing of your Personal Data, please contact us at:

Luminid
San José, Costa Rica
Email: hello@luminid.org
Subject line: "Privacy Inquiry" or "Data Subject Request"

We acknowledge all privacy inquiries within five (5) business days and aim to resolve substantive requests within thirty (30) days, in compliance with applicable law. If your request is complex or you have submitted multiple requests, we may extend this period by an additional two months, in which case we will notify you.

2. Scope and Application of This Policy

This Privacy Policy applies to all Personal Data collected, processed, stored, shared, or otherwise handled by Luminid in connection with: (a) the operation of the Platform at luminid.org and all associated subdomains and applications; (b) the creation and management of User Accounts; (c) the delivery of Simulations and assessment services; (d) talent marketplace and job board operations; (e) communications and notifications sent to Users; (f) analytics, product development, and Platform improvement activities; (g) fraud prevention, security, and trust and safety operations; (h) customer support and technical assistance; (i) legal compliance and regulatory obligations; and (j) all other processing activities described in this Policy.

This Policy applies to all categories of Users, including: natural persons who register as Candidates; legal entities and their representatives who register as Companies; Authorized Users of Company Accounts; visitors to luminid.org who have not created an Account; and individuals whose data is submitted to the Platform by other Users (such as Candidates whose information is uploaded by Recruiters).

This Policy does not govern the privacy practices of Companies that use the Platform to conduct hiring. When a Company accesses your data through the Platform as part of a hiring process, that Company is acting as an independent data controller and its own privacy policy and data protection practices apply to its processing of your data. Luminid is not responsible for Company data practices.

This Policy is updated periodically. Material changes are communicated as described in Section 18. The current version of this Policy is always available at luminid.org/privacy. Your continued use of the Platform following the effective date of any update constitutes your acknowledgment of the updated Policy.

3. Categories of Personal Data We Collect

We collect a wide range of categories of Personal Data in order to operate the Platform and provide our Services. The specific data elements collected depend on how you use the Platform and what role you have registered under.

IDENTITY AND CONTACT DATA. When you create an Account, we collect your full name, email address, chosen password (stored in hashed form only and never in plaintext), and your selected role (Candidate or Company/Recruiter). If you authenticate via a third-party OAuth provider such as Google or LinkedIn, we receive your name and email address from that provider as part of the OAuth handshake.

PROFESSIONAL AND PROFILE DATA (CANDIDATES). If you complete a Candidate profile, we may collect: your professional headline and personal tagline; current and previous job titles, employers, employment dates, and responsibilities; educational institutions, degrees, fields of study, and graduation dates; professional certifications, licenses, and credentials; declared skills and competency levels; language proficiencies and levels; years of professional experience; industry and functional area preferences; career and salary preferences, including desired compensation range, work arrangement preferences (remote, hybrid, on-site), and geographic flexibility; current city and country of residence; upload of a resume, CV, portfolio, or other professional document; photograph or avatar if uploaded; professional social media profile links you choose to add; and any other information you voluntarily include in free-text fields.

SIMULATION AND ASSESSMENT DATA. When you complete a Simulation, we collect: all responses, answers, selections, and submissions made during the Simulation; timing data, including total time taken, time per question, and patterns of activity; input device patterns (keystroke dynamics, mouse or scroll behavior) for integrity and anomaly detection purposes; Simulation Scores and competency level designations assigned by our scoring systems; any written qualitative feedback or evaluator notes associated with your score; and the date, time, device, browser, and IP address from which the Simulation was taken.

APPLICATION AND PIPELINE DATA. When you apply to a Job Listing, we collect: your Application submission and all accompanying materials including cover letters, portfolio links, and responses to screening questions; the Job Listing to which you applied and the Company that posted it; the Application status and all Pipeline stages you move through; any notes, comments, ratings, or evaluations added by Recruiters; interview scheduling data including dates, times, and meeting details; offer letters, proposed compensation, and your acceptance or rejection decisions; and disposition records including reasons for rejection where provided.

COMPANY AND RECRUITER DATA. If you register as a Company, we collect: company legal name, trade name, and registered address; company size, industry, and organizational structure; the names, email addresses, and roles of all Authorized Users; billing and payment information including credit card or bank account details, billing address, and payment history; job posting history, search and sourcing activity, and Platform usage patterns; any assessment content created through the simulation builder; and correspondence and support interactions with Luminid.

TECHNICAL AND DEVICE DATA. For all Users, we automatically collect: IP address; device type, model, and operating system version; browser type and version; screen resolution and device settings; referring URL and exit pages; session identifiers and authentication tokens; pages and features accessed, and the sequence and timing of those accesses; search queries and filters applied on the Platform; click-through patterns and hover data; JavaScript errors and performance metrics; and network connection type and approximate geographic location derived from IP address.

COMMUNICATIONS DATA. We collect the content of all messages, emails, notifications, and other communications sent through or related to the Platform, including messages between Candidates and Recruiters in the Platform's messaging system, support tickets and customer service communications, feedback and survey responses, and any other correspondence you send to us.

PAYMENT AND BILLING DATA. For Companies on paid Subscriptions, we collect: payment card or bank account information (handled by our payment processor, Stripe, which maintains PCI-DSS compliance; we do not store full payment card numbers); billing name and address; invoice history and amounts; payment status and transaction identifiers; and tax identification numbers where required.

INFERRED AND DERIVED DATA. Based on your use of the Platform and the data you provide, we may infer or derive additional information, including: inferred skill gaps and areas for development based on Simulation performance; estimated job-fit scores for specific roles; and Platform engagement scores. These inferences are used to personalize your experience and improve matching algorithms and are not shared with third parties as standalone inferences.

SENSITIVE PERSONAL DATA. We do not intentionally collect sensitive categories of Personal Data as defined under applicable law, including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for unique identification, health data, or data concerning sex life or sexual orientation. If you voluntarily include such information in free-text profile fields, we will process it to the extent necessary to provide the Service, on the basis of your explicit consent. We strongly advise against including such information in your profile.

4. How We Collect Your Data

We collect Personal Data through multiple channels and mechanisms.

DIRECT COLLECTION FROM YOU. The primary source of your Personal Data is information you provide directly to us, including during Account registration; while completing or updating your Profile; during the submission of Simulation responses; when applying to Job Listings; when using the Platform's messaging features; when uploading documents such as resumes or portfolios; when completing surveys or providing feedback; when contacting customer support; and when completing any other action through the Platform's interfaces that involves submitting information.

AUTOMATIC COLLECTION THROUGH TECHNOLOGY. We automatically collect technical data when you access and use the Platform through the use of: web server logs that record requests made to our servers; session management cookies that maintain your authentication state; analytics tracking scripts that record your interactions with Platform features; error tracking and performance monitoring tools; and fraud and integrity detection systems, including behavioral analysis of Simulation-taking sessions.

COLLECTION FROM THIRD PARTIES. We receive Personal Data about you from third parties in certain circumstances: (a) if you authenticate using Google OAuth or LinkedIn OAuth, we receive your name, email address, and basic profile information from those providers; (b) if a Company Recruiter sources your profile through the Platform's talent pool features, that Recruiter may provide or confirm additional information about you; (c) if another User refers you or submits information about you through the Platform; (d) from identity verification services, where we use them to verify your identity or professional credentials; and (e) from publicly available professional sources, where our systems reference publicly available information to supplement Platform data with your explicit consent.

COOKIES AND SIMILAR TRACKING TECHNOLOGIES. We use cookies, web beacons, pixel tags, local storage objects, and similar technologies to collect technical and behavioral data as described in Section 12 of this Policy. Detailed information about our cookie practices and how to manage your preferences is provided in that Section.

5. Purposes and Legal Bases for Processing

We process your Personal Data only for specified, explicit, and legitimate purposes. For each major category of processing, we identify the purpose and the legal basis on which we rely, as required by the GDPR and equivalent applicable data protection laws.

ACCOUNT CREATION AND MANAGEMENT. Purpose: To create and maintain your Account, verify your identity, manage your session, communicate account-related information, and enable you to access Platform features. Legal basis: Performance of the contract between you and Luminid (GDPR Art. 6(1)(b)); for optional profile enrichments, consent (Art. 6(1)(a)).

DELIVERY OF SIMULATIONS AND SCORING. Purpose: To administer Simulations, record your responses, calculate and display Simulation Scores, and provide competency assessments. Legal basis: Performance of contract (Art. 6(1)(b)); where AI profiling is involved, explicit consent and, where applicable, GDPR Article 9(2)(a) or equivalent.

CANDIDATE-EMPLOYER MATCHING AND JOB APPLICATIONS. Purpose: To display your profile to Companies you apply to or (if you enable discoverability) to Companies searching the talent pool, and to facilitate the Application and Pipeline process. Legal basis: Performance of contract and, for talent pool discoverability, your specific consent provided through your privacy settings (Art. 6(1)(a)).

JOB ALERTS AND NOTIFICATIONS. Purpose: To send you email or in-platform notifications about Job Listings that match your profile preferences, application status updates, interview scheduling, and other relevant platform activity. Legal basis: Performance of contract for transactional notifications; legitimate interests for job recommendations (Art. 6(1)(f)), balanced against your ability to opt out at any time.

PLATFORM OPERATIONS AND SECURITY. Purpose: To operate, maintain, monitor, and protect the Platform and its users; to detect, prevent, and respond to fraud, abuse, unauthorized access, security incidents, and technical errors. Legal basis: Legitimate interests of Luminid in operating a secure and reliable Platform (Art. 6(1)(f)); legal obligations where applicable (Art. 6(1)(c)).

PRODUCT IMPROVEMENT AND ANALYTICS. Purpose: To analyze aggregate and anonymized usage patterns, identify feature improvements, conduct A/B testing, and measure Platform performance. Legal basis: Legitimate interests (Art. 6(1)(f)), provided data is anonymized or pseudonymized before use in aggregate analysis; consent for non-essential analytics cookies (Art. 6(1)(a)).

AI MODEL TRAINING AND IMPROVEMENT. Purpose: To train, validate, test, and improve the AI and machine learning models underlying our Simulation scoring systems. Legal basis: Legitimate interests (Art. 6(1)(f)), provided training uses exclusively pseudonymized or anonymized datasets from which individual Candidates cannot be identified; explicit consent for any training on identifiable data. We do not sell individual Simulation responses for AI training purposes to third parties.

BILLING AND PAYMENT PROCESSING. Purpose: To process Subscription fees, generate invoices, manage payment method information, and handle billing disputes. Legal basis: Performance of contract (Art. 6(1)(b)); legal obligation for record-keeping (Art. 6(1)(c)).

LEGAL COMPLIANCE AND REGULATORY OBLIGATIONS. Purpose: To comply with applicable laws and regulations, respond to lawful requests from governmental and regulatory authorities, enforce our Terms of Service, and protect the legal rights of Luminid and its Users. Legal basis: Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)) for enforcement activities not required by law.

MARKETING COMMUNICATIONS. Purpose: To send you promotional emails, product announcements, and industry news. Legal basis: Consent (Art. 6(1)(a)) for direct marketing. You may withdraw consent and unsubscribe at any time using the unsubscribe link in any marketing email or by updating your notification preferences in your Account settings. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

DISPUTE RESOLUTION AND LEGAL DEFENSE. Purpose: To investigate and resolve disputes, enforce our agreements, defend legal claims against Luminid, and comply with court orders. Legal basis: Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)) for legal defense.

6. How and With Whom We Share Your Personal Data

We do not sell, rent, or trade your Personal Data to any third party for their own marketing or commercial purposes. We share your Personal Data only in the limited circumstances described in this Section.

WITH COMPANIES AND RECRUITERS. We share Candidate Personal Data with Companies in the following specific circumstances: (a) when a Candidate applies to a Job Listing, we share the Candidate's Profile data (to the extent included in the Application), Simulation Scores for Simulations assigned to that role, Application materials, and Application status with the Company that posted the Job Listing and its Authorized Users; (b) when a Candidate has enabled the "Proven Available" or equivalent discoverability feature, we display the Candidate's public Profile and Simulation Scores to Companies conducting talent searches; and (c) when a Recruiter sources a Candidate through the talent pool tools, we display the sourced Candidate's public profile. Candidates can restrict visibility and block specific Companies through their Profile privacy settings. Sharing with a Company for one Job Listing does not authorize that Company to use the Candidate's data for any other purpose.

WITH SERVICE PROVIDERS AND SUB-PROCESSORS. We engage carefully selected third-party service providers to assist in operating the Platform. These providers act as data processors on our behalf and are contractually bound by data processing agreements that prohibit them from using your data for any purpose other than providing services to Luminid and require them to maintain appropriate technical and organizational security measures. Current categories of service providers include: (a) cloud infrastructure and database hosting (data stored on servers operated by Supabase, which uses infrastructure provided by Amazon Web Services); (b) transactional email delivery service for sending Account notifications, application updates, and other platform communications; (c) payment processing (Stripe, which handles all payment card data under PCI-DSS compliance standards; Luminid does not store full card numbers); (d) analytics and monitoring (privacy-respecting analytics tools operating on aggregate and pseudonymized data); (e) error tracking and performance monitoring services; (f) AI and machine learning model infrastructure for Simulation scoring; (g) customer support tooling; and (h) identity and fraud verification services. A full list of current sub-processors is available upon request at hello@luminid.org.

WITH LAW ENFORCEMENT AND GOVERNMENTAL AUTHORITIES. We may disclose your Personal Data to law enforcement agencies, governmental authorities, regulatory bodies, courts, or other public institutions where we are legally required or compelled to do so, including in response to a valid subpoena, court order, government investigation, legal process, or mandatory regulatory request. We review all such requests for legal validity before complying and will notify you of any such request where we are legally permitted to do so and where doing so would not jeopardize an investigation. If we believe a request is overbroad or legally insufficient, we will seek to narrow or challenge it.

IN CONNECTION WITH BUSINESS TRANSACTIONS. If Luminid undergoes a merger, acquisition, restructuring, sale of all or substantially all of its assets, bankruptcy, or other corporate transaction, your Personal Data may be transferred to the acquiring or successor entity as part of that transaction. We will notify you via email and/or prominent notice on the Platform before your data is transferred and becomes subject to a different privacy policy. We will take reasonable steps to ensure that any acquirer provides protections for your Personal Data that are materially equivalent to those in this Policy.

WITH YOUR CONSENT OR AT YOUR DIRECTION. We may share your Personal Data with third parties where you have given us your explicit, specific, informed, and unambiguous consent to do so, including when you choose to connect third-party integrations, export your data, or direct us to share information with a specific party. You may withdraw consent at any time without affecting the lawfulness of sharing already carried out.

VERIFIED CREDENTIAL CONFIRMATION LINKS. When you export a résumé or otherwise share a Luminid verified credential, the exported document includes, by default, a confirmation link and QR code that a recipient (such as a recruiter) may use to confirm the credential against Luminid's live record. A confirmation link discloses only the minimum necessary to confirm a claim you have already chosen to disclose by sharing the document: the verified skill, the fact that the verification was issued by Luminid, the assessment format, the date of verification, and your name as it appears on the shared document. A confirmation link does not disclose your full profile, your contact details, your other skills, any numeric score, or any assessment content, and it operates independently of whether your public profile page is enabled. Because the link confirms only information you have already disclosed by choosing to share the document, this confirmation is enabled by default at the time of export; the legal basis is the performance of our contract with you in providing a portable, verifiable credential (GDPR Art. 6(1)(b)) together with your consent exercised by choosing to export and share (Art. 6(1)(a)). You may disable confirmation links at any time in Profile → Settings, after which existing links resolve to a neutral message stating that confirmation has been turned off, with no statement implying that the underlying verification is invalid. Confirmation always resolves against Luminid's live record; a downloaded or printed copy of a credential is a snapshot that may be altered or out of date, and the live record governs.

AGGREGATED AND ANONYMIZED DATA. We may share aggregated, anonymized, or de-identified data that does not identify any individual User with third parties for research, industry benchmarking, product development, and other legitimate business purposes. Such data does not constitute Personal Data and is not subject to this Policy's restrictions on sharing.

PROFESSIONAL ADVISORS. We may share Personal Data with our lawyers, auditors, accountants, and other professional advisors where necessary for them to provide services to us, subject to appropriate confidentiality obligations.

7. Special Protections for Candidate Personal Data

Given the significant potential impact of the Platform on Candidates' employment prospects and professional lives, Luminid applies heightened protections to Candidate Personal Data beyond general platform data practices.

PURPOSE LIMITATION ENFORCEMENT. Luminid's Terms of Service impose strict contractual obligations on Companies prohibiting the use of Candidate Personal Data for any purpose other than the specific hiring process for which it was made available. These obligations include prohibitions on using Candidate data for marketing, surveillance, non-employment profiling, resale, and aggregation with external data sources. Violation of these restrictions by a Company constitutes a material breach of the Terms of Service and may result in immediate termination and legal action.

COMPANY ACCESS CONTROLS. Access to Candidate Personal Data by Companies is controlled through Role-Level Security, meaning that each Company Account can only access data submitted by Candidates in Applications to that Company's own Job Listings, or Profile data of Candidates who have enabled discoverability. Companies cannot access the data of Candidates who have blocked them, and cannot access any Candidate's full personal contact information except where the Candidate has progressed to a stage in the Pipeline where such access is appropriate.

DATA MINIMIZATION IN SHARING. When a Candidate applies to a Job Listing, Luminid shares only the data elements the Candidate has included in their Application, not the entirety of the Candidate's Platform profile. Candidates control what information is shared with each Application.

RIGHT TO BLOCK COMPANIES. Candidates may block specific Companies from accessing their Profile in any context through the Privacy & Data settings in their Account. Blocking is immediate and permanent until the Candidate removes the block. Blocked Companies will not receive notification that they have been blocked.

SIMULATION SCORE PORTABILITY. Candidates' Simulation Scores are stored in their Account and are not deleted when a Company's Job Listing closes or when a Candidate's Application is rejected. Candidates may include their Scores in future Applications. Scores are not shared between Companies without the Candidate's affirmative action of including them in an Application.

CANDIDATE RIGHT TO WITHDRAW. Candidates may withdraw any Application at any time before a final decision is made. Withdrawal does not obligate Luminid or the Company to delete Application data already reviewed, but Luminid will anonymize such data in accordance with the retention schedule in Section 9.

PROTECTION FROM DISCRIMINATION. Luminid monitors Platform usage for patterns suggesting discriminatory use of Candidate data, including anomalous rejection rates based on demographic correlations. Luminid reserves the right to investigate and terminate Company Accounts where there is reasonable evidence of systematic discriminatory use of the Platform.

8. Artificial Intelligence, Automated Processing, and Profiling

AUTOMATED PROCESSING IN SCORING. The Platform uses artificial intelligence and machine learning systems to assist in scoring Simulation responses. This may involve automated processing of your Simulation submissions to generate a Simulation Score without human review of each individual response. Where such automated processing produces a result that has a significant effect on your employment prospects — specifically, where a Simulation Score is used as a requirement for advancement in a hiring process — this may constitute automated decision-making within the meaning of GDPR Article 22.

YOUR RIGHTS IN RELATION TO AUTOMATED DECISIONS. In jurisdictions where GDPR Article 22 or equivalent protections apply, you have the right to: (a) not be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you; (b) request human review of any automated decision; (c) express your point of view regarding the decision; and (d) contest the decision and request that it be reconsidered. To exercise these rights, contact hello@luminid.org. Note that Companies using Simulation Scores to make hiring decisions are independently responsible for their obligations under GDPR Article 22 and equivalent laws in connection with those decisions.

PROFILING. Luminid engages in limited profiling of Candidates for the purpose of personalizing the Platform experience, including recommending Job Listings that may be of interest, surfacing relevant Simulations, and estimating match scores between Candidate profiles and Job Listings. This profiling does not use sensitive categories of Personal Data and does not produce legally significant decisions without human review. You may object to profiling at any time by contacting hello@luminid.org.

AI BIAS MITIGATION. Luminid takes the following steps to identify and mitigate potential bias in AI-assisted Simulation scoring: (a) regular review of scoring distributions across demographic groups to detect adverse impact where demographic data is available; (b) qualitative review of scoring rubrics by subject matter experts; (c) ongoing model evaluation against benchmarks of known performance; and (d) regular updates to training datasets to improve representativeness. Despite these efforts, we cannot guarantee that our AI systems are entirely free of bias, and we encourage Companies to conduct their own adverse impact analyses as required by applicable employment law.

HUMAN OVERSIGHT REQUIREMENT. Luminid requires through its Terms of Service that Companies employ meaningful human review in all hiring decisions and not automate rejections, advancements, or offers based solely on Simulation Scores. Luminid does not make hiring decisions on behalf of Companies; all final employment decisions are made by human decision-makers within the Company.

9. Data Retention and Deletion

We retain your Personal Data for only as long as is necessary for the purposes for which it was collected, consistent with our legitimate business interests, legal obligations, dispute resolution needs, and enforcement of our agreements. This Section sets out specific retention periods for each category of data we hold.

ACTIVE ACCOUNT DATA. All Personal Data associated with an active Account is retained for the duration that the Account remains active. This includes Profile data, Simulation history, Application records, and Account settings.

SIMULATION SCORES AND RESULTS. Simulation Scores, response data, and associated assessment records are retained for a period of thirty-six (36) months from the date of the most recent Simulation taken or from the date of your last Platform activity, whichever is later. This retention period allows Candidates to maintain a historical record of their verified skills and allows Luminid to provide consistent, comparable scoring over time. After this period, Simulation Score data is anonymized (de-linked from your identity) and retained in aggregate form for research and calibration purposes.

CANDIDATE APPLICATION RECORDS. Candidate Application data, including the Application materials submitted, the Pipeline status records, recruiter notes, and associated Simulation Scores, is retained in its original form until the relevant Job Listing is closed or the Application is withdrawn. Following Job Listing closure, Application records are anonymized — stripped of all directly identifying information — within ninety (90) days, except where a longer retention period is required by applicable employment law (for example, US federal contractors are required to retain personnel records for specified periods). Candidates may request earlier anonymization by submitting a request to hello@luminid.org.

COMPANY ACCOUNT AND JOB LISTING DATA. Company Account data, including company profile, Authorized User records, and Job Listing history, is retained for the duration of the Company's active Subscription and for a period of thirty-six (36) months following termination or expiration of the Subscription, to facilitate re-activation and to support dispute resolution.

COMMUNICATIONS AND SUPPORT RECORDS. Messages exchanged through the Platform's messaging system are retained for twenty-four (24) months following the date of last activity in the relevant conversation thread. Customer support tickets and correspondence are retained for thirty-six (36) months following closure of the ticket.

SERVER AND ACCESS LOGS. Server access logs, error logs, security audit logs, and similar technical records are retained for twelve (12) months and then deleted, except where specific log records are needed in connection with an active security investigation, legal proceeding, or regulatory matter, in which case they are retained until the matter is resolved.

BILLING AND FINANCIAL RECORDS. Invoices, payment records, billing correspondence, and related financial documentation are retained for seven (7) years following the close of the relevant fiscal year, as required by Costa Rican tax and accounting law and comparable requirements in other jurisdictions where we operate.

COOKIE AND ANALYTICS DATA. Data collected through non-essential analytics cookies is retained in aggregated, anonymized form and is not associated with individual User identities beyond the active session or a rolling ninety (90) day window.

DELETED ACCOUNT DATA. When you delete your Account, Luminid initiates the following process: (a) all directly identifying Personal Data fields — including your name, email address, phone number, physical address, profile photograph, and other identifying fields — are erased or replaced with a non-identifying placeholder within thirty (30) days of your verified deletion request; (b) your authentication Account is permanently deleted from our identity management system within thirty (30) days of your verified deletion request; (c) data that is technically or legally required to be retained — such as aggregate Simulation data used in calibration, financial records required by tax law, and Application records that have been anonymized — is retained in anonymized form only, stripped of all linkage to your identity; and (d) backup copies of your identifiable data are purged within thirty (30) days as part of regular backup rotation cycles.

LEGAL HOLDS. Notwithstanding the retention periods set out above, we may preserve specific data for longer periods where we are required to do so by law, court order, regulatory directive, or where data is subject to a legal hold in connection with threatened or pending litigation or regulatory investigation. Data subject to a legal hold will be retained only for the duration required by the legal hold and deleted promptly upon its release.

10. International Data Transfers

Luminid is headquartered in San José, Costa Rica. The Platform's infrastructure utilizes cloud services provided by global technology providers, which means your Personal Data may be stored and processed in multiple countries, potentially including the United States, European Union member states, and other jurisdictions. By using the Platform, you acknowledge and consent to the transfer of your Personal Data to these jurisdictions.

ADEQUACY OF COSTA RICA. The Republic of Costa Rica has enacted Law No. 8968 on the Protection of Persons against the Processing of their Personal Data, which establishes a comprehensive data protection framework. For purposes of international data transfers from the EU, Costa Rica may be assessed as providing an adequate level of data protection under GDPR adequacy assessment criteria, although as of the date of this Policy a formal EU adequacy decision for Costa Rica has not been issued. We monitor the status of applicable adequacy determinations and update our transfer mechanisms accordingly.

EU STANDARD CONTRACTUAL CLAUSES. For transfers of Personal Data from the European Economic Area ("EEA"), the United Kingdom, or Switzerland to countries that do not have an applicable adequacy decision, Luminid relies on the Standard Contractual Clauses ("SCCs") approved by the European Commission, the UK International Data Transfer Agreement, or equivalent transfer mechanisms. We execute SCCs with our sub-processors and data processors located in non-adequate countries, including our cloud infrastructure providers. Copies of applicable SCCs and our data transfer impact assessments are available upon request at hello@luminid.org.

DATA LOCALIZATION REQUIREMENTS. Where applicable law in your jurisdiction requires that certain categories of Personal Data be stored or processed only within that jurisdiction, and where such requirements apply to the data we hold about you, we will implement appropriate data localization measures. Please contact hello@luminid.org if you believe that a specific data localization requirement applies to your data.

BINDING CORPORATE RULES. Where applicable and where Luminid develops an intragroup transfer framework, we may rely on Binding Corporate Rules or equivalent approved intragroup transfer mechanisms.

11. Your Rights as a Data Subject

Depending on your jurisdiction of residence and the legal framework applicable to your Personal Data, you may have the following rights. We will respond to all verified data subject requests within the time periods required by applicable law (generally 30 days, extendable to 60 days in complex cases upon notice).

RIGHT OF ACCESS (GDPR ART. 15; CCPA). You have the right to request confirmation of whether we process Personal Data about you, and if so, to receive a copy of that data along with information about the purposes of processing, the categories of data, the recipients or categories of recipients, the retention periods, and the safeguards applicable to international transfers. You may exercise this right by using the "Request data export" feature in Profile → Settings → Privacy or by emailing hello@luminid.org.

RIGHT TO RECTIFICATION (GDPR ART. 16). You have the right to request correction of inaccurate Personal Data we hold about you, and to have incomplete Personal Data completed. You can update most Profile data directly in your Account settings without contacting us.

RIGHT TO ERASURE / RIGHT TO BE FORGOTTEN (GDPR ART. 17). You have the right to request deletion of your Personal Data where: (a) the data is no longer necessary for the purposes for which it was collected; (b) you withdraw consent and there is no other legal basis for processing; (c) you object to processing under legitimate interests and Luminid has no overriding legitimate grounds; (d) the data has been unlawfully processed; or (e) deletion is required to comply with a legal obligation. You may exercise this right by using the "Delete account" feature in Profile → Settings → Privacy or by emailing hello@luminid.org. Note that we may retain some data in anonymized or pseudonymized form, or where retention is required by law, as described in Section 9.

RIGHT TO RESTRICTION OF PROCESSING (GDPR ART. 18). You have the right to request that we restrict our processing of your Personal Data in certain circumstances, such as where you contest the accuracy of the data (pending verification), where processing is unlawful but you prefer restriction to deletion, or where we no longer need the data but you require it for legal claims. During a restriction period, we will continue to store your data but will not otherwise process it without your consent or for legal claims.

RIGHT TO DATA PORTABILITY (GDPR ART. 20). Where we process your data by automated means on the basis of consent or contract, you have the right to receive a copy of your Personal Data in a structured, commonly used, machine-readable format (such as JSON or CSV), and to transmit that data to another controller. This right covers Profile data, Simulation Scores, Application history, and Account settings.

RIGHT TO OBJECT (GDPR ART. 21). You have the right to object at any time to our processing of your Personal Data where such processing is based on our legitimate interests (GDPR Art. 6(1)(f)) or is for direct marketing purposes. Where you object to direct marketing, we will stop processing your data for that purpose immediately without any assessment of compelling grounds. Where you object to processing based on legitimate interests, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests or the processing is necessary for legal claims.

RIGHT TO WITHDRAW CONSENT. Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of any processing carried out before the withdrawal. To withdraw consent, update your preferences in Account settings or contact hello@luminid.org.

RIGHT AGAINST SOLELY AUTOMATED DECISIONS (GDPR ART. 22). As described in Section 8, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Contact hello@luminid.org to request human review of any automated decision affecting you.

RIGHT TO LODGE A COMPLAINT. If you believe we have infringed your data protection rights, you have the right to lodge a complaint with your local data protection supervisory authority. For EU residents, this is the data protection authority (DPA) of your country of residence. For UK residents, this is the Information Commissioner's Office (ICO). For Costa Rican residents, this is the Agencia de Protección de Datos de los Habitantes (PRODHAB). Contact us first at hello@luminid.org, as we prefer to address your concerns directly.

CALIFORNIA RESIDENT RIGHTS. California residents have additional rights under the California Consumer Privacy Act ("CCPA") and California Privacy Rights Act ("CPRA"): the right to know what Personal Information we collect, use, disclose, and sell (we do not sell personal information); the right to delete Personal Information subject to certain exceptions; the right to correct inaccurate Personal Information; the right to opt out of the sale or sharing of Personal Information (we do not sell or share for cross-context behavioral advertising); the right to limit use of sensitive Personal Information; and the right not to receive discriminatory treatment for exercising these rights. California residents may exercise these rights through the same channels described in this Section.

EXERCISING YOUR RIGHTS. To exercise any of the rights described in this Section, use the tools available in Profile → Settings → Privacy, or contact us at hello@luminid.org with the subject line "Data Subject Request." We will ask you to verify your identity before processing your request. We will not charge a fee for reasonable requests, but may charge a reasonable fee for manifestly unfounded or excessive requests.

12. Cookies, Tracking Technologies, and Analytics

WHAT ARE COOKIES. Cookies are small text files placed on your device by your web browser when you visit a website. We use cookies and similar technologies (including web beacons, pixel tags, local storage objects, session tokens, and fingerprinting for fraud prevention) to operate the Platform, remember your preferences, analyze usage, and ensure security.

STRICTLY NECESSARY COOKIES. These cookies are essential for the Platform to function and cannot be disabled without breaking core functionality. They include authentication cookies that keep you logged in during your session, session management cookies that maintain application state, security cookies that protect against cross-site request forgery (CSRF) and other attacks, and load balancing cookies that route your traffic to appropriate servers. We use these cookies on the basis of our legitimate interest in operating a functional and secure Platform. They expire at the end of your browser session or within a short fixed period.

FUNCTIONAL COOKIES. These cookies enhance the functionality of the Platform by remembering choices you have made. They include cookies that remember your preferred language, that remember your notification preferences, that remember whether you have dismissed certain banners or tooltips, and that persist certain UI state between sessions. We use these cookies on the basis of our legitimate interests or your consent. They are generally session-scoped or expire within 30 days.

ANALYTICS COOKIES. We use analytics technologies to understand how Users interact with the Platform. Analytics data helps us identify which features are most useful, where Users encounter difficulty, and how to improve the Platform experience. Analytics processing is carried out on pseudonymized or aggregate data and does not identify individual Users in reports. We use these cookies on the basis of your consent, which you may provide or withdraw through the cookie preferences panel. Analytics cookies typically expire within 90 days.

FRAUD AND INTEGRITY DETECTION TECHNOLOGIES. We use server-side and client-side techniques to detect fraudulent activity, unauthorized access, assessment integrity violations, and automated bot behavior. These include behavioral analytics that profile interaction patterns during Simulation sessions. This processing is carried out on the basis of our legitimate interest in maintaining Platform integrity and security.

THIRD-PARTY COOKIES. We do not use third-party advertising cookies, cross-site behavioral tracking cookies, or cookies placed by advertising networks or data brokers. Any third-party cookies present on the Platform are strictly limited to our authorized service providers (such as analytics and error tracking tools) and are subject to data processing agreements.

MANAGING COOKIE PREFERENCES. You may manage your cookie preferences through: the cookie preferences panel accessible via the "Cookie preferences" link in your Profile settings; your browser settings, which allow you to block or delete cookies; and browser extensions that provide granular cookie management. Note that blocking strictly necessary cookies will prevent you from logging in and using the Platform. Your preferences are stored and respected on a per-browser, per-device basis. Clearing your browser data will reset your cookie preferences.

DO NOT TRACK. Certain browsers offer a "Do Not Track" signal. As there is no universally accepted standard for responding to Do Not Track signals, the Platform does not currently respond differently to such signals. However, you may use the cookie preferences panel to achieve equivalent privacy controls.

13. Security Measures

Luminid takes the security of your Personal Data seriously and implements a comprehensive set of technical and organizational measures designed to protect your data against unauthorized access, disclosure, alteration, or destruction. While no system can guarantee absolute security, we apply industry-standard practices appropriate to the nature and sensitivity of the data we process.

ENCRYPTION IN TRANSIT. All data transmitted between your device and the Platform is encrypted using Transport Layer Security (TLS) version 1.2 or higher. We use strong cipher suites and implement HTTP Strict Transport Security (HSTS) to prevent protocol downgrade attacks. API endpoints are accessible only over HTTPS.

ENCRYPTION AT REST. Personal Data stored in our production databases is encrypted at rest using AES-256 encryption, implemented at the storage layer by our cloud infrastructure provider. Database backups are also encrypted using equivalent standards.

ACCESS CONTROLS AND AUTHENTICATION. Access to production systems containing Personal Data is restricted to Luminid's engineering and security personnel who require access for their job function. Administrative access uses multi-factor authentication. Access logs are maintained and reviewed regularly. Database access requires individual user credentials with role-based permissions; no shared credentials are used for production system access.

ROW-LEVEL SECURITY (RLS). The Platform's database implements Row-Level Security policies at the database layer, ensuring that each authenticated User can query only the rows of data to which their Account is entitled. This is a defense-in-depth measure that limits the impact of any application-layer vulnerability.

PASSWORD SECURITY. User passwords are never stored in plaintext. All passwords are hashed using bcrypt with a work factor calibrated to current computational capabilities, and each password hash uses a unique per-user salt. Password transmission is protected by TLS. We enforce minimum password length and offer strong password guidance.

VULNERABILITY MANAGEMENT. We conduct regular automated dependency scanning and security audits of Platform code. We maintain a responsible disclosure process: if you discover a potential security vulnerability in the Platform, please report it immediately to hello@luminid.org rather than publicly disclosing it. We will investigate all reports promptly and, where appropriate, provide acknowledgment and recognition.

ORGANIZATIONAL MEASURES. In addition to technical controls, we implement organizational security measures including: employee security awareness training; background checks for staff with access to sensitive systems; access review processes; a formal information security policy; and vendor security assessments for third-party service providers.

INCIDENT RESPONSE. We maintain a formal data breach and security incident response procedure. In the event of a security incident that compromises the security of your Personal Data, we will: (a) contain and investigate the incident as quickly as possible; (b) where required by applicable law, notify the relevant supervisory authority within 72 hours of becoming aware of the breach; and (c) notify affected Users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, providing information about the nature of the breach, the data affected, the likely consequences, and the measures we have taken. Notifications will be sent by email to your registered email address.

LIMITATIONS OF SECURITY. Despite our efforts, no method of Internet transmission or electronic storage is completely secure. We cannot guarantee the absolute security of your data. Risks beyond our reasonable control include: interception of transmissions on networks we do not control; compromise of your device or credentials through malware or social engineering; nation-state level attacks on infrastructure; and zero-day vulnerabilities in software components.

14. Data Breach Notification Obligations

In the event Luminid discovers a personal data breach — defined as a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed — Luminid will take the following steps.

INTERNAL RESPONSE. Upon discovering or being notified of a potential breach, Luminid will: (a) immediately activate its incident response team; (b) take all available measures to contain the breach and prevent further unauthorized access or disclosure; (c) preserve evidence relevant to the investigation; (d) determine the scope of affected data and affected individuals; (e) assess the risk posed to the rights and freedoms of affected individuals; and (f) document all findings and remediation steps.

SUPERVISORY AUTHORITY NOTIFICATION. Where required by applicable data protection law — including GDPR Article 33, the UK GDPR, and equivalent laws — Luminid will notify the relevant supervisory authority of a notifiable breach without undue delay and, where feasible, within 72 hours of becoming aware of it. If notification cannot be made within 72 hours, Luminid will provide the notification with a reasoned explanation for the delay. The notification will include: a description of the nature of the breach; the categories and approximate number of individuals concerned; the categories and approximate number of Personal Data records concerned; the name and contact details of the data protection contact; the likely consequences of the breach; the measures taken or proposed to address the breach; and any other information required by applicable law.

INDIVIDUAL NOTIFICATION. Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, Luminid will notify the affected individuals without undue delay. Notifications will include: a description in clear and plain language of the nature of the breach; the contact details of Luminid's privacy contact; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its effects. Luminid may communicate such notifications through prominent notice on the Platform, by email to affected Users' registered email addresses, or through any other appropriate communication channel.

COMPANY OBLIGATIONS. Where a data breach involves Candidate Personal Data that was processed by Luminid on behalf of a Company as data processor, Luminid will notify the relevant Company without undue delay so that the Company can fulfil its own notification obligations as data controller under applicable law. Companies are responsible for their own breach notification obligations to Candidates, supervisory authorities, and other relevant parties in connection with their processing of Candidate data.

15. Children's Privacy

The Platform is designed for, and intended to be used exclusively by, adults aged 18 years or older, or the age of legal majority in the User's jurisdiction of residence if higher. We do not knowingly collect, solicit, process, or store Personal Data from any individual under the age of 18.

If we become aware that we have inadvertently collected Personal Data from a minor, we will take immediate steps to delete that data from our systems. If you are a parent or guardian and believe that your minor child has registered for or used the Platform or otherwise provided Personal Data to Luminid, please contact us immediately at hello@luminid.org with the subject line "Minor's Data." We will investigate and, if confirmed, delete the relevant data promptly.

Companies using the Platform to post Job Listings are responsible for ensuring that their listings comply with applicable child labor laws and are directed only at individuals of legal working age in the relevant jurisdiction. Luminid does not review Job Listings for compliance with child labor laws and is not liable for any Company's failure to comply.

Where a jurisdiction requires a higher age of consent for data processing — for example, in the EEA under GDPR Article 8 — we may, in certain limited contexts, apply that higher age threshold for consent-based processing activities.

16. Third-Party Services and Their Privacy Practices

The Platform integrates with, links to, and relies on third-party services whose own privacy policies and data practices govern their processing of your data. This Section identifies our material third-party service relationships and provides relevant context. We encourage you to review the privacy policies of these services.

SUPABASE (DATABASE AND AUTHENTICATION INFRASTRUCTURE). Luminid uses Supabase for its primary database and authentication infrastructure. Supabase hosts our PostgreSQL databases and manages our authentication system. User data stored in Luminid's databases resides on servers managed by Supabase, which in turn uses Amazon Web Services infrastructure. Supabase's privacy policy is available at supabase.com. Supabase acts as a data processor for Luminid. Data may be processed in the United States and other jurisdictions where AWS infrastructure operates; Standard Contractual Clauses are in place where required.

STRIPE (PAYMENT PROCESSING). Luminid uses Stripe, Inc. to process all payment transactions for Company Subscriptions. When you provide payment information through the Platform, that information is transmitted directly to Stripe and is subject to Stripe's privacy policy and PCI-DSS compliance program. Luminid does not receive, store, or have access to your full payment card number, CVV, or equivalent sensitive payment credentials. Stripe's privacy policy is available at stripe.com/privacy.

EMAIL SERVICE PROVIDER (TRANSACTIONAL EMAIL). Luminid uses a third-party email delivery service to send transactional notifications including Account confirmations, application updates, Simulation results, interview scheduling, and security alerts. Email content is transmitted to this service provider for delivery purposes. This service provider acts as a data processor and is bound by a data processing agreement.

VERCEL OR EQUIVALENT HOSTING (WEB INFRASTRUCTURE). The Platform's web application is served from infrastructure provided by Vercel or an equivalent platform hosting provider. Your HTTP requests are processed by this provider's infrastructure as part of normal web operation. This provider acts as a data processor.

AI SCORING INFRASTRUCTURE. Luminid may use third-party AI model inference infrastructure to process Simulation responses for scoring purposes. When your Simulation responses are submitted to external AI models for scoring, those responses are transmitted to the relevant provider. We use data processing agreements with AI providers and take steps to ensure that Simulation response data is not used by providers to train their own models beyond what is strictly necessary. The relevant provider at any given time is available upon request.

ANALYTICS AND MONITORING. Luminid uses privacy-respecting analytics tools to measure Platform performance and user behavior. These tools operate on pseudonymized or anonymized data and are not used for behavioral advertising. Analytics data is not shared with advertising networks.

CHANGES TO SUB-PROCESSORS. We may update our list of sub-processors from time to time. Companies subject to the GDPR may object to the addition of new sub-processors by notifying us at hello@luminid.org within ten (10) days of receiving notice of the change; if the change is objected to and cannot be resolved, the Company's right to terminate for cause applies. A current list of sub-processors is available upon request.

17. Employment-Specific Privacy Provisions

Because the Platform is specifically designed to facilitate employment hiring, certain additional privacy considerations and protections apply to the processing of Personal Data in the employment context.

LAWFULNESS OF USING ASSESSMENT DATA IN HIRING. The use of psychometric assessments, skills tests, and work-sample Simulations in hiring is subject to legal requirements that vary by jurisdiction. Companies using the Platform are responsible for ensuring that their use of Simulation Scores and other assessment data complies with applicable employment law, including requirements for job-relatedness, validity, reliability, and adverse impact analysis. Luminid provides Simulation Scores as a tool to inform — not to determine — hiring decisions, and the legal responsibility for ensuring lawful use of those Scores rests with the Company.

CANDIDATE PRIVACY IN THE HIRING CONTEXT. Candidates have a legitimate privacy interest in the confidentiality of their Application materials, Simulation responses, and hiring process communications. Luminid implements controls to ensure that Candidate data is accessible only to Recruiters of the specific Company to which the Candidate applied, and is not visible to other Companies or publicly. Candidates' Profile data is visible to Companies searching the talent pool only when the Candidate has affirmatively enabled discoverability.

RECRUITER CONDUCT AND CANDIDATE DATA REQUESTS. Companies are responsible for responding to Candidates' data subject requests relating to the Company's own processing of Candidate data in the hiring context. If a Candidate submits a data subject request to Luminid that relates to the Company's processing (not Luminid's), Luminid will forward the request to the relevant Company and notify the Candidate accordingly. Candidates should direct requests relating to Company data practices directly to the Company's designated privacy contact.

PROHIBITION ON EXPLOITATIVE USE OF EMPLOYMENT DATA. The power asymmetry inherent in the hiring relationship creates particular risks of exploitative data use. Luminid specifically prohibits Companies from using Candidate data to: negotiate against a Candidate's interests using information the Candidate did not knowingly disclose for that purpose; compile dossiers on professional competitors; conduct surveillance on former employees; or engage in any form of retaliatory data use against Candidates who have raised concerns about discrimination or unlawful conduct.

BACKGROUND CHECKS AND REFERENCE VERIFICATION. The Platform does not provide background check, criminal history, credit check, or reference verification services. Where Companies use third-party background check providers in connection with hiring processes conducted through the Platform, those providers' services are separate from the Platform and governed by separate terms and privacy policies. Candidates have separate rights under applicable law regarding background check disclosures and adverse action notifications.

SALARY AND COMPENSATION DATA. Any salary preferences or compensation expectations provided by Candidates through the Platform are used only to improve Job Listing matching and are not shared with Companies in a form that could be used to negotiate against the Candidate's interests without the Candidate's knowledge. Salary ranges provided by Companies in Job Listings are shared with Candidates as platform information.

18. Changes to This Privacy Policy, Contact, and Governing Framework

CHANGES TO THIS POLICY. We review and update this Privacy Policy periodically to reflect changes in our data processing practices, changes in applicable law, and feedback from our users. When we update this Policy: (a) the "last updated" date at the top of this page will reflect the effective date of the revision; (b) for material changes — defined as changes that significantly affect how we process your Personal Data or your rights regarding that processing — we will provide notice by email to your registered email address and by a prominent banner on the Platform at least fourteen (14) days before the change takes effect; (c) for non-material changes (such as clarifications, corrections, or administrative updates), the change will take effect on the date the updated Policy is posted; and (d) for changes required to comply with applicable law, the change will take effect on the date the legal requirement comes into force, with notice as soon as reasonably practicable.

Your continued use of the Platform after a material change takes effect constitutes your acceptance of the updated Policy. If you object to any change, your remedy is to delete your Account before the change takes effect. Historical versions of this Policy are maintained and are available upon request at hello@luminid.org.

GOVERNING DATA PROTECTION FRAMEWORK. This Policy is designed to comply with: Costa Rican Law No. 8968 (Ley de Protección de la Persona frente al tratamiento de sus datos personales) and its implementing regulations; the EU General Data Protection Regulation 2016/679 ("GDPR") in relation to EU and EEA residents; the UK General Data Protection Regulation and UK Data Protection Act 2018 in relation to UK residents; the California Consumer Privacy Act and California Privacy Rights Act in relation to California residents; and other applicable national and regional data protection laws where they impose requirements on Luminid's processing.

WHERE LAWS CONFLICT. Where applicable data protection laws impose different or conflicting requirements, Luminid will apply the more protective standard to the extent practicable, provided that doing so does not require Luminid to violate any other applicable law.

CONTACT AND DATA SUBJECT REQUESTS. For all privacy inquiries, data subject requests, complaints, or other communications regarding this Policy or Luminid's data processing practices, contact us at:

Email: hello@luminid.org (Subject: "Privacy Inquiry" or "Data Subject Request")
Entity: Luminid
Registered in: San José, Costa Rica
Legal Entity ID (Cédula Jurídica): 3102-950-241

We are committed to resolving all legitimate privacy concerns promptly and in good faith. If you are not satisfied with our response, you have the right to escalate your complaint to your local supervisory authority as described in Section 11.

19. Legal Bases for Processing

OVERVIEW OF LEGAL BASES. Under the GDPR, UK GDPR, and equivalent data protection frameworks, every processing activity must rest on a valid legal basis. The following table identifies the legal basis Luminid relies upon for each category of processing. Where multiple legal bases apply, all applicable bases are listed.

  • Processing Activity: Account registration and identity verification | Legal Basis: Performance of contract (Article 6(1)(b) GDPR); Compliance with legal obligations (Article 6(1)(c) GDPR)
  • Processing Activity: Delivery of Platform features, Simulations, and assessment scoring | Legal Basis: Performance of contract (Article 6(1)(b) GDPR)
  • Processing Activity: Sending transactional communications (confirmations, receipts, security alerts) | Legal Basis: Performance of contract (Article 6(1)(b) GDPR); Legitimate interests (Article 6(1)(f) GDPR) — ensuring Users receive critical operational communications
  • Processing Activity: Sending marketing and promotional communications | Legal Basis: Consent (Article 6(1)(a) GDPR) — obtained at registration or via explicit opt-in; Legitimate interests (Article 6(1)(f) GDPR) — where permitted by applicable law for existing customers
  • Processing Activity: Platform security, fraud prevention, and abuse detection | Legal Basis: Legitimate interests (Article 6(1)(f) GDPR) — protecting Luminid and Users from unauthorized access and harm
  • Processing Activity: Analytics, product improvement, and A/B testing | Legal Basis: Legitimate interests (Article 6(1)(f) GDPR) — improving Platform performance and user experience; Consent (Article 6(1)(a) GDPR) — for analytics cookies and tracking technologies beyond strictly necessary
  • Processing Activity: Compliance with legal and regulatory obligations | Legal Basis: Legal obligation (Article 6(1)(c) GDPR) — where the obligation is laid down by statute or regulation; Legitimate interests (Article 6(1)(f) GDPR) — where the requirement comes from regulatory guidance, industry standards, or contractual commitments that are not themselves a legal obligation within the meaning of Article 6(1)(c)
  • Processing Activity: Responding to data subject requests and supervisory authority inquiries | Legal Basis: Legal obligation (Article 6(1)(c) GDPR); Legitimate interests (Article 6(1)(f) GDPR)
  • Processing Activity: Sharing data with Employers for recruitment purposes | Legal Basis: Performance of contract (Article 6(1)(b) GDPR) — sharing is necessary to provide the core matching service the User contracted for; Consent (Article 6(1)(a) GDPR) — where the User explicitly consents to specific profile shares
  • Processing Activity: Processing special categories of personal data (if any) | Legal Basis: Explicit consent (Article 9(2)(a) GDPR); Necessity for carrying out obligations or exercising rights under employment law, where applicable (Article 9(2)(b) GDPR)
  • Processing Activity: Cross-border data transfers | Transfer Mechanism: Adequacy decision (Article 45 GDPR), Standard Contractual Clauses or other appropriate safeguards (Article 46 GDPR), or another approved transfer mechanism under Chapter V GDPR. A transfer mechanism is not itself an Article 6 legal basis: the transferred data continues to be processed on the basis listed for the relevant activity above
  • Processing Activity: Archival, backup, and data retention | Legal Basis: Legitimate interests (Article 6(1)(f) GDPR) — ensuring data integrity and recoverability; Legal obligation (Article 6(1)(c) GDPR) — where retention is required by law

LEGITIMATE INTERESTS ASSESSMENT. Where Luminid processes Personal Data on the basis of legitimate interests, Luminid has conducted and documented a Legitimate Interests Assessment (LIA) confirming that: (a) the processing is necessary for the identified legitimate interest; (b) the processing is proportionate to the privacy impact; and (c) the legitimate interest is not overridden by the interests, rights, or freedoms of the data subject. You have the right to object to processing based on legitimate interests at any time; see Section 11 for how to exercise this right.

WITHDRAWAL OF CONSENT. Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal. Withdrawal of consent may be effected through your Account settings, by clicking the unsubscribe link in marketing emails, or by contacting hello@luminid.org. Strictly necessary cookies are not placed on the basis of consent and cannot be withdrawn; withdrawal of consent for optional processing (such as analytics or preference cookies) may affect your ability to use some features of the Platform.

20. Aggregated and De-Identified Data

AGGREGATION AND DE-IDENTIFICATION. Luminid may derive, compile, or generate data that is aggregated across Users or de-identified such that it cannot reasonably be used to identify any specific natural person, directly or indirectly, without the use of disproportionate means ("Aggregated Data" and "De-Identified Data," respectively). Examples include Platform-wide Simulation performance benchmarks, industry-level talent availability statistics, skill demand trends, aggregate hiring funnel metrics, and anonymized usage analytics. Aggregated Data and De-Identified Data do not constitute Personal Data for the purposes of this Policy.

LUMINID'S RIGHTS IN AGGREGATED DATA. Luminid owns all Aggregated Data and De-Identified Data derived from the operation of the Platform, including data derived from your use of the Platform. Luminid may use, analyze, publish, license, sell, or otherwise commercially exploit Aggregated Data and De-Identified Data for any lawful purpose, including: internal product development and research; publishing industry reports and benchmarking studies; licensing insights to enterprise customers for workforce planning; sharing with academic researchers under data use agreements; and improving the accuracy and fairness of Luminid's assessment algorithms.

SAFEGUARDS. Luminid employs technical and organizational safeguards to ensure that Aggregated Data and De-Identified Data cannot be re-identified. These safeguards include: removing direct identifiers (such as names, email addresses, and account identifiers) before any aggregation or external disclosure; applying k-anonymity thresholds so that every combination of quasi-identifiers (such as role, region, and experience band) present in a released dataset is shared by at least a minimum number of individuals, with smaller groups suppressed or generalized rather than published; using differential privacy techniques in certain published datasets so that the published statistics do not change measurably when any single individual's records are added or removed; reviewing outputs before publication to prevent inferential re-identification, including re-identification by comparing successive releases; and contractually restricting downstream recipients from attempting re-identification.
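The k-anonymity threshold and identifier stripping described above, as an added example that is not Luminid's own code: a release gate that drops direct identifiers, groups Simulation results by a set of quasi-identifiers, suppresses any group smaller than k, and then independently re-checks the output before it can be published. The record layout, the choice of quasi-identifier columns, the value k = 5, and the sample records are all assumptions made for the example.

```python
"""Release gate enforcing k-anonymity on aggregated Simulation results.

Added example, not Luminid's code. The column names, the quasi-identifier
set, k = 5, and every record below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean

# Direct identifiers: removed before aggregation and never published.
DIRECT_IDENTIFIERS = {"user_id", "email", "name"}

# Quasi-identifiers: harmless alone, but their combination can single a
# person out. k-anonymity is enforced per combination of these columns.
QUASI_IDENTIFIERS = ("role", "region", "experience_band")


def _rec(uid, role, region, band, score):
    """Build one constructed Simulation result record (sample data only)."""
    return {"user_id": uid, "email": f"user{uid}@example.org", "name": f"User {uid}",
            "role": role, "region": region, "experience_band": band, "score": score}


# Constructed sample: two groups of >= 5 people, two groups that are too small.
SAMPLE_RESULTS = [
    *(_rec(i, "backend", "LATAM", "3-5y", s)
      for i, s in enumerate([81, 77, 90, 68, 85, 73], start=1)),
    *(_rec(i, "frontend", "EU", "0-2y", s)
      for i, s in enumerate([60, 72, 65, 70, 58], start=7)),
    _rec(12, "security", "UK", "10y+", 95),   # a group of one: must be suppressed
    _rec(13, "data", "EU", "6-9y", 88),       # a group of two: must be suppressed
    _rec(14, "data", "EU", "6-9y", 84),
]


def strip_direct_identifiers(records):
    """Return copies of the records with every direct identifier removed."""
    return [{col: val for col, val in r.items() if col not in DIRECT_IDENTIFIERS}
            for r in records]


def group_by_quasi_identifiers(records):
    """Partition records into equivalence classes keyed by the quasi-identifiers."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[q] for q in QUASI_IDENTIFIERS)].append(r)
    return groups


def aggregate_with_k_anonymity(records, k=5):
    """Aggregate per quasi-identifier group, suppressing groups smaller than k.

    Returns (published_rows, suppressed_keys). Each published row carries the
    group size and the mean score only; no per-person value survives.
    """
    published, suppressed = [], []
    for key, members in group_by_quasi_identifiers(strip_direct_identifiers(records)).items():
        if len(members) < k:
            suppressed.append(key)       # too few people to hide among: do not publish
            continue
        published.append({
            **dict(zip(QUASI_IDENTIFIERS, key)),
            "n": len(members),
            "mean_score": round(mean(m["score"] for m in members), 1),
        })
    return published, suppressed


def is_k_anonymous(published, k=5):
    """Independent pre-publication check: every row covers >= k people and
    carries no direct identifier column. Run this on the output, not the input."""
    sizes_ok = all(row["n"] >= k for row in published)
    no_ids = not any(col in row for row in published for col in DIRECT_IDENTIFIERS)
    return sizes_ok and no_ids


if __name__ == "__main__":
    rows, dropped = aggregate_with_k_anonymity(SAMPLE_RESULTS, k=5)
    assert is_k_anonymous(rows, k=5), "refusing to publish: k-anonymity check failed"
    for row in rows:
        print(row)
    print("suppressed groups:", dropped)
```

Two points a reviewer would raise on this gate. First, k-anonymity is a property of the published output, so the check is deliberately run on what is about to be released rather than on the input table. Second, a group size of at least k protects against direct singling-out but not against differencing: if two releases differ by one person, subtracting their counts or means reveals that person's score, which is why the Policy layers output review and differential privacy on top of the threshold rather than relying on it alone.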

RE-IDENTIFICATION PROHIBITION. You may not, and you agree not to permit any third party to, attempt to re-identify any Aggregated Data or De-Identified Data obtained from or about the Platform. Any attempt to re-identify such data is a material breach of the Terms of Service and of this Policy. If you believe that Aggregated Data or De-Identified Data published by Luminid can be re-identified, you are encouraged to report this to Luminid under the Responsible Disclosure policy in Section 24.

YOUR DATA CONTRIBUTIONS. You acknowledge that your use of the Platform, including your responses to Simulations, your engagement patterns, and your profile information, contributes to Luminid's aggregate datasets. This contribution is made as part of the inherent operation of the Platform and does not entitle you to any share of revenue derived from Aggregated Data.

21. Non-User Data Collection

COLLECTION OF DATA ABOUT NON-USERS. In operating the Platform, Luminid may receive, collect, or process information about individuals who have not registered for a Luminid Account ("Non-Users"). This section describes how Luminid handles such data.

CANDIDATE DATA SUBMITTED BY EMPLOYERS. Employers may import or submit data relating to job candidates who have not yet created a Luminid Account, including candidate names, email addresses, prior application history, or previous assessment results obtained outside the Platform. Employers who submit Non-User data represent and warrant that: (a) they have a lawful basis for submitting that data to Luminid; (b) they have provided all legally required notices to the affected individuals; (c) they have obtained any required consents; and (d) the submission does not violate any applicable data protection, privacy, or employment law. Luminid processes Non-User data submitted by Employers solely on behalf of and on the instructions of the Employer (acting as a data processor). If a Non-User subsequently creates a Luminid Account, Luminid will associate any existing data with the new Account subject to applicable data protection law.

REFERRAL AND INVITATION DATA. If you invite a third party to join Luminid through a referral mechanism, Luminid will collect the referred person's email address for the sole purpose of sending a one-time invitation. If the invitation is not accepted within thirty (30) days, Luminid will delete the email address from its systems. Luminid will not send marketing communications to referred individuals without their separate consent.

PUBLICLY AVAILABLE PROFESSIONAL DATA. Luminid may collect and display information about individuals from publicly available professional sources (such as public LinkedIn profiles, company websites, or professional directories) for purposes of enabling Employers to identify and reach out to potential candidates ("Sourcing Feature"). Individuals whose data is collected through the Sourcing Feature have the right to: (a) request that their data be removed from the Sourcing Feature by contacting hello@luminid.org; (b) request information about what data is held; and (c) object to processing. Luminid will honor such requests within thirty (30) days. Luminid does not collect or use publicly available professional data in any jurisdiction where such collection is prohibited by applicable law.

THIRD-PARTY DATA PROVIDERS. Luminid may supplement its data with information obtained from third-party data providers, enrichment services, or data brokers for purposes including identity verification, fraud prevention, and profile enrichment. Where Luminid uses third-party data providers, Luminid contractually requires those providers to: have a lawful basis for sharing the data; comply with applicable data protection law; provide accurate and up-to-date data; and cooperate with data subject requests. If you believe that inaccurate data about you has been introduced through a third-party data provider, you have the right to request correction or deletion under Section 11.

22. Subprocessors

USE OF SUBPROCESSORS. Luminid uses third-party service providers ("Subprocessors") that process Personal Data on Luminid's behalf as part of delivering the Platform. Luminid maintains written data processing agreements with all Subprocessors, contractually requiring them to implement appropriate technical and organizational security measures, process Personal Data only on Luminid's documented instructions, assist Luminid in fulfilling data subject requests, notify Luminid promptly in the event of a data breach, and submit to audits or inspections by Luminid or a designated third-party auditor upon reasonable notice.

CURRENT SUBPROCESSORS. Luminid's current Subprocessors include, without limitation, the following categories:

  • Infrastructure and Hosting: Cloud computing infrastructure provider (data hosting, storage, compute, and networking)
  • Authentication: Third-party identity and authentication providers (OAuth, SSO)
  • Database and Backend Services: Database-as-a-service providers supporting Platform data storage and retrieval
  • Email Delivery: Transactional email delivery services (for confirmations, notifications, and communications)
  • Analytics: Product analytics and telemetry platforms for usage data collection and analysis
  • Error Monitoring: Application performance monitoring and error-tracking services
  • Payment Processing: PCI-DSS-compliant payment processing services
  • Customer Support: Help desk and ticket management platforms (used to store support communications)
  • AI and Machine Learning: Third-party AI inference and machine learning model providers used in Simulation scoring and evaluation

SUBPROCESSOR CHANGES. Luminid will inform you of any intended changes to its Subprocessor list, including the addition or replacement of Subprocessors, by publishing an updated Subprocessor list at luminid.org/privacy or by email notification at least thirty (30) days before any new Subprocessor begins processing Personal Data. If you have legitimate grounds for objecting to the use of a new Subprocessor, you may notify Luminid at hello@luminid.org within twenty (20) days of the change notice. Luminid will engage with your objection in good faith. If the parties cannot resolve the objection, you may terminate your Account on the grounds of the objection without penalty.

INTERNATIONAL SUBPROCESSORS. Some Subprocessors may be located outside the EEA, UK, or other jurisdiction from which you access the Platform. All such international transfers are governed by the applicable transfer mechanisms described in Section 10 of this Policy.

PROCESSOR-TO-PROCESSOR TRANSFERS. Where Luminid processes data as a processor on behalf of an Employer (an Enterprise data controller), Luminid will only engage Subprocessors with the Employer's prior authorization (general or specific as agreed in the applicable Data Processing Agreement) and will remain liable to the Employer for the Subprocessor's compliance with data protection obligations to the extent permitted by applicable law.

23. Regional Supplements

EEA AND UK RESIDENTS — SUPPLEMENTAL RIGHTS AND INFORMATION.

DATA PROTECTION AUTHORITY. EEA residents have the right to lodge a complaint with the supervisory authority of the EU Member State where they habitually reside, work, or where the alleged infringement occurred. UK residents have the right to lodge a complaint with the UK Information Commissioner's Office (ICO). Where Luminid has an EU establishment, its lead supervisory authority for GDPR purposes is the authority of the Member State of its main establishment. Where Luminid has no EU establishment, the one-stop-shop mechanism does not apply and the supervisory authority of each Member State remains competent for complaints from residents of that State; appointing a representative under Article 27 GDPR does not change this. Luminid will designate an EU or UK representative as required by applicable law and will publish representative contact details at luminid.org/privacy.

AUTOMATED DECISION-MAKING. Luminid uses automated processes in generating Simulation scores and candidate-to-opportunity match scores. Decisions based solely on automated processing that produce legal or similarly significant effects on you are subject to rights under Article 22 GDPR. You have the right to: (a) request human review of any automated decision that materially affects you; (b) express your point of view regarding the automated decision; and (c) contest the automated decision. To exercise these rights, contact hello@luminid.org with "GDPR Article 22 Request" in the subject line. Luminid will respond within thirty (30) days. Please note that some automated processing is necessary for the provision of the assessment service you contracted for; where this is the case, Luminid will disclose the logic involved and offer meaningful human review.

STANDARD CONTRACTUAL CLAUSES. For transfers of Personal Data from the EEA to countries without an adequacy decision, Luminid relies on the Standard Contractual Clauses ("SCCs") adopted by the European Commission in Commission Implementing Decision (EU) 2021/914. For transfers from the UK, Luminid relies on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, each as issued by the ICO. Copies of the relevant SCCs, IDTAs, and Addenda are available upon request at hello@luminid.org.

---

CALIFORNIA RESIDENTS (CCPA/CPRA).

CATEGORIES OF PERSONAL INFORMATION COLLECTED. In the preceding twelve (12) months, Luminid has collected the following categories of Personal Information as defined by the CCPA: Identifiers (name, email, IP address, device identifiers); Commercial information (subscription and payment history); Internet or other electronic network activity (usage data, clickstream); Geolocation data (country and region level); Professional or employment-related information (work history, skills, assessment results); Inferences drawn from other categories (candidate match scores, skill ratings). Luminid does not sell or share Personal Information for cross-context behavioral advertising as defined by the CPRA. Luminid does not have actual knowledge that it sells or shares the Personal Information of consumers under sixteen (16) years of age.

CCPA/CPRA RIGHTS. California residents have the right to: (a) Know what Personal Information is collected, used, shared, or sold; (b) Delete Personal Information, subject to exceptions; (c) Correct inaccurate Personal Information; (d) Opt out of the sale or sharing of Personal Information (Luminid does not sell Personal Information); (e) Limit the use and disclosure of sensitive Personal Information; (f) Non-discrimination for exercising CCPA/CPRA rights. To exercise these rights, submit a request to hello@luminid.org or use the in-Account privacy request tool. Luminid will verify your identity before processing your request. Luminid will respond to verifiable consumer requests within forty-five (45) days, with a possible extension of an additional forty-five (45) days when reasonably necessary.

---

BRAZIL RESIDENTS (LGPD).

LEGAL BASES UNDER THE LGPD. Luminid processes Personal Data of Brazilian residents under the following legal bases: performance of contract (Article 7(V) LGPD); compliance with legal obligation (Article 7(II) LGPD); legitimate interest (Article 7(IX) LGPD); consent (Article 7(I) LGPD) where applicable. Where consent is the legal basis, Luminid will obtain it through free, informed, unambiguous, and revocable consent as required by Article 8 LGPD.

LGPD RIGHTS. Brazilian residents have the right to: confirm the existence of processing; access Personal Data; correct incomplete, inaccurate, or outdated data; anonymize, block, or delete unnecessary or excessive data; data portability; delete Personal Data where processing is consent-based; information about third parties with whom data has been shared; information about the possibility of withholding consent and the consequences; and withdrawal of consent. Brazilian residents may also petition the National Data Protection Authority (ANPD). Requests may be submitted to hello@luminid.org.

---

COSTA RICA RESIDENTS.

LAW NO. 8968 RIGHTS. Residents of Costa Rica have rights under the Ley de Protección de la Persona frente al tratamiento de sus datos personales (Law No. 8968) and its implementing regulations, including the right to access, rectify, cancel, and oppose the processing of their Personal Data (collectively, "ARCO Rights"). To exercise ARCO Rights, submit a written request to hello@luminid.org identifying yourself and your specific request. Luminid will respond within ten (10) business days. Costa Rica residents also have the right to lodge a complaint with the Agencia de Protección de Datos de los Habitantes (PRODHAB).

24. Responsible Disclosure and Security Research

REPORTING SECURITY AND PRIVACY ISSUES. Luminid is committed to protecting the security and privacy of all Users. If you discover a security vulnerability, data exposure, or privacy issue affecting the Platform, please report it to us responsibly and in good faith before public disclosure.

HOW TO REPORT. Send your report to hello@luminid.org with the subject line "Security/Privacy Disclosure." Your report should describe: (a) the nature of the vulnerability or exposure (e.g., unauthorized data access, authentication bypass, insecure direct object reference, data leakage); (b) the affected component, URL, endpoint, or feature; (c) step-by-step instructions to reproduce the issue; (d) the potential impact on user data or Platform security; and (e) any suggested remediation. If your report involves potential access to Personal Data of other Users, please limit your verification to the minimum necessary to demonstrate the existence of the vulnerability.

OUR COMMITMENTS. Upon receiving your report, Luminid will: (a) acknowledge receipt within five (5) business days; (b) investigate the reported issue promptly; (c) keep you informed of our progress at reasonable intervals; (d) remediate validated vulnerabilities as quickly as practicable; (e) notify you when remediation is complete; and (f) not pursue legal action against you for good-faith research conducted in compliance with this section.

DATA PROTECTION INCIDENT REPORTING. If you discover or have reason to believe that Personal Data of Platform Users has been exposed, exfiltrated, or accessed without authorization (whether by you, a third party, or a Platform vulnerability), you are required to notify Luminid immediately at hello@luminid.org with the subject line "Potential Data Breach." Include all information available to you about the nature, scope, and potential impact of the exposure. Do not attempt to access, retain, analyze, or disclose any Personal Data of other Users that you discover in the course of security research.

PRIVACY-SPECIFIC VULNERABILITY CLASSES. In addition to technical security vulnerabilities, Luminid specifically encourages responsible disclosure of the following privacy-affecting issues: over-permissive data access controls (ability to access another user's data); inadequate data minimization (collection of Personal Data beyond what is stated in this Policy); insecure data transmission or storage of Personal Data; failures in data subject request processing that could expose Personal Data; and third-party integrations that share Personal Data beyond stated purposes.

RESPONSE TIMELINES. Luminid targets the following response timelines for disclosed vulnerabilities: Critical (active data exposure or authentication bypass): remediation within seventy-two (72) hours; High (significant risk of data exposure or privilege escalation): remediation within seven (7) days; Medium (limited-scope vulnerabilities): remediation within thirty (30) days; Low (informational findings): reviewed and addressed within ninety (90) days. These timelines are targets and Luminid will communicate with you if extended remediation time is required.

Terms of Service · Back to Luminid · © 2026 Luminid · 3102-950-241