Skip to main content
Back to Home

Privacy Policy

Last updated: February 10, 2026

1. Introduction

Lumos Gate ("we", "us", "our") operates the lumosgate.com website and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.

We are committed to protecting your privacy. Our Service is designed with a privacy-first, zero-knowledge architecture. We collect only the minimum data necessary to provide the Service.

2. Our Privacy Architecture

Lumos Gate is an infrastructure management platform. It is important to understand what this means for your privacy:

  • We do not inspect your traffic. Traffic flows through your own servers, not ours. We have no access to the content of requests or responses.
  • We do not store traffic logs. Our dashboard collects only aggregate statistics (request counts, bandwidth totals). Individual request data remains on your servers.
  • Your real server IPs remain private. Only the shield server IPs are publicly visible.
  • Agent software runs on your infrastructure. The Lumos Agent runs on servers you own and control. We communicate with it only for configuration updates and aggregate metrics.

3. Information We Collect

3.1. Account Information

When you register, we collect:

  • Email address (required for authentication and communication)
  • Full name (optional)
  • Company name (optional)
  • Password (stored as a bcrypt hash; we cannot read your password)

3.2. Service Configuration Data

When you use the Service, we store:

  • Server names and shield server IP addresses
  • Domain names you configure
  • Backend server addresses (IP or hostname)
  • WAF rules and security configurations
  • SSL/TLS certificate metadata (not private keys)
  • DNS failover configurations

3.3. Aggregate Metrics

Our agent reports aggregate statistics only:

  • Total request counts per hour
  • Total bandwidth usage
  • Error counts (4xx, 5xx aggregates)
  • WAF blocked request counts
  • Average response latency

These are numerical aggregates. We do not collect individual request URLs, request bodies, response bodies, user-agent strings, or end-user IP addresses in our central database.

3.4. Technical Data

We automatically collect:

  • IP address when you access the dashboard (for rate limiting and security)
  • Browser type and version (from HTTP headers)
  • Session tokens (for authentication)

4. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and manage your account
  • Push configuration updates to your shield servers
  • Display analytics and metrics in your dashboard
  • Send transactional emails (account verification, password reset, security alerts)
  • Enforce our Terms of Service and Acceptable Use Policy
  • Comply with legal obligations
  • Protect against fraud, abuse, and security threats

We do not use your information for advertising, profiling, or selling to third parties.

5. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your data based on:

  • Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Service you signed up for.
  • Legitimate interests (Art. 6(1)(f) GDPR): Security, fraud prevention, abuse detection, and service improvement.
  • Legal obligation (Art. 6(1)(c) GDPR): Compliance with applicable laws, including responding to lawful requests from authorities.
  • Consent (Art. 6(1)(a) GDPR): Where specifically requested, such as for optional marketing communications.

6. Data Sharing and Third Parties

We share your data only in the following circumstances:

6.1. Service Providers

  • Email delivery: We use a third-party email service provider to send transactional emails. They receive only the email address and message content necessary for delivery.
  • Hosting: Our infrastructure is hosted on servers we manage. Database and application data reside on infrastructure under our control.

6.2. Legal Requirements

We may disclose information if required by:

  • Valid legal process (court order, subpoena, search warrant)
  • Applicable law or regulation
  • Government or law enforcement requests where legally compelled

6.3. Safety and Abuse

We may share information when necessary to investigate or prevent illegal activity, fraud, threats to safety, or violations of our Terms of Service.

We never sell your data. We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.

7. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account termination.
  • Configuration data: Deleted when you remove the associated server or domain, or upon account deletion.
  • Aggregate metrics: Retained for up to 12 months, then automatically purged.
  • WAF blocked request logs: Retained for up to 90 days.
  • Security logs: Authentication and abuse-related logs retained for up to 6 months for security purposes.

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Passwords are hashed using bcrypt with a cost factor of 12
  • API keys are stored as SHA-256 hashes
  • Agent communication uses encrypted WebSocket connections
  • Agent configurations support AES-256-GCM encryption at rest
  • Database connections use TLS encryption
  • Rate limiting protects against brute-force attacks

While we take reasonable steps to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

9. Your Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Deletion: Request deletion of your personal data ("right to be forgotten").
  • Portability: Request your data in a structured, commonly used, machine-readable format.
  • Restriction: Request restriction of processing in certain circumstances.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

10. International Data Transfers

Your data may be processed on servers located in different jurisdictions. When we transfer data internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Other legally recognized transfer mechanisms

11. Cookies

We use only essential cookies required for the Service to function. For detailed information, please see our Cookie Policy.

12. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at [email protected].

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service dashboard at least 30 days before they take effect.

We encourage you to review this page periodically for the latest information on our privacy practices.

14. Contact Us

For privacy-related inquiries, data requests, or complaints:

If you are in the EEA and believe our processing of your data violates the GDPR, you have the right to lodge a complaint with your local data protection authority.