Skip to main content

LEGAL

Privacy Policy

Last updated: 15 June 2026

1. Who we are

Lumorrow ("Lumorrow," "we," "our," or "us") operates an AI-native programmatic ad exchange. We are the data controller for information collected on this website and for platform account data. For personal data processed in connection with online advertising — including bid-request data, cookie and device identifiers, and IP addresses — Lumorrow acts as an independent controller. Each party in the advertising supply chain (Lumorrow, publishers, and demand partners) is separately responsible for its own lawful basis, transparency notices, consents, and for honouring applicable consent and opt-out signals (including IAB TCF strings and Global Privacy Control). This reflects the data protection terms agreed in our Master Services Agreements with platform partners.

Lumorrow operates as Lumorrow Ltd, a company registered in England and Wales under company number 17237950. Our registered office is Suite 3, 2nd Floor 760 Eastern Avenue, Newbury Park, Ilford, United Kingdom, IG2 7HU.

Our contact address for privacy matters is [email protected].

2. Scope of this policy

This policy applies to:

  • This website (lumorrow.com) — covering visitors who browse, read our blog, or submit contact enquiries.
  • The Lumorrow platform — covering publishers and demand partners who hold accounts and use our services.
  • Auction and bid-request processing — covering technical data processed through our exchange infrastructure on behalf of platform participants.

It does not govern the privacy practices of publishers or demand partners who use Lumorrow to serve advertising to end users on their own properties. Those parties are independent data controllers and are responsible for their own end-user disclosures.

3. Data we collect

3.1 Website visitors

  • Contact form submissions: company name, email address, role, and any information voluntarily provided in the message field.
  • Technical log data: IP address, browser type, referring URL, pages visited, and timestamps. This data is collected automatically by our web server and supporting analytics tooling.
  • Analytics and tag-management data: we use Google Tag Manager to deploy Google Analytics on this website. Google Analytics may collect pseudonymous identifiers (for example, client IDs), page interactions, approximate geolocation, and device/browser information.
  • Cookies and similar technologies: see our Cookie Policy for detail.

3.2 Platform accounts (publishers and demand partners)

  • Account data: company name, authorised contact name(s), email address(es), billing details, and tax identification numbers where required.
  • Integration configuration: domain lists, ad unit configuration, endpoint URLs, and related technical settings.
  • Support and communications: records of correspondence, support tickets, and call notes.

3.3 Auction and bid-request data

When a bid request flows through the Lumorrow exchange, it may contain:

  • IP address and derived geolocation (country, region, city)
  • Device identifiers (where provided and consented in accordance with applicable law)
  • User-agent strings and inferred device attributes
  • Page URL, content category, and IAB taxonomy signals
  • Publisher-supplied audience segments and contextual signals
  • IAB TCF v2.2 consent strings and GPP strings, where applicable

This data is processed transiently for auction decisioning purposes. Aggregated and anonymised auction event data is retained for reporting and optimisation.

We process personal data in accordance with applicable data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025), the Privacy and Electronic Communications Regulations (PECR), the EU GDPR, and the CCPA/CPRA where applicable. Where the UK GDPR or EU GDPR applies, we rely on the following legal bases:

  • Contract (Art. 6(1)(b)): processing necessary to perform our publisher and demand partner agreements, including account management, auction operation, and payment.
  • Legitimate interests (Art. 6(1)(f)): operating a secure and reliable exchange, fraud and invalid-traffic detection, product analytics, and responding to enquiries. We have assessed that these interests are not overridden by data-subject rights.
  • Legal obligation (Art. 6(1)(c)): retaining financial and transaction records as required by law.
  • Consent (Art. 6(1)(a)): where we send optional marketing communications, or where end-user consent is required under PECR (and equivalent ePrivacy rules) for cookie or identifier-based processing.

5. How we use data

  • Operate, maintain, and improve the Lumorrow ad exchange platform
  • Process bid requests and run auction logic in real time
  • Measure website traffic and engagement through Google Analytics reporting
  • Provide reporting dashboards and yield analytics to publishers and demand partners
  • Detect, investigate, and prevent invalid traffic, fraud, and abuse
  • Communicate service updates, technical notices, and support responses
  • Manage billing, invoicing, and financial reconciliation
  • Comply with legal and regulatory obligations
  • Maintain supply-chain transparency via sellers.json and related IAB standards

6. Data sharing and disclosure

We do not sell personal data. We may share data with:

  • Demand partners: bid request data is transmitted to participating demand partners as part of the auction process. This disclosure is between independent controllers, is inherent to the operation of the exchange, and is governed by the data protection terms in our Master Services Agreement (clause 4), under which each party acts as an independent controller responsible for its own compliance.
  • Analytics and tag-management providers: Google Ireland Limited and Google LLC, as processors/sub-processors for Google Tag Manager and Google Analytics services used on lumorrow.com.
  • Infrastructure and cloud providers: hosting, database, monitoring, and CDN services operating under data-processing agreements.
  • Payment processors: for billing and financial transaction purposes only.
  • Professional advisers: lawyers, accountants, and auditors, subject to professional confidentiality obligations.
  • Regulators and law enforcement: where required by applicable law, court order, or regulatory request.
  • Business transfers: in connection with a merger, acquisition, or sale of assets, where the successor entity is bound by terms no less protective than this policy.

7. International data transfers

Our infrastructure may be located in jurisdictions outside the European Economic Area (EEA) or United Kingdom. Where we transfer personal data internationally, we ensure an adequate level of protection through one or more of the following mechanisms:

  • Adequacy decisions issued by the relevant supervisory authority — including, for certified recipients in the United States, the EU-US Data Privacy Framework and its UK Extension (the UK-US Data Bridge)
  • EU Standard Contractual Clauses (SCCs) adopted by the European Commission
  • UK International Data Transfer Agreements (IDTAs), or the EU SCCs together with the UK Addendum

Where we rely on SCCs or an IDTA, we carry out and document a reasonable and proportionate Transfer Risk Assessment. You may request a copy of the relevant transfer mechanism by contacting us at [email protected].

8. Data retention

  • Contact enquiries: retained for up to 2 years from the date of last contact.
  • Platform account data: retained for the duration of the account relationship and for up to 7 years thereafter for legal and financial compliance purposes.
  • Auction event data (aggregated): retained for up to 25 months for reporting, reconciliation, and model training. Raw bid-level logs containing personal data are purged on a shorter rolling cycle consistent with our data minimisation obligations.
  • Website log data: retained for up to 90 days.

9. Your rights

Under GDPR (EEA / UK residents)

You have the right to: access your personal data; rectify inaccurate data; erasure ("right to be forgotten") where no overriding legitimate purpose exists; restriction of processing; data portability; and to object to processing based on legitimate interests. You also have the right to lodge a complaint with your local supervisory authority.

Under CCPA / CPRA (California residents)

You have the right to know what personal information we collect and how it is used; to delete your personal information (subject to exceptions); to correct inaccurate personal information; to opt out of the sale or sharing of personal information (we do not sell or share personal information as defined under CCPA); and to non-discrimination for exercising your rights.

Exercising your rights

To exercise any of the above rights, email [email protected] with sufficient detail to identify your request. We will respond within 30 days (or within the statutory period required by applicable law). We may ask you to verify your identity before processing the request.

10. Children's data

The Lumorrow website and platform are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, contact us immediately and we will delete it.

11. Security

We implement technical and organisational measures appropriate to the risk, including TLS encryption in transit, access controls, audit logging, and regular security reviews. No method of transmission or storage is completely secure; we cannot guarantee absolute security but commit to notifying affected parties, partners, and regulators in the event of a personal data breach as required by applicable law — and, for personal data shared with platform partners, without undue delay and in any event within 72 hours of confirmation.

12. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to platform account holders and by a prominent notice on this page. The "last updated" date at the top reflects the most recent revision. Continued use of our services after the effective date of any change constitutes acceptance.

13. Contact

For any privacy-related questions, requests, or complaints, contact us at:

Lumorrow Ltd
Company No. 17237950
Suite 3, 2nd Floor 760 Eastern Avenue
Newbury Park, Ilford
United Kingdom, IG2 7HU
[email protected]