Track 1 platform and get the weekly governance digest. No credit card required.
This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology
This document establishes Luma AI's data collection and processing practices for users of its AI video and image generation services. The policy authorizes Luma to collect and use images, videos, text, and other personal data submitted by users to train and improve its AI models. Users in the EU and UK are entitled to exercise data subject rights including access, correction, deletion, and portability by contacting hello@lumalabs.ai.
This document governs Luma AI's collection, use, disclosure, and processing of personal information from users of its website, applications, and AI-powered services, with stated legal bases including consent, contractual necessity, legal obligation, and legitimate interests for EEA/UK users under GDPR. The policy asserts that Luma collects a broad range of data including user-uploaded images and videos, AI conversation inputs and outputs, device identifiers, location inferred from IP address, collaboration data including real-time cursor position, and third-party sourced data from marketing partners and data providers; notably, the terms authorize use of this information to train and improve Luma's AI models and machine learning systems. The explicit authorization to use user-uploaded content and conversation inputs for AI model training is an operationally significant provision that may engage user expectations around content ownership and consent, particularly given that inputs may include personal images, videos, and text; the policy does not specify an opt-out mechanism for AI training use specifically, which may create tension with GDPR legitimate interests balancing requirements and emerging AI-specific regulatory frameworks. The policy engages GDPR and UK GDPR for EEA and UK users, CCPA and similar US state privacy laws for California and other US residents, and may require evaluation under the EU AI Act given Luma's AI model development activities; the explicit carve-out for enterprise processor relationships means enterprise-context users are governed by separate contractual arrangements rather than this policy.
Institutional analysis available with Compliance
Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.
Start Compliance free trial3 important changes detected
3 versions captured · Last updated: June 2026
Luma AI removed the word 'API' from the navigation menu in its privacy policy header on April 29, 2026. The previous version listed 'Product Pricing API Enterprise News' while the …
View change record →New provision creates a significant carve-out where enterprise customers' own privacy policies supersede Luma's stated commitments, limiting user protections in B2B contexts.
New provision explicitly authorizes data collection from external third parties and data brokers, expanding the sources of personal information beyond direct user interactions.
Separates and reframes conversation data collection into a distinct provision with reduced severity, making it less prominent despite the sensitivity of chat content including multimedia materials.
New provision articulates data retention and deletion practices, providing transparency about how long personal information is retained.
Removal of explicit partner and affiliate data sharing clause may represent narrowing of permitted disclosures or reframing under different provisions.
Removal of the explicit Do Not Track disclaimer may indicate compliance improvement or simply streamlining of privacy policy language.
Removal of COPPA compliance statement may obscure the service's position on child data protection or indicate the policy was relocated elsewhere in the document.
Removal of the high-severity 'Legitimate Interests' legal basis provision eliminates transparency around broad processing justifications, potentially obscuring reliance on legitimate interests for data use.
Severity downgraded from high to medium, and the provision was split—conversation/input data collection details moved to separate 'Conversation and Input Data Collection' provision, removing the explicit statement about Outputs reproducing Input information.
Text is identical; provision retained with no changes.
Provision name slightly revised from 'Broad Data Collection — Device, Location, and Usage Tracking' to 'Broad Device and Usage Data Collection' but excerpt text appears identical.
Text is identical; provision retained with no changes.
2 provisions unchanged.
View full change record →Monitoring
Luma AI has updated this document before.
Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
Compliance Governance Intelligence
Need provision-level monitoring and regulatory mapping?
Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.
Start Compliance free trialCross-platform context
See how other platforms handle AI Model Training Use of User Content and similar clauses.
Compare across platforms →Governance Monitoring
Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.