What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This policy engages GDPR and UK GDPR for EEA and UK users, with Luma asserting legitimate interests as a basis for product development and internal analytics, which may face scrutiny under GDPR's legitimate interests balancing test, particularly for AI training on user-submitted content. CCPA and analogous US state privacy statutes apply to California and other qualifying US residents. The EU AI Act may require evaluation given Luma's explicit use of user data for AI model…

How does Luma AI's Luma AI Privacy Policy affect users?

The policy establishes that user-submitted content—including images, videos, and text—may be used for model training purposes. Users may request deletion of their personal data or exercise data subject rights by contacting Luma, and marketing communications may be opted out of through the same contact method. The document does not establish a separate opt-out mechanism specific to model training use.

How often is Luma AI's Luma AI Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Luma AI updates this document?

Yes. Monitor subscribers ($19/month) can add Luma AI to their watchlist and receive same-day email alerts whenever this document or any other Luma AI document changes.

CA-D-000497

Luma AI Privacy Policy

Luma AI

Last change detected May 5, 2026 Privacy policy

SHA-256: 87648a1b74cf9feda16… 2 versions captured 2 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Luma AI ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

8 Total

0 High severity

6 Medium severity

2 Low severity

Summary

This document establishes Luma AI's data collection and processing practices for users of its AI video and image generation services. The policy authorizes Luma to collect and use images, videos, text, and other personal data submitted by users to train and improve its AI models. Users in the EU and UK are entitled to exercise data subject rights including access, correction, deletion, and portability by contacting hello@lumalabs.ai.

Technical / Legal Breakdown

This document governs Luma AI's collection, use, disclosure, and processing of personal information from users of its website, applications, and AI-powered services, with stated legal bases including consent, contractual necessity, legal obligation, and legitimate interests for EEA/UK users under GDPR. The policy asserts that Luma collects a broad range of data including user-uploaded images and videos, AI conversation inputs and outputs, device identifiers, location inferred from IP address, collaboration data including real-time cursor position, and third-party sourced data from marketing partners and data providers; notably, the terms authorize use of this information to train and improve Luma's AI models and machine learning systems. The explicit authorization to use user-uploaded content and conversation inputs for AI model training is an operationally significant provision that may engage user expectations around content ownership and consent, particularly given that inputs may include personal images, videos, and text; the policy does not specify an opt-out mechanism for AI training use specifically, which may create tension with GDPR legitimate interests balancing requirements and emerging AI-specific regulatory frameworks. The policy engages GDPR and UK GDPR for EEA and UK users, CCPA and similar US state privacy laws for California and other US residents, and may require evaluation under the EU AI Act given Luma's AI model development activities; the explicit carve-out for enterprise processor relationships means enterprise-context users are governed by separate contractual arrangements rather than this policy.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

2 important changes detected

2 versions captured · Last updated: May 2026

May 5, 2026

low

What changed Luma AI added a navigation link to 'API' in the header of their privacy policy page on May 5, 2026. This is a minor website navigation change with no impact on the actual privacy practices, data handling, or rights described in the policy itself.

Why this matters This change adds a website navigation link and has no material impact on consumer privacy rights, data handling practices, or policy terms. The underlying privacy policy language and protections remain unchanged.

View full change record →

April 29, 2026

low

What changed Luma AI removed the word 'API' from the navigation menu in its privacy policy header on April 29, 2026. The previous version listed 'Product Pricing API Enterprise News' while the updated version states 'Product Pricing Enterprise News'. This is a formatting or navigation change with no operational effect on the privacy practices described in the policy itself.

Why this matters This change does not affect consumer rights, data handling, or privacy practices. The updated policy describes the same privacy practices as before. The modification is limited to the website navigation menu presented at the top of the policy document.

View full change record →

Medium — 6 provisions

AI Model Training on User Content Compare →

Luma uses the images, videos, text, and other content you submit to its services to train and improve its AI models.

Added April 30, 2026 Standard Seen across 284 platforms
Enterprise Processor Carve-Out Compare →

If you use Luma through an enterprise customer's deployment, this privacy policy does not protect you; instead, the enterprise customer controls how your data is handled under a separate agreement.

Added May 8, 2026 Standard Seen across 284 platforms
Third-Party Data Sourcing Compare →

Luma may buy or obtain personal information about you from data brokers, marketing partners, and public sources, and combine it with data it already holds about you.

Added May 10, 2026 Standard Seen across 284 platforms
Business Transfer Clause Compare →

If Luma is sold, merges with another company, or goes through bankruptcy, your personal information may be transferred to the new owner as part of that transaction.

Added May 10, 2026 Standard Seen across 252 platforms
Broad Device and Usage Data Collection Compare →

Luma collects detailed technical information about your device, including advertising identifiers, installed applications, CPU usage, and network type, every time you use its services.

Added May 10, 2026 Standard Seen across 284 platforms
Conversation and Input Data Collection Compare →

Everything you type, upload, or share in a conversation with Luma's AI agents is collected and stored, and may appear in the AI's responses.

Added May 10, 2026 Standard Seen across 284 platforms

Low — 2 provisions

European Privacy Rights Compare →

If you are in the EU or UK, you have the right to access, correct, delete, restrict, or export your personal data, and to complain to your national data protection authority.

Added April 30, 2026 Standard Seen across 284 platforms
Data Retention Policy Compare →

Luma keeps your personal data for as long as it is needed for its stated purposes, though specific retention periods are not defined in the policy.

Added May 10, 2026 Standard Seen across 284 platforms