Luma may buy or obtain personal information about you from data brokers, marketing partners, and public sources, and combine it with data it already holds about you.
This analysis describes what Luma AI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Users may not be aware that Luma can build a more detailed profile of them by combining data from external sources with account and usage data, potentially without direct interaction from the user.
Interpretive note: The provision does not specify the categories or sources of third-party data, making it difficult to assess the full scope of data combined with user profiles; GDPR Article 14 notice adequacy depends on how this is implemented in practice.
New provision explicitly authorizes data collection from external third parties and data brokers, expanding the sources of personal information beyond direct user interactions.
View full change record →Luma may augment your profile with personal information obtained from third-party data providers and marketing partners, meaning the data Luma holds about you could be broader than what you directly provided. This is disclosed but no specific opt-out mechanism for third-party data sourcing is described in the policy.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Luma AI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Other Sources. We may obtain your personal information from other third parties, such as marketing partners, publicly available sources, and data providers, and combine it with other information we have about you.— Excerpt from Luma AI's Luma AI Privacy Policy
REGULATORY LANDSCAPE: This provision engages GDPR Article 14, which requires that data controllers notify individuals when personal data is obtained from sources other than the data subject, including the categories of data and the source. CCPA also requires disclosure of categories of personal information collected from third parties. The FTC Act's framework on data broker practices is relevant. Applicable law may constrain how broadly these terms are implemented in practice. GOVERNANCE EXPOSURE: Medium. The provision is broad and does not specify the categories of third-party data obtained or the identity of data providers. Under GDPR Article 14, Luma must provide notice to affected individuals within a reasonable period; this policy may not fully satisfy that obligation in its current form depending on how it is implemented. JURISDICTION FLAGS: EEA and UK users have the clearest rights to notice and to object to processing based on data obtained from third parties. California residents may have CCPA rights to know the sources of personal information collected about them. The breadth of the provision warrants review under any jurisdiction that regulates data broker practices. CONTRACT AND VENDOR IMPLICATIONS: Enterprises conducting due diligence on Luma should assess whether third-party data sourcing practices are disclosed in enterprise-specific agreements and whether they create any compliance issues under applicable sectoral regulations. COMPLIANCE CONSIDERATIONS: Legal teams should evaluate whether Luma's notice obligations under GDPR Article 14 are satisfied by this policy alone or require supplemental disclosure. Data mapping exercises should identify the categories of data obtained from third-party sources and assess the legal bases relied upon for such collection and use.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Users may not be aware that Luma can build a more detailed profile of them by combining data from external sources with account and usage data, potentially without direct interaction from the user.
Luma may augment your profile with personal information obtained from third-party data providers and marketing partners, meaning the data Luma holds about you could be broader than what you directly provided. This is disclosed but no specific opt-out mechanism for third-party data sourcing is described in the policy.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Luma AI.