Luma owns all data derived from analyzing how users interact with and use its services, including any anonymized or aggregated data derived from user activity.
This analysis describes what Luma AI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Even if your individual personal data is deleted, Luma retains ownership of the aggregated and usage data derived from your activity and the analytical insights generated from it, which can be used to develop new products and services.
Interpretive note: Whether the aggregation process adequately anonymizes personal data to remove GDPR and CCPA applicability depends on Luma's specific technical methodology, which is not described in the agreement.
Luma retains full ownership of usage patterns and aggregated behavioral data derived from your interactions with the platform, and this data can be used to build new products and services, even after you close your account.
How other platforms handle this
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
RedCard. We share information with our financial partners to operate the Target RedCard program.
Monitoring
Luma AI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"As between the parties, Luma owns and retains all right, title, and interest, including all related intellectual property and proprietary rights, in and to the Aggregated Data and Usage Data (including any improvements, modifications, and enhancements thereto), the know-how and analytical results generated in the Processing and use thereof, and any and all new products, services, and developments, modifications, customizations, or improvements to the Services made based on the Aggregated Data or Usage Data.— Excerpt from Luma AI's Luma AI Terms of Service
(1) REGULATORY LANDSCAPE: This provision engages GDPR's treatment of anonymized and aggregated data. If the data is genuinely anonymized to GDPR standards, it falls outside GDPR's scope and Luma's ownership assertion is generally consistent with applicable law. However, if aggregated data can be re-identified or if the aggregation process itself involves personal data processing, GDPR obligations apply. The California Consumer Privacy Act similarly does not apply to genuinely aggregated data but does govern the processing steps used to create it. The FTC's guidance on data minimization and purpose limitation is relevant context. (2) GOVERNANCE EXPOSURE: Medium. The breadth of the ownership assertion, which includes all know-how and analytical results generated from usage data and all new products developed based on such data, is standard in SaaS agreements but should be noted by enterprise customers who may seek to negotiate limitations. The key legal question is whether the aggregation process adequately anonymizes personal data such that GDPR and CCPA frameworks no longer apply. (3) JURISDICTION FLAGS: EU/EEA deployment requires careful assessment of whether Luma's aggregation methodology meets GDPR anonymization standards as interpreted by the European Data Protection Board. The standard for genuine anonymization under GDPR is high, and pseudonymization is not equivalent to anonymization. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should request transparency about the specific data categories included in Usage Data and Aggregated Data and the anonymization methodology applied. This provision effectively means Luma can use behavioral insights derived from enterprise customer deployments to improve its products and develop competitive offerings, which may be a commercial concern in some contexts. (5) COMPLIANCE CONSIDERATIONS: Data mapping exercises should distinguish between personal data processing steps involved in creating Aggregated Data and the Aggregated Data itself. If the aggregation process involves personal data, a lawful basis and appropriate safeguards must be identified. Privacy notices should disclose that usage and aggregated data are used for product improvement purposes.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Even if your individual personal data is deleted, Luma retains ownership of the aggregated and usage data derived from your activity and the analytical insights generated from it, which can be used to develop new products and services.
Luma retains full ownership of usage patterns and aggregated behavioral data derived from your interactions with the platform, and this data can be used to build new products and services, even after you close your account.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Luma AI.