Data Processing Agreement

Last updated: May 27, 2026

This Data Processing Agreement ("DPA") governs the processing of Customer Personal Data (as defined below) by LayGen Inc d/b/a Lume ("Lume", "we", "us", and "our") in connection with providing the Lume Services to Customers. This DPA supplements, and is incorporated by reference into, the Lume Terms of Service and any relevant order for Lume Services. By using the Lume Services, or by signing an order for Lume Services, you accept and agree to be bound by this DPA.

Lume may update this DPA at any time, in its sole discretion. Lume will notify you of changes to this DPA by posting the changes to the Lume website or application, by email, or through other communications. If you continue to use the Lume Services after Lume posts updates to the DPA, you agree to be bound by those updated terms.

This DPA will remain in effect from the earlier of the date you begin using the Lume Services or enter an order for Lume Services, until such time as Lume no longer processes Customer Personal Data on your behalf. This DPA will expire upon deletion or disposal of all Customer Personal Data.

1. Definitions

"Account Data" means Personal Data of Customer's personnel and authorized representatives that Lume collects in connection with account creation, billing, access to the Lume Services, and contract administration.

"Customer" or "you" means the merchant or business counterparty entering this DPA.

"Customer Personal Data" means Personal Data processed by Lume on behalf of Customer in connection with the provision of the Lume Services. Customer Personal Data does not include Account Data, or Personal Data that Lume or its affiliates receive directly from Lume's end users.

"Data Protection Laws" means all applicable data privacy and data protection laws, rules, and regulations to which Customer Personal Data is subject, which may include the GDPR and US Data Protection Laws.

"Data Subject Request" means a valid and lawful request from or on behalf of an individual to exercise that individual's rights relating to Personal Data under Data Protection Laws.

"GDPR" means the EU General Data Protection Regulation 2016/679 or, where applicable, the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018.

"Lume Services" means the messaging-automation platform and related services that Lume provides to ecommerce stores, including the delivery of messages through the Service (including WhatsApp and SMS/MMS) and integrations with ecommerce platforms such as Shopify and Wix, as further described in the Lume Terms of Service.

"Lume Terms of Service" means the Lume Terms of Service available at /terms, as updated from time to time.

"Non-Personal Data" means Customer Personal Data that has been aggregated, de-identified, or anonymized so it no longer meets the definition of Personal Data under Data Protection Laws, and cannot reasonably be identified to Customer.

"Personal Data" has the meaning assigned to the terms "personal data", "personal information", "personally identifiable information", and similar terms as defined under Data Protection Laws.

"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Customer Personal Data on systems managed by or otherwise controlled by or on behalf of Lume.

"Standard Contractual Clauses" means the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

"UK" means the United Kingdom of Great Britain and Northern Ireland.

"US Data Protection Laws" means all applicable federal and state data privacy and data protection laws, rules, and regulations in effect in the United States to which Customer Personal Data is subject, including the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020.

"UK Addendum" means the International Data Transfer Addendum to the European Commission's standard contractual clauses for international data transfers issued by the UK Information Commissioner's Office under S119A(1) of the UK Data Protection Act 2018.

The terms "controller", "processor", "data subject", "process", "supervisory authority", "sensitive personal data", "special categories of personal data", "subprocessor", "business", and "service provider" will have the same meaning assigned to them in relevant Data Protection Laws.

Under this DPA, the words "include" and "including" mean "including but not limited to."

Capitalized terms used but not defined within this DPA will have the meaning set forth in the Lume Terms of Service.

2. Roles of the Parties

2.1 When providing the Lume Services to Customers and as otherwise set forth in this Section: (a) for purposes of the GDPR, Customer acts as a controller or processor, and Lume acts as a processor or subprocessor, as further described in Schedule 1; and (b) for purposes of US Data Protection Laws, Lume acts as a service provider or processor, as further described in Schedule 3.

2.2 Where Lume processes Account Data, for purposes of the GDPR, it acts as a data controller. For purposes of US Data Protection Laws, Lume acts as a business. Lume's data processing activities related to Account Data are subject to the Lume Privacy Policy.

2.3 Customer represents and warrants that: (a) Customer will comply with its obligations as a controller under Data Protection Laws in respect of its processing of Customer Personal Data and any processing instructions it issues to Lume; and (b) it has provided notice and obtained all necessary authorization (including verifiable consent) and rights necessary under Data Protection Laws for Lume to process Customer Personal Data and provide the Lume Services. Customer's obligations include obtaining valid consent before sending messages through the Service (including WhatsApp and SMS/MMS), consistent with the Lume Anti-Spam Policy.

3. Data Processing

3.1 Lume will process Customer Personal Data only to provide the Lume Services in accordance with the Lume Terms of Service and any relevant order. Customer may issue further written instructions in accordance with this DPA. Lume will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer's instructions and Data Protection Laws, and the parties will act promptly and in good faith to modify the instructions.

3.2 Lume will limit access to Customer Personal Data only to personnel who have a business need for such access, and will ensure that such personnel are subject to confidentiality obligations at least as protective of Customer Personal Data as the terms of this DPA.

3.3 Where permitted by Data Protection Laws, Lume may process Customer Personal Data: (i) for its internal use to build or improve the quality of its products and services; (ii) to detect Security Incidents; (iii) to protect against fraudulent or illegal activity, including to verify that a subscriber is authorized to consent to receive marketing messages by identifying the device or confirming the subscriber's contact information; and (iv) any other purposes permitted by Data Protection Laws.

3.4 Lume may process Non-Personal Data for its own lawful purposes, including to improve Lume's products and services.

4. Subprocessors

4.1 Customer authorizes Lume to engage subprocessors to process Customer Personal Data. Lume will enter into a written agreement with subprocessors imposing requirements for processing Customer Personal Data that are consistent with this DPA. Lume will remain responsible to Customer for a subprocessor's failure to perform its obligations related to processing of Customer Personal Data.

4.2 Lume makes available the list of subprocessors below. Lume will publish and make available to Customer any proposed updates with reasonable advance notice. Lume may notify Customer via the Lume website or application, the contact email associated with Customer's account, or other means of communication. Customer may object in good faith to Lume's use of a new subprocessor by written notice to hi@golume.app within ten (10) days after Lume has published its proposed change. The parties will work together in good faith to find a mutually acceptable resolution to such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, either party may, as its sole and exclusive remedy, terminate the portion of any relevant order relating to the affected Lume Services by providing no less than thirty (30) days' written notice. During any such objection period, Lume may suspend the affected portion of the Lume Services in its sole discretion.

Sub-processors

The current list of sub-processors may be updated from time to time; the latest list is available on request at hi@golume.app.

5. Cross-Border Transfers of Customer's Personal Data

5.1 Customer authorizes Lume to store and process Customer Personal Data anywhere Lume or its subprocessors maintain facilities, including the United States.

5.2 If Customer Personal Data originating in the European Economic Area is transferred, either directly or via onward transfer, to a country that is not recognized by the European Commission as providing an adequate level of protection for Personal Data, the Standard Contractual Clauses as supplemented by this DPA will apply to the transfer. Each party's acceptance of this DPA will be considered a signature to the Standard Contractual Clauses to the extent applicable hereunder. For purposes of the Standard Contractual Clauses:

  1. Module Two will apply in the case of processing where Customer acts as a controller of Customer Personal Data with Lume acting as a processor of Customer Personal Data. Module Three will apply in the case of processing where Customer acts as a processor of Customer Personal Data with Lume acting as a subprocessor of Customer Personal Data.
  2. Clause 7 of the Standard Contractual Clauses (Docking Clause) will not apply.
  3. Clause 9(a) Option 2 (General Written Authorization) is selected, and the time period to be specified is determined in Section 4 (Subprocessors).
  4. The option in clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.
  5. With regard to clause 17 of the Standard Contractual Clauses (Governing law), Customer and Lume agree that option one will apply, and that the governing law will be the law of the Republic of Ireland.
  6. In clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), Customer and Lume agree that any dispute arising from the Standard Contractual Clauses will be resolved by the courts of the Republic of Ireland.
  7. For the purpose of Annex I of the Standard Contractual Clauses, Schedule 1 contains the specifications regarding the parties, the description of the transfer, and the competent supervisory authority.
  8. For the purpose of Annex II of the Standard Contractual Clauses, Schedule 2 contains the technical and organizational measures.
  9. The specifications for Annex III of the Standard Contractual Clauses are determined by Section 4 (Subprocessors) of this DPA. The subprocessor's contact person's name, position, and contact details will be provided by Lume upon request.

5.3 If Customer Personal Data originating in the UK is transferred, either directly or via onward transfer, to a country that is not recognized by the UK as providing an adequate level of protection for Personal Data, the UK Addendum will apply to the transfer, and will be deemed executed between the relevant Customer and Lume. If Customer directs Lume to transfer Customer Personal Data from any other jurisdiction where applicable Data Protection Laws require that additional steps, or safeguards, be imposed before such Customer Personal Data can be transferred to another jurisdiction, Lume will cooperate with Customer to take appropriate steps to comply with applicable Data Protection Laws.

5.4 Lume will, upon Customer's request, provide information to Customer which is reasonably necessary to complete a transfer impact assessment. At Lume's reasonable request, Customer will reimburse Lume for any assistance provided by Lume with respect to a transfer impact assessment.

5.5 Lume may, in its sole discretion, replace any transfer mechanism to ensure that data transfers comply with Data Protection Laws. If at any time a transfer mechanism set forth in this DPA ceases to constitute an appropriate safeguard under Data Protection Laws, Lume may update this DPA with alternative appropriate measures.

6. Data Subject Rights Requests

As between Customer and Lume, Customer will have sole discretion and responsibility in responding to Data Subject Requests. Lume will provide Customer with self-service functionality, or with other reasonable assistance as required for Customer to fulfill its obligations under Data Protection Laws to respond to Data Subject Requests. Lume may charge Customer, and Customer will reimburse Lume, for any such assistance beyond providing self-service features included as part of the Lume Services. Lume will forward to Customer without undue delay any Data Subject Request received by Lume, and may advise the relevant individual to submit their request directly to Customer. Requests directed to Lume may be sent to hi@golume.app.

7. Regulator and Government Requests

Lume will provide prompt written notice to Customer of any request for disclosure of, or access to, Customer Personal Data, or any other notices, complaints, or enforcement actions related to Customer Personal Data, that have been submitted or brought by a government or regulatory body or law enforcement agency, including any data protection supervisory authority. The foregoing obligation will not apply to the extent prohibited by law or legally binding order of the relevant body or agency. Where possible, Lume will allow Customer to assume conduct of and respond to requests under this Section, or otherwise challenge such request by all reasonable means.

8. Data Protection Impact Assessments and Prior Consultation

Where required by Data Protection Laws, at Customer's expense, Lume will provide reasonable assistance to Customer to perform a data protection impact assessment.

9. Security

Lume will implement and maintain reasonable administrative, technical, and physical measures designed to protect Customer Personal Data. When assessing the appropriate level of security, Lume will take into account the nature of the Customer Personal Data, and the scope, context, and purpose of relevant processing.

10. Security Incidents

Upon becoming aware of a Security Incident, Lume will provide written notice as required by Data Protection Laws without undue delay and within the time frame required under Data Protection Laws to the email address associated with Customer's account. Where possible, such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or data subjects affected by the Security Incident. Lume will take reasonable steps to contain, investigate, and mitigate any Security Incident, and to the extent practicable, will provide Customer with timely information about the foregoing. Lume's notification or response to a Security Incident under this Section will not be construed as an acknowledgement of any fault or liability by Lume.

11. Assessments and Audits

Lume will provide information reasonably necessary to demonstrate compliance with this DPA upon Customer's reasonable request. Where Data Protection Laws afford Customer an audit right, Customer (or its independent third-party auditor reasonably acceptable to Lume) may carry out an audit of Lume's policies, procedures, and records relevant to the processing of Customer Personal Data by having Lume complete a data protection questionnaire of reasonable length.

12. End of Processing

Following termination of a Customer's account and after you cease all use of the Lume Services, Lume will, at Customer's option, delete and/or provide to Customer a copy of all Customer Personal Data, except that: (a) backup or archival copies will be deleted in accordance with Lume's data retention schedule; and (b) for compliance with applicable laws, Lume will retain relevant data solely for that purpose and consistent with all other obligations under this DPA.

13. General

This DPA together with the Lume Terms of Service sets forth the entire agreement between Customer and Lume with respect to the subject matter of this DPA. Except for the changes made by this DPA, the Lume Terms of Service and any relevant order remain unchanged and in full force and effect. If any term or condition of this DPA is declared illegal or otherwise unenforceable, it will be severed from the remainder of this DPA without affecting the legality or enforceability of the remaining portions. To the extent this DPA conflicts with the Lume Terms of Service or a relevant order, this DPA will govern, unless the order expressly states that a relevant term will supersede. For the avoidance of doubt and to the extent allowed by Data Protection Laws, all limitations of liability set forth in the Lume Terms of Service apply to this DPA.

Schedule 1: Details of Processing

With respect to any transfers of Customer Personal Data falling within the scope of the GDPR from Customer (as data exporter) to Lume (as data importer):

A. List of Parties

1. Data Exporter

Customer operating in the countries which comprise the European Economic Area and UK.

Customer's contact person details will be notified to Lume prior to the processing of Customer Personal Data via Customer's account.

The activities relevant to the data transfer under the Standard Contractual Clauses are the Lume Services, as may be further described in an order between Customer and Lume.

Customer acts as a controller (Module Two) or processor (Module Three).

2. Data Importer: Lume

LayGen Inc d/b/a Lume
ATTN: Legal Department
201 E Center St
Ste 112-3320
Anaheim, CA 92805
United States

The data importer's contact person can be contacted at hi@golume.app.

The activities relevant to the data transfer under the Standard Contractual Clauses are the Lume Services, as may be further described in an order between Customer and Lume.

Lume acts as a processor (Module Two) or subprocessor (Module Three).

B. Description of the Transfer

1. Categories of Data Subjects: Customer's subscribers, customers, and other individuals that Customer may seek to engage through messages sent through the Service (including WhatsApp and SMS/MMS) using the Lume Services.

2. Categories of Personal Data Transferred: Personal Data related to Customer's messaging communications and as otherwise determined by Customer's configuration of the Lume Services, which may include full name, phone number, email address, address, shipping information, purchase and transaction information, device ID, IP address, browsing data from Customer's website (e.g. products viewed and/or included in shopping carts) via integrations such as Shopify and Wix, message content and related message data, and other Personal Data Customer may choose to collect via or provide to Lume.

3. Special Categories of Personal Data (If Applicable): Customer will not transfer any sensitive Personal Data or special categories of Personal Data to Lume.

4. Frequency of the Transfer: Personal Data is transferred on a continuous basis and is determined by the Customer's configuration of the Lume Services.

5. Nature of the Processing: Processing required for the provision of the Lume Services to Customers as further described in the Lume Terms of Service, including collection, access, use, transfer, deletion, hosting, and storage of Customer Personal Data.

6. Purpose(s) of the Data Transfer and Further Processing: Personal Data is processed for the purpose of providing the Lume Services to Customers, and as otherwise set forth in this DPA.

7. The Period for Which Personal Data Will Be Retained, or, If That Is Not Possible, The Criteria Used to Determine That Period: Lume will retain Customer Personal Data as further set forth in Section 12 (End of Processing).

8. Sub-Processor (If Applicable): The list of sub-processors is made available in Section 4 (Subprocessors) of this DPA, and the latest list is available on request at hi@golume.app.

C. Competent Supervisory Authority

The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13. With respect to Customer Personal Data subject to the UK Addendum, competent supervisory authority means the UK Information Commissioner's Office.

Schedule 2: Technical and Organizational Measures

Lume has implemented the following technical and organizational measures. Lume may update or amend these measures from time to time.

1. Administrative Measures

2. Physical Measures

3. Technical Measures

Schedule 3: US Addendum

This US Addendum will apply to any processing of Customer Personal Data by Lume as a service provider or processor under this DPA, subject to US Data Protection Laws.

To the extent required by US Data Protection Laws, Lume will not:

  1. sell Customer Personal Data or otherwise make Customer Personal Data available to any third party for monetary or other valuable consideration;
  2. share Customer Personal Data with any third party for cross-behavioral or targeted advertising;
  3. retain, use, or disclose Customer Personal Data for any purpose other than for the business purposes specified in the Lume Terms of Service and any relevant order, or as otherwise permitted by US Data Protection Laws;
  4. retain, use, or disclose Customer Personal Data outside of the direct business relationship between the parties; and
  5. except as otherwise permitted by US Data Protection Laws, combine Customer Personal Data with Personal Data that Lume receives from or on behalf of another person or persons, or collects from its own interaction with the data subject.

The foregoing will not restrict Lume from:

  1. complying with applicable laws;
  2. complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;
  3. cooperating with law enforcement agencies concerning conduct that Lume believes in good faith may violate federal, state, or local laws; or
  4. exercising or defending legal claims.

If you have questions about this DPA or wish to request a copy of the current sub-processor list, contact us at hi@golume.app. See also our Privacy Policy, Terms of Service, and Anti-Spam Policy.