GDPR Compliance

Information about our compliance with the General Data Protection Regulation (GDPR).

Last updated: September 20, 2025

This document outlines Lumora Cloud's compliance with the General Data Protection Regulation (GDPR) and explains your rights as a data subject.

1. GDPR Overview and Our Commitment

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to all individuals within the European Union and European Economic Area. Lumora Cloud is committed to full GDPR compliance and protecting the privacy rights of all our users. As a data controller and processor, we have implemented comprehensive measures to ensure your personal data is processed lawfully, fairly, and transparently. This document outlines our GDPR compliance practices and your rights under the regulation.

2. Legal Basis for Data Processing

We process personal data only when we have a valid legal basis:

Contract Performance:
• Processing necessary to provide our productivity platform services
• Managing your account and subscription
• Delivering features like task management and collaboration tools

Legitimate Interests:
• Platform security and fraud prevention
• Service improvement and analytics
• Customer support and communication

Consent:
• Marketing communications (with explicit opt-in)
• Non-essential cookies and tracking
• Optional features and integrations

Legal Obligation:
• Compliance with applicable laws and regulations
• Response to legal requests and court orders
• Tax and financial record keeping

3. Your Rights Under GDPR

As a data subject, you have the following rights:

Right of Access (Article 15):
• Request a copy of personal data we hold about you
• Receive information about how your data is processed
• Access data in a commonly used, machine-readable format

Right to Rectification (Article 16):
• Correct inaccurate or incomplete personal data
• Update your profile and account information
• Request correction of processing records

Right to Erasure (Article 17):
• Request deletion of your personal data
• Exercise 'right to be forgotten' where applicable
• Note: Some data may be retained for legal or legitimate business purposes

Right to Restrict Processing (Article 18):
• Limit how we process your personal data
• Suspend processing while disputes are resolved
• Maintain data without active processing

Right to Data Portability (Article 20):
• Export your data in a structured, commonly used format
• Transfer data to another service provider
• Receive data directly or have it transmitted to another controller

Right to Object (Article 21):
• Object to processing based on legitimate interests
• Opt out of direct marketing communications
• Object to automated decision-making and profiling

4. Data Protection Measures and Security

We implement comprehensive technical and organizational measures:

Technical Safeguards:
• End-to-end encryption for data in transit and at rest
• Multi-factor authentication and access controls
• Regular security audits and penetration testing
• Automated threat detection and response systems
• Secure development practices and code reviews

Organizational Measures:
• Data protection by design and by default
• Regular staff training on data protection
• Clear data processing policies and procedures
• Incident response and breach notification procedures
• Vendor management and due diligence processes

Compliance Certifications:
• SOC 2 Type II certification
• ISO 27001 information security management
• Regular third-party security assessments
• Compliance with industry best practices

5. International Data Transfers

Lumora Cloud operates globally, and your data may be transferred outside the EEA:

Transfer Safeguards:
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions for transfers to countries with adequate protection
• Binding Corporate Rules for intra-group transfers
• Certification schemes and codes of conduct where applicable

Transfer Locations:
• Primary data processing occurs within the EEA
• Some service providers may be located in the United States or other countries
• All transfers are subject to appropriate safeguards and legal mechanisms
• We regularly review and update transfer mechanisms as regulations evolve

Your Rights:
• You can request information about specific transfer safeguards
• You may object to transfers in certain circumstances
• We will provide details of transfer mechanisms upon request

6. Data Breach Notification

We have established comprehensive breach response procedures:

Breach Detection:
• Automated monitoring and alerting systems
• Regular security assessments and audits
• Staff training on identifying potential breaches
• Clear escalation procedures for security incidents

Notification Timeline:
• Supervisory authority notification within 72 hours of awareness
• Individual notification without undue delay for high-risk breaches
• Documentation of all breaches and response measures
• Regular review and improvement of breach response procedures

Breach Response:
• Immediate containment and assessment of the incident
• Investigation to determine scope and cause
• Implementation of measures to prevent recurrence
• Communication with affected individuals and authorities as required
• Post-incident review and process improvement

7. Automated Decision-Making and Profiling

Our platform uses AI and automated processing for productivity features:

Automated Processing:
• Task prioritization and scheduling recommendations
• Productivity insights and analytics
• Content suggestions and workflow optimization
• Spam and security threat detection

Your Rights:
• Right to human review of automated decisions
• Right to contest automated decision-making
• Right to receive explanation of automated processing logic
• Right to opt out of certain automated processing

Safeguards:
• Regular testing for bias and accuracy
• Human oversight of automated systems
• Clear explanation of automated decision logic
• Appeal processes for contested decisions

8. Data Protection Officer and Governance

We have appointed a Data Protection Officer (DPO) to oversee GDPR compliance:

DPO Responsibilities:
• Monitor compliance with GDPR and other data protection laws
• Conduct privacy impact assessments
• Serve as point of contact for supervisory authorities
• Provide guidance on data protection matters
• Handle data subject requests and complaints

Contact Information:
• Email: hello@lumora.cloud
• Response time: Within 30 days for most inquiries

Governance Structure:
• Regular privacy committee meetings
• Quarterly compliance reviews and audits
• Annual data protection training for all staff
• Continuous monitoring of regulatory developments

9. Exercising Your GDPR Rights

To exercise your GDPR rights, please contact us:

Request Methods:
• Email: hello@lumora.cloud
• Through your account settings for certain requests
• Via our support system for urgent matters

Verification Process:
• We may request additional information to verify your identity
• Verification helps protect your personal data from unauthorized access
• We will process verified requests within 30 days (extendable to 90 days for complex requests)

No Fee Policy:
• Most requests are processed free of charge
• Excessive or repetitive requests may incur a reasonable fee
• We will inform you of any fees before processing your request

Response Timeline:
• Acknowledgment within 5 business days
• Full response within 30 days of verification
• Complex requests may require up to 90 days with explanation

10. Complaints and Supervisory Authority Contact

If you believe we have not handled your personal data in accordance with GDPR:

Internal Complaint Process:
• Contact our team at hello@lumora.cloud
• We will investigate and respond within 30 days
• Escalation procedures are available for unresolved issues

Supervisory Authority:
• You have the right to lodge a complaint with your local supervisory authority
• You can contact the authority in your country of residence, work, or where the alleged violation occurred
• List of EU supervisory authorities: https://edpb.europa.eu/about-edpb/board/members_en

Lead Supervisory Authority:
• [Name of Lead Supervisory Authority]
• Address: [Authority Address]
• Website: [Authority Website]
• Email: [Authority Email]

We encourage you to contact us first so we can address your concerns directly, but you always have the right to contact supervisory authorities.