
Privacy Policy

Effective Date: June 20, 2026

Scope: United States Users Only

LumoTravel.ai is operated by LumoTravel LLC, a New York limited liability company ("LumoTravel," "we," "us," or "our"), which provides an automated flight and hotel price monitoring and optimization platform. Because we handle your travel itineraries (flights and hotels) and act on your behalf to secure airline credits and lower hotel rates, security and transparency are our foundational principles.

This Privacy Policy explains how we collect, use, retain, and protect your information when you use our website, application, and related services (collectively, the "Services").

1. Information We Collect

We collect information necessary to monitor your travel portfolio, negotiate with airlines and hotels on your behalf, and ensure the security of your account.

  • Account Information: When you create an account, we collect your name and email address.
  • Identity & Verification Data: To successfully execute rebookings and claim e-credits with airlines, and to cancel and rebook hotel reservations on your behalf, we collect your Date of Birth and Phone Number. This data must exactly match your official travel documents.
  • Travel Itinerary Data: When you forward a booking confirmation to us, or sync your inbox (see "Google Account Data" below for how Gmail inbox sync is handled — limited to flight booking confirmations from airlines and travel agencies; all other email is ignored), we extract your travel data. For flights this includes your Passenger Name Record (PNR), origin, destination, dates, airline, flight numbers, cabin class, fare brand, seat assignments, and original price paid; for hotels this includes your reservation/confirmation number, property name, city, check-in and check-out dates, room type, rate, and original price paid. For a flight booked with points or miles (an award ticket), we additionally extract the loyalty program you redeemed with, the number of miles redeemed, and any cash taxes or co-pay.
  • Financial Information: To process our success fee, we require a valid payment method. All payment data is vaulted and processed directly by our payment provider, Stripe. LumoTravel does not view, collect, or store your raw credit card numbers.
  • Device & Usage Data: We collect standard technical information when you interact with our Services, including your IP address, browser type, and interaction logs.

2. How We Use Your Information

LumoTravel operates strictly on a performance model. We use your data exclusively to deliver that performance and optimize your travel portfolio:

  • To Provide the Service: We continuously monitor the extracted details of your flights and hotel reservations to detect price drops.
  • To Execute Rebookings: We use your PNR or hotel reservation number, name, Date of Birth, and Phone Number to interface with airlines and hotels and secure your e-credits or rebooked lower rates.
  • To Communicate With You: We send strictly transactional emails, including price drop alerts, claim tokens, and success fee receipts. We also send promotional updates, which you may opt out of at any time.
  • To Ensure Security: We monitor usage data to prevent fraud and unauthorized access, and to debug platform errors.

3. Information Sharing & Sub-processors

We do not sell your personal data. We only share information with trusted infrastructure partners, airlines, and hotels to the extent necessary to provide the Services.

  • Airlines, Hotels & Travel Providers: To secure your e-credit or rebook a lower hotel rate, we must transmit your booking details back to the respective airline or hotel (e.g., Delta, United, Marriott, Hilton). Disclaimer: Once this data is transmitted to the travel provider, it is governed exclusively by that provider's privacy policy. LumoTravel is not liable for how airlines or hotels handle or retain your data.
  • Infrastructure Sub-processors: We utilize enterprise-grade vendors to host and operate our platform, including providers for database and authentication, application hosting, payment processing, travel-pricing data, email delivery, error logging, and customer support chat. A current list of our named sub-processors is available on request at legal@lumotravel.ai.
  • Data Parsing & AI Models: We use a third-party AI provider to parse your confirmation emails into structured trip details. We use this provider under terms that prohibit it from using your data to train or improve its AI models, or from having its personnel review your content, so your personal data and itineraries are never used to develop, improve, or train generalized (non-personalized) artificial-intelligence or machine-learning models.
  • Human Operations: In cases where an airline strictly prohibits automated rebookings, or where a hotel reprice must be executed by cancelling the refundable reservation and rebooking it, authorized, US-based LumoTravel personnel will securely access specific booking details (Name and PNR, or hotel confirmation number) to manually execute the rebooking on your behalf.
  • Customer Support Chat: Our in-app support chat is operated by Crisp (Crisp IM SAS, France). When you open the chat, Crisp processes your account email, name, IP address, the in-app pages you view, your device and browser information, and the content of the messages you send, stored on servers within the European Union (Netherlands and Germany). We never share data obtained from your Google account — including email content or itineraries synced from Gmail — with Crisp.

4. Data Security

We protect the travel data and account credentials you entrust to us with layered, industry-standard safeguards, designed to keep your information secure both in transit and at rest:

  • Encryption in Transit: All data exchanged between you, LumoTravel, and our infrastructure providers is protected with TLS encryption (HTTPS), so it is never transmitted in the clear.
  • Encryption at Rest: The databases that store your information are encrypted at rest by our hosting providers. As an additional layer, we apply field-level encryption to the most sensitive identifiers we hold, including your flight Passenger Name Records (PNRs), hotel confirmation numbers, traveler names, and the access credential for a connected Gmail account. These fields are encrypted with a key held separately from the database, so they remain protected even against direct database access.
  • Payment Data: We never store your raw card numbers. Payment credentials are vaulted and processed entirely by our PCI-DSS-compliant payment provider, Stripe.
  • Access Controls & Isolation: Your data is isolated at the database level so that each account can access only its own records. Internal access is limited to a small number of authorized, US-based personnel, is restricted to the specific booking identifiers needed to perform a task, and is never used to browse your inbox.
  • Minimized Handling of Email Content: When you connect Gmail, raw message content is used only transiently to extract your trip details and is never written to durable storage (see "Google Account Data" below). We do not retain the bodies of synced emails.
  • Operational Safeguards: We monitor our systems for unauthorized access and abuse, keep sensitive values out of our application logs, and maintain a published security contact for responsible disclosure at lumotravel.ai/.well-known/security.txt.

No method of electronic transmission or storage is completely secure, so we cannot guarantee absolute security. We do, however, work continuously to protect your information and to address any vulnerability promptly.

5. Google Account Data (Gmail Inbox Sync)

If you choose to connect your Gmail account, LumoTravel requests read-only access (the Google gmail.readonly scope) to read your email messages solely to detect flight booking confirmations and identify trips eligible for price monitoring. These confirmations come both directly from airlines and from travel agencies that book flights on your behalf — including online travel agencies and bank or credit-card travel portals (for example, Expedia, Booking.com, Chase Travel, American Express Travel, or Capital One Travel). Detecting a booking requires reading the body of these flight-confirmation emails (which contain the flight numbers, PNR, and fare, and — for an award ticket — the loyalty program, miles redeemed, and any cash co-pay); email headers alone are not sufficient. We identify candidate confirmations using the sender and the message content, parse only flight-confirmation content, and ignore all other email. We never send, modify, label, or delete your email.

Before we request access to your Gmail account, we show an in-app disclosure that names exactly what we access (your Gmail messages, read-only) and why, which you must affirmatively approve before you are sent to Google's consent screen. Connecting Gmail is optional; flight and hotel forwarding and manual entry remain available without it. (Gmail inbox sync currently detects flight confirmations only; hotels can be added by forwarding a confirmation or entering them by hand.)

The use of information received from Google Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements. Specifically:

  • We do not transfer or sell information obtained through Google APIs to third parties, except: to provide or improve user-facing features that are prominent in the LumoTravel application and only with your consent; for security purposes (such as investigating abuse); to comply with applicable law; or in connection with a merger, acquisition, or sale of assets, with notice to you.
  • We do not use this information for advertising, including personalized, interest-based, or retargeted advertising.
  • We do not retain Google user data to develop, improve, or train generalized (non-personalized) artificial-intelligence or machine-learning models.
  • We do not allow humans to read this data, except where you have given explicit consent to view specific messages, where necessary for security purposes (such as investigating abuse), or where required to comply with applicable law. Where an operator must use your booking identifiers (such as your name and PNR, or hotel confirmation number) to execute a rebooking an airline or hotel does not permit us to automate, that operator uses only the identifiers from the trip you enrolled us to act on; operators do not browse your Gmail.

Raw Gmail message bodies (the HTML and text) are never written to durable storage and are discarded immediately after parsing. The structured flight details we extract are retained while your account is active so we can monitor and reprice your trips; the message subject line is retained as routing metadata and purged on the same 30-day schedule as forwarded email. You can disconnect Gmail or delete your account at any time. Disconnecting Gmail stops all future inbox sync and revokes Google's access to your mailbox; trips already enrolled remain under monitoring so we can continue to reprice them. Deleting your account additionally removes the flight data derived from your inbox — except that where a trip resulted in a repricing or a charge, the associated transaction record and operator audit log are retained for up to seven (7) years for tax and accounting compliance, as described in our Data Retention & Deletion section below. If a self-service disconnect or deletion control is not yet available to you, email support@lumotravel.ai and we will disconnect Gmail or delete your data for you.

6. Data Retention & Deletion

We adhere to a strict data minimization protocol:

  • Raw Emails: If you forward an email to us, the raw HTML and text of that message are permanently purged from our systems after 30 days. (For Gmail inbox sync, the message body is never stored at all — it is discarded immediately after parsing; only the subject line is retained as routing metadata, under the same 30-day purge, as described in the "Google Account Data" section.)
  • Active Travel Data: Parsed flight and hotel booking data, your Date of Birth, and your Phone Number are retained while your account is active so we can continuously monitor and reprice future bookings.
  • Records of Repricings, Charges & Audit Ledgers: If you choose to delete your account, we will immediately purge your travel dashboard and active monitoring data. However, to comply with federal tax and accounting laws, we retain records of repricings and charges, anonymized operator audit logs, and Stripe transaction records for up to seven (7) years.

7. Cookies & Tracking Technologies

We use cookies to maintain the security and functionality of the platform:

  • Essential Cookies: Required to keep your session authenticated and secure while using the dashboard.
  • Analytics Cookies: Used to understand how users interact with our marketing pages so we can improve the platform. You may adjust your browser settings to decline non-essential cookies.
  • Support Chat Cookies: When you use our in-app support chat, our support provider (Crisp) sets a functional first-party cookie to maintain your conversation.

8. Your Privacy Choices

You retain full control over your travel portfolio and personal data:

  • Account Deletion: You may request the deletion of your account and travel data at any time via your account settings.
  • Inbox Sync Controls: You may turn off automatic enrollment and disconnect a connected inbox at any time from your dashboard settings (see our Terms of Service).
  • Tracking Controls: You may pause or stop monitoring for any specific trip — flight or hotel — directly from your dashboard.
  • Marketing Opt-Out: You may unsubscribe from promotional emails at any time using the link provided at the bottom of the emails. Transactional notices regarding charges and security will still be delivered.

9. Children's Privacy

LumoTravel acts as an authorized agent for financial optimization. Therefore, you must be at least 18 years old to use our Services. We do not knowingly collect personal information from individuals under 18. If we become aware that we have collected such data, we will immediately delete it.

10. US State Privacy Rights (CCPA/CPRA)

If you are a resident of California, Virginia, Colorado, or other states with applicable privacy laws, you possess specific rights regarding your personal information:

  • Right to Know: You may request a copy of the specific pieces of personal data we hold about you by emailing support@lumotravel.ai, and we will provide it within the period required by applicable law.
  • Right to Delete: You may request the deletion of your personal data, subject to the financial compliance exceptions noted in our Data Retention & Deletion section.
  • Do Not Sell My Personal Information: LumoTravel categorically does not sell your personal data, nor do we share it for cross-context behavioral advertising.

11. Changes to this Policy

We may update this Privacy Policy as we add new features (such as direct email inbox syncing) or as regulatory requirements change. We will notify you of any material changes by updating the "Effective Date" and sending a notice to the email address associated with your account.

12. Contact Us

If you have any questions regarding this Privacy Policy, our data practices, or if you wish to exercise your data rights, please contact us at:

LumoTravel LLC
Email: support@lumotravel.ai