lumi.'s Privacy Policy relies on legitimate interests as the legal basis for two distinct processing activities:
Each is assessed separately below using the ICO's three-part balancing test: purpose, necessity, and balance.
To operate a functional personal journalling service: processing voice entry transcripts through AI systems to generate summaries, identify patterns, tag life areas, and maintain a longitudinal record — which is the core value proposition of lumi.
Yes. Without processing journal content through AI, lumi. cannot function. The service exists to provide AI-assisted reflection — this processing is not incidental, it is the product.
Yes. Processing personal data to deliver a service a user has signed up for and actively uses is a well-established legitimate interest recognised by the ICO. It is proportionate, lawful, and not in conflict with data protection principles.
Yes. The AI analysis that produces summaries, tags, intentions, voice profiles, and pattern alerts cannot be performed without access to the transcript content. There is no less privacy-intrusive way to deliver these features.
No. A journalling tool that does not process journal content cannot generate meaningful reflections. The data processed is the minimum necessary — transcripts are processed but audio is deleted immediately. Sensitive fields are encrypted at rest. No content appears in application logs.
Journal entry transcripts are personal and potentially sensitive — they may contain health information, relationship details, financial circumstances, or emotional content. This is a significant factor that weighs toward the individual's interests.
Users sign up for lumi. explicitly to have their journal entries processed by AI. The AI-powered nature of the service is disclosed prominently in the beta disclaimer, Terms of Service, and AI Disclosure Notice — all of which must be acknowledged before use. There is no reasonable expectation that the service would function without processing their content.
The processing is used solely to provide the service back to the same user. Content is not shared, sold, or used for any other purpose. No third party other than the necessary sub-processors (Anthropic, OpenAI, Railway) accesses content. The impact is low beyond what the user has actively chosen by using the service.
AES-256-CBC encryption at rest for all sensitive fields. Audio deleted immediately after transcription. No content in application logs. User can delete all data at any time via Settings. Full disclosure of AI processing before first use.
The controller's interest in operating a functional AI journalling service is genuine, necessary, and proportionate. Users have clear reasonable expectations that their content will be processed. Safeguards meaningfully mitigate the privacy impact. The balance falls in favour of the controller's legitimate interest.
Legitimate interests is an appropriate legal basis for service operation and improvement processing. The three-part test is satisfied. Processing should continue with the safeguards documented above maintained.
To protect user wellbeing by running an automated keyword check on entry transcripts before AI processing, and surfacing crisis support resources if signals of significant distress are detected.
Yes. lumi. handles emotionally sensitive material in a private, often unsupervised context. Users may record entries during periods of significant distress. The safety monitoring system exists specifically to ensure users are not left without signposting to support in those moments.
Yes — and unusually, this legitimate interest aligns directly with the interests of the individual being protected. The processing exists to benefit the user, not to extract value from them. The ICO recognises protecting individuals from harm as a legitimate interest even where it involves processing sensitive content.
Yes. Detecting distress signals in journal entries requires reading those entries. There is no alternative mechanism that would achieve the same protective outcome without processing the transcript content.
The processing is already minimised: the keyword check runs locally on the server before any external API call is made, uses pattern matching only (not AI analysis), does not store the result beyond a flag value, and does not involve human review at any point. The check is a single pass — it does not build a profile or retain keyword match data.
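An added illustration of the flag-only safety gate described above (example code written for this assessment, not lumi.'s own implementation): the local keyword pass runs before the external AI call, and the result type has room for nothing but a boolean, so no matched phrase or transcript text can be retained or logged. The distress patterns, the support message and the `ai_summarise` callable standing in for the sub-processor call are all constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed, illustrative distress patterns (assumption: not lumi.'s real list).
# Word boundaries keep matches to whole phrases; this is pattern matching only, no AI.
DISTRESS_PATTERNS = [
    re.compile(r"\bcan'?t (?:cope|go on)\b", re.IGNORECASE),
    re.compile(r"\bno way out\b", re.IGNORECASE),
    re.compile(r"\bnobody would (?:notice|care)\b", re.IGNORECASE),
]

# Placeholder text; a real deployment would surface the app's reviewed support resources.
SUPPORT_MESSAGE = "If you are struggling right now, support is available. [placeholder resource text]"


@dataclass(frozen=True)
class SafetyResult:
    """The only thing retained from the check: a single boolean flag.

    There is deliberately no field for matched phrases, offsets or the transcript,
    so the result cannot carry match data into storage or application logs.
    """
    distress_flag: bool


def keyword_check(transcript: str) -> SafetyResult:
    """Single local pass over the transcript; returns only the flag."""
    return SafetyResult(distress_flag=any(p.search(transcript) for p in DISTRESS_PATTERNS))


def process_entry(transcript: str, ai_summarise: Callable[[str], str]) -> dict:
    """Gate an entry: run the local check first, then hand off to the AI sub-processor.

    `ai_summarise` is a hypothetical stand-in for the external API call. The returned
    record holds the flag, any support signposting and the summary, never the raw transcript.
    """
    safety = keyword_check(transcript)   # local, before any external call is made
    summary = ai_summarise(transcript)   # external processing only after the check has run
    return {
        "distress_flag": safety.distress_flag,
        "support_resources": SUPPORT_MESSAGE if safety.distress_flag else None,
        "summary": summary,
    }
```

A false positive (the third test phrase below) only surfaces the support message; it does not block processing or alert anyone, matching the impact described in the assessment.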
The same sensitive personal data as LI-1 — journal transcripts that may contain health and emotional content. The keyword check specifically targets the most sensitive content.
Users are informed during onboarding and in the beta disclaimer that lumi. monitors entries for signs of distress and may surface support information. This is a reasonable expectation for a tool handling sensitive personal content, and users actively acknowledge it before first use.
The impact is protective, not harmful. The check either does nothing (the vast majority of entries) or surfaces support resources. No data leaves the system as a result. No third party is alerted. The user retains full control throughout.
There is no meaningful conflict. A user in distress has an interest in being signposted to support — which is exactly what the system does. A false positive shows resources the user does not need, which is a minor inconvenience rather than a harm.
This is one of the clearest cases for legitimate interests available — the processing exists to protect the very person whose data is being processed. The balance falls strongly in favour of the controller's legitimate interest.
Legitimate interests is an appropriate legal basis for safety monitoring. The three-part test is satisfied — and the individual's interests and the controller's interests align rather than conflict. Processing should continue with the safeguards documented above maintained.
| Trigger | Action |
|---|---|
| Every 12 months | Routine review — confirm processing activities, purposes, and safeguards remain accurate |
| New processing activity added | New LIA required before processing begins if legitimate interests is the intended basis |
| Material change to safety system | Re-assess LI-2 — particularly if human review is ever introduced |
| Change to sub-processors | Re-assess whether safeguards remain sufficient under LI-1 |
| ICO guidance update | Review both assessments against new guidance within 60 days |
Prepared by: Sarah-Jane Barton trading as lumi., data controller
ICO registration: C1942494
Date prepared: May 2026
Next review due: May 2027
This assessment should be reviewed by a qualified solicitor before public launch and updated as the processing activities or safeguards materially change.