Data Processing Agreement
Version v1.2 — 19 April 2026
This Data Processing Agreement ("DPA") sets out the terms under which Lumina Care Therapy ("Lumina", Company No. 16797732) processes personal data on behalf of independent therapists using the Platform, in accordance with Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Roles
Therapists are independent Data Controllers for clinical decision-making and therapy records.
Lumina acts as Data Controller for platform operations (accounts, billing, platform support, and safety monitoring).
Where therapist clinical notes are stored within the Platform, Lumina acts as Data Processor, processing such clinical data solely on the documented instructions of the Therapist (the Data Controller), except where required by applicable law.
2. Schedule — Processing Details (Article 28(3) UK GDPR)
The following details are provided in accordance with Article 28(3) UK GDPR, which requires data processing agreements to set out the subject matter, duration, nature and purpose of the processing, the type of personal data, and the categories of data subjects.
Subject Matter
The storage, retrieval, and secure hosting of clinical therapy records created by the Therapist in connection with the delivery of therapy services to patients via the Platform.
Duration
For the duration of the Therapist's active account on the Platform, and thereafter for such period as necessary to comply with the Therapist's data retention obligations or applicable law (typically 7 years from the date of last session in line with standard professional guidance), or until the Therapist instructs deletion.
Nature and Purpose of Processing
Lumina processes clinical data solely to provide secure Platform infrastructure enabling the Therapist to create, store, access, and manage therapy records. Lumina does not analyse, use, or disclose clinical data for any purpose other than the provision of this infrastructure, except as required by law or for safeguarding purposes.
Type of Personal Data Processed
- Clinical notes authored by the Therapist
- Session records and appointment history
- Patient-provided information shared within the Platform for the purpose of therapy
- Health and mental health information (Special Category Data under Article 9 UK GDPR)
- Patient identity and contact data where stored in records by the Therapist
Categories of Data Subjects
- Patients who have booked and received therapy services from the Therapist via the Platform
3. Processing Limitation
Lumina will process clinical data only for the purpose of providing secure Platform functionality and only on documented instructions from the Therapist, except where processing is required by applicable law, in which case Lumina will notify the Therapist unless prohibited from doing so by law.
4. Confidentiality
Lumina ensures that all personnel authorised to process clinical data are subject to binding confidentiality obligations (whether by contract or statutory duty) and receive appropriate data protection training.
5. Security
Lumina implements appropriate technical and organisational measures including encryption in transit (TLS 1.2+), encryption at rest, role-based access control, authentication safeguards, and audit logging. Lumina conducts regular reviews of its security posture and has completed a DPIA for health data processing. Details of security measures are available on request.
6. Sub-processors
Lumina may engage sub-processors to assist in delivering Platform services. All sub-processors are subject to written data processing agreements that impose data protection obligations equivalent to those in this DPA and consistent with UK GDPR Article 28 requirements.
For the current list of sub-processors, see our Sub-processor List.
7. Sub-processor Change Notification
In accordance with Article 28(2) UK GDPR, Lumina will provide the Therapist with prior written notice of any intended changes to sub-processors (additions or replacements) that handle clinical data. Notice will be provided by email to the Therapist's registered platform email address and by update of the Sub-processor List page, with a minimum of 30 days' notice before the change takes effect.
The Therapist has the right to object to the appointment of a new sub-processor within 14 days of receiving notice. If the Therapist objects and Lumina is unable to accommodate the objection, the Therapist may terminate their account without penalty in respect of the change. Continued use of the Platform after the notice period constitutes acceptance of the new sub-processor.
8. Breach Cooperation
Lumina shall notify the Therapist without undue delay (and in any event within 72 hours where feasible) upon becoming aware of a personal data breach affecting clinical data. Notification will include, to the extent known: the nature of the breach, the categories and approximate number of data subjects affected, the categories and approximate number of records affected, and the measures taken or proposed to address the breach. Lumina shall cooperate fully with the Therapist in meeting any applicable reporting obligations.
9. Data Subject Rights Assistance
Taking into account the nature of the processing, Lumina will provide reasonable technical and organisational assistance to enable the Therapist to respond to data subject requests relating to clinical data within the statutory timeframes. Lumina will promptly forward any data subject requests it receives that relate to clinical data to the Therapist.
10. Deletion / Return
Upon termination of the Therapist's account, Lumina will delete or return all clinical data as instructed by the Therapist within 30 days, subject to any applicable legal retention requirements that oblige Lumina to retain such data for a longer period. Lumina will notify the Therapist of any such retention obligations.
11. Audit
Lumina will make available to the Therapist all information reasonably necessary to demonstrate compliance with this DPA and will permit reasonable audits by the Therapist or a mandated auditor, subject to the following conditions: (a) a minimum of 30 days' written notice; (b) audits are conducted during normal business hours and no more than once per 12-month period (except where a breach has occurred); (c) the Therapist bears the cost of any audit; and (d) all audit findings are treated as confidential. Lumina may satisfy audit requests by providing relevant certifications or third-party audit reports in lieu of direct inspection where appropriate.
12. Diversity & Matching Data
The Platform collects diversity and preference data from therapists — including gender, cultural background, faith tradition, and LGBTQ+/trans affirming status — for the purpose of patient matching and profile display. This data constitutes Special Category Data under Article 9 UK GDPR where it relates to sexual orientation or religious belief.
Lumina processes this data as Data Controller on the basis of explicit consent provided at registration. Therapists may update or remove this information at any time via the Manage Account section. Lumina may, with therapist consent, edit this data for accuracy or platform standards compliance in accordance with the Therapist Contractor Agreement.
13. AI Processing (Lumi)
The Platform operates Lumi, an AI-powered tool that processes patient inputs to provide emotional support, self-assessment guidance, and therapist matching assistance. Lumi responses are generated via OpenAI's API. OpenAI is engaged as a sub-processor and is subject to appropriate data processing safeguards including Standard Contractual Clauses and the UK Addendum (IDTA).
Lumi conversations are not shared with therapists and do not form part of the clinical record unless the patient explicitly chooses to share them. Lumi conversations are not used to train AI models. A daily usage limit applies per user.
Lumina acts as Data Controller for Lumi conversation data. Processing is based on explicit consent provided at registration and confirmed by use of the Lumi feature.
14. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales. This DPA is subject to and forms part of the Therapist Contractor Agreement.
15. Enterprise / B2B Arrangements
This DPA governs arrangements with individual therapists. Where Lumina enters into agreements with organisations, employers, or enterprise clients, a separate Data Processing Agreement will be required that reflects the specific controller/processor relationship applicable to that arrangement. Please contact info@luminacaretherapy.co.uk to request an enterprise DPA.
Lumina Care Therapy
Company No. 16797732
Office 132, Unit 5, 399-405 Oxford Street, Mayfair, London, W1C 2BU, United Kingdom
