Privacy Policy

How LUMEN collects, uses, and protects your data across our platform.

Last updated: 25 May 2026

Introduction

LUMEN is an operational intelligence platform built for healthcare insurance workflows. The platform and related services (collectively, the "Services") are operated by AFSV Consulting Hub Europe Limited, a private limited company incorporated in Ireland, with registered office at 18 Mallow Street Upper, Limerick, Ireland (CRO Number 805657; Corporation Tax Reference CT04660543MH). In this Privacy Policy, "we", "our", "us", or "the Controller" refer to AFSV Consulting Hub Europe Limited.

This Privacy Policy explains how we collect, use, store, and protect personal data when you access or use our Services. By using LUMEN, you agree to the practices described in this policy. If you do not agree, please discontinue use of our Services. This policy applies to all users including healthcare insurance staff, healthcare administrators, and organizational accounts.

Our Role: Controller and Processor

Under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), we act in two distinct capacities depending on the data category:

  • Data Controller — for account, identity, usage, technical, and communication data described below. We determine the purposes and means of this processing.
  • Data Processor — for healthcare insurance operational data submitted by or on behalf of our enterprise customers. The customer organization (e.g., a diagnostic centre, clinic, or insurer) remains the Data Controller for this data and we process it on documented instructions under a Data Processing Agreement (DPA) entered into pursuant to Article 28 GDPR.

Information We Collect

We collect the following categories of data:

Account & Identity Data

Name, email address, job title, organization name, phone number, and login credentials provided when you create an account or are invited by an organization administrator.

Usage & Operational Data

Claims workflow interactions, dashboard activity, filter selections, report views, session duration, and feature usage patterns collected automatically as you use the platform.

Healthcare Insurance Data (Processed as Processor)

Information related to insurance claims, reimbursement statuses, authorization codes, insurer identifiers, and operational workflow data submitted through or processed by the platform on behalf of your organization. This data may include information relating to health (a special category of personal data under Article 9 GDPR) and is processed strictly on documented instructions from the customer organization acting as Controller. The lawful basis for processing this special category data rests with the Controller, typically Article 9(2)(h) GDPR (management of healthcare systems and services) and/or Article 9(2)(b) GDPR, supported by applicable national law. We do not determine the purposes or means of this processing.

Technical Data

IP address, browser type and version, operating system, device identifiers, time zone, referral URLs, and crash/error logs collected automatically via our infrastructure.

Communication Data

Messages, support requests, feedback, and correspondence you send to us directly.

How We Use Your Data

We use the data we collect to:

  • Provision, operate, and maintain the LUMEN platform and Services
  • Authenticate users and manage account access controls
  • Process and display healthcare insurance operational data on your behalf
  • Provide customer support and respond to enquiries
  • Send transactional notifications, system alerts, and operational updates
  • Analyze platform usage to improve features and fix issues
  • Detect, investigate, and prevent security incidents or fraudulent activity
  • Comply with legal obligations under applicable law
  • Generate anonymized, aggregated analytics that do not identify individuals

We do not sell your personal data to third parties. We do not use healthcare operational data for advertising purposes.

Legal Bases for Processing

Each purpose listed above is supported by one or more of the following lawful bases under Article 6 GDPR:

  • Performance of a contract (Article 6(1)(b)) — provision, operation, and maintenance of the platform; authentication and access control; customer support; transactional notifications.
  • Legitimate interests (Article 6(1)(f)) — security, fraud prevention, vulnerability monitoring, platform analytics, product improvement, and anonymized aggregated reporting; namely our interest in operating a secure and reliable service. You may object to this processing at any time as described in "Your Rights" below.
  • Legal obligation (Article 6(1)(c)) — compliance with Irish corporate, tax, accounting, and consumer law and other applicable legal duties.
  • Consent (Article 6(1)(a)) — non-essential cookies, optional marketing communications, and any other consent-based processing. You may withdraw consent at any time without affecting the lawfulness of prior processing.

Where we process special category data (information relating to health) as Processor on behalf of customer organizations, the lawful basis under Article 9 GDPR rests with the customer organization acting as Controller.

Data Sharing and Sub-processors

We share personal data only in the following circumstances:

Sub-processors and Service Providers

We engage trusted third-party service providers (cloud infrastructure, hosting, email delivery, payments, monitoring, accounting) who process personal data strictly on our behalf under written data processing agreements consistent with Article 28 GDPR. An up-to-date list of our sub-processors is published at lumen.afsvgroup.com/subprocessors and is incorporated by reference into this policy. We will provide reasonable advance notice of any new sub-processor to enterprise customers as required by the applicable DPA.

Your Organization

Account administrators within your organization may access data associated with your account as permitted by your organization's role configuration within LUMEN.

Legal Requirements

We may disclose data when required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect the rights, safety, or property of LUMEN, our users, or the public.

Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected users before any such transfer occurs.

International Data Transfers

We and our sub-processors may process personal data in jurisdictions outside the European Economic Area (EEA), including India, the United Arab Emirates, and the United States. Where we transfer personal data outside the EEA to a country that has not received an adequacy decision from the European Commission, we rely on the Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision (EU) 2021/914, supplemented where necessary by a Transfer Impact Assessment and additional technical and organizational measures (encryption in transit and at rest, role-based access controls, contractual confidentiality obligations). For transfers to the United States, where the recipient is certified under the EU–U.S. Data Privacy Framework, we additionally rely on the adequacy decision of 10 July 2023. A copy of the safeguards in place is available on request at privacy@afsvgroup.com.

Data Security

LUMEN implements industry-standard technical and organizational measures to protect your data against unauthorized access, loss, alteration, or disclosure. These include:

  • TLS/HTTPS encryption for all data in transit
  • Encryption at rest for sensitive stored data
  • Role-based access controls and least-privilege principles
  • Regular security audits and vulnerability assessments
  • Multi-factor authentication for administrative access
  • Incident response procedures compliant with GDPR Article 33 breach notification

While we take security seriously, no system is completely immune to risks. We encourage users to use strong, unique passwords and report any suspicious activity to security@afsvgroup.com.

Data Retention

We retain personal data for as long as your account is active or as needed to provide the Services. Specifically:

  • Account data — retained for the duration of your active account plus 90 days after closure to support recovery requests.
  • Healthcare operational data — retained per your organization's data processing agreement. Default retention is 24 months unless a longer period is required by applicable law.
  • Usage logs — retained for 12 months for security and performance monitoring purposes.
  • Support communications — retained for 3 years for quality and compliance purposes.

Upon account deletion, we will anonymize or securely delete your personal data within 30 days, except where retention is required by law.

Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights regarding your personal data:

  • Right of Access — Request a copy of the personal data we hold about you.
  • Right to Rectification — Request correction of inaccurate or incomplete data.
  • Right to Erasure — Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
  • Right to Restriction — Request that we limit how we process your data in certain circumstances.
  • Right to Data Portability — Receive your data in a structured, machine-readable format.
  • Right to Object — Object to processing based on legitimate interests.
  • Right to Withdraw Consent — Where processing is consent-based, withdraw at any time without affecting prior lawfulness.

To exercise any of these rights, contact us at privacy@afsvgroup.com. We will respond within one month of receipt of your request, as required by Article 12(3) GDPR, with a possible extension of up to two further months for complex or numerous requests.

Right to Lodge a Complaint — You have the right to lodge a complaint with a supervisory authority. Because our establishment is in Ireland, our lead supervisory authority is the Data Protection Commission (DPC) of Ireland, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland — www.dataprotection.ie. You may also lodge a complaint with the supervisory authority of your Member State of habitual residence (for users resident in Italy, the Garante per la protezione dei dati personali, www.garanteprivacy.it).

Cookies and Tracking

LUMEN uses cookies and similar tracking technologies to operate the platform and improve your experience. We use the following categories:

Essential Cookies

Required for authentication, session management, and core platform functionality. These cannot be disabled.

Analytics Cookies

Used to understand how users interact with the platform so we can improve it. Data is aggregated and anonymized where possible.

Preference Cookies

Store your settings and preferences (e.g., language, theme) across sessions.

You can manage non-essential cookies via your browser settings. Disabling analytics cookies will not affect platform functionality.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Display an in-platform notification for active users
  • Send an email notification to account holders where required by law

Your continued use of the Services after the effective date of a revised policy constitutes your acceptance of the changes. We encourage you to review this page periodically.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection team:

Data Controller: AFSV Consulting Hub Europe Limited

Registered office: 18 Mallow Street Upper, Limerick, Ireland

CRO Number: 805657

Corporation Tax Reference: CT04660543MH

Data Protection Officer: Michela Zaninetti

Privacy contact: privacy@afsvgroup.com

Support: emea.support@afsvgroup.com