1. Introduction
Lumoweb ("we", "our", or "us") is a website design and management service headquartered in Toronto, Ontario, Canada. We are committed to protecting the privacy of our clients, prospects, and website visitors in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's Anti-Spam Legislation (CASL), and all applicable provincial privacy laws.
This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and what rights you have regarding your information. By using our services or website at lumoweb.ca, you agree to the terms of this policy.
2. Information We Collect
We collect personal information only for defined, legitimate purposes. The categories of information we may collect include:
2.1 Information you provide directly
- Account & contact information: Name, email address, phone number, business name, mailing address
- Business information: Industry type, business description, logo, photos, service listings, hours of operation, and other content used to build your website
- Communications: Emails, support tickets, chat messages, and revision requests you send to us
- Intake & onboarding responses: Answers to our client questionnaires and design briefs
2.2 Payment information
We use Stripe to process all payments. Lumoweb does not collect, store, or have access to your credit card number, CVV, or banking details. Payment data is handled entirely by Stripe under their own privacy and security policies. We retain records of transaction amounts, dates, and subscription status for billing and accounting purposes.
2.3 Information collected automatically
- Usage data: Pages visited on lumoweb.ca, features accessed in your client portal, time and duration of sessions
- Device & browser data: IP address, browser type and version, operating system, referring URLs
- Cookies and similar technologies: See Section 8 for full details
3. How We Use Your Information
We use personal information only for the purposes for which it was collected or for compatible purposes that a reasonable person would expect. Our primary purposes include:
- Service delivery: Building, hosting, and maintaining your website; providing access to your client portal; responding to support requests and revision notes
- Billing and account management: Processing payments, issuing invoices, managing subscription renewals, and maintaining financial records
- Client communication: Sending approval requests, site-ready notifications, revision confirmations, and support responses – these are transactional messages that do not require separate consent under CASL
- Service improvement: Analyzing aggregated, anonymized usage data to improve our platform and templates
- Marketing communications: With your express consent, sending newsletters, product updates, and promotional offers. You may withdraw consent at any time. See Section 7 (CASL).
- Legal and regulatory compliance: Retaining records as required by applicable law, responding to lawful requests from government authorities
4. Sharing and Disclosure
We do not sell, rent, or trade your personal information to any third party.
We share information only in the following limited circumstances:
4.1 Service providers (processors)
We use trusted third-party service providers to operate our business. These providers act as data processors under our direction and are bound by contractual privacy obligations:
- Stripe – Payment processing (stripe.com/privacy)
- Cloudflare / Vercel – Website hosting, CDN, and DNS management
- Google Analytics – Aggregated usage analytics (analytics data is anonymized)
- Email service provider – Transactional and marketing email delivery
4.2 Legal requirements
We may disclose personal information if required to do so by law, court order, or government authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Lumoweb, our clients, or the public.
4.3 Business transfers
In the event of a merger, acquisition, or sale of all or part of our assets, personal information may be transferred to the successor entity. We will notify affected individuals and provide the opportunity to opt out of any material change in how their data is used.
5. Data Retention
We retain personal information only as long as necessary to fulfil the purposes for which it was collected, or as required by law:
- Active client accounts: For the duration of the service relationship plus 2 years after account closure
- Billing and transaction records: 7 years (as required by the Canada Revenue Agency)
- Support communications: 3 years from the date of last interaction
- Website analytics: 26 months (standard Google Analytics retention)
- Marketing consent records: Duration of consent plus 3 years
- Prospect information (pre-signup): 12 months from initial contact unless a service relationship commences
When personal information is no longer needed, we securely delete or anonymize it in accordance with industry best practices.
6. Your Rights Under PIPEDA
PIPEDA grants you the following rights regarding your personal information held by Lumoweb:
- Right of access: You may request a copy of the personal information we hold about you, and we will respond within 30 days
- Right of correction: If information is inaccurate or incomplete, you may request that we correct it
- Right to withdraw consent: You may withdraw consent to non-essential uses of your information at any time, subject to legal or contractual restrictions. Withdrawal will not affect services that require the information to function
- Right to complain: If you believe we have not complied with PIPEDA, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca
To exercise any of these rights, contact our Privacy Officer at [email protected] or by mail at the address in Section 11.
7. CASL – Marketing Communications
Canada's Anti-Spam Legislation (CASL) governs commercial electronic messages (CEMs) sent to Canadian recipients. We comply with CASL as follows:
- Consent: We send marketing emails only to individuals who have provided express consent, or where implied consent applies (e.g., existing business relationship within the past 2 years)
- Identification: Every email we send clearly identifies Lumoweb as the sender, including our mailing address
- Unsubscribe mechanism: Every marketing email contains a clear, functional unsubscribe link. Opt-out requests are processed within 10 business days
- Transactional messages: Service notifications (site ready, billing receipts, revision confirmations) are not marketing messages and do not require consent under CASL
To unsubscribe from Lumoweb marketing emails, click the unsubscribe link in any email, or contact us at [email protected].
8. Cookies and Tracking Technologies
We use cookies and similar technologies on lumoweb.ca. You can manage your cookie preferences at any time using the cookie consent tool on our website.
| Category | Purpose | Can be declined? | Examples |
|---|---|---|---|
| Essential | Required for the website and client portal to function. Includes session management, authentication, and security tokens. | No – required | Session cookies, CSRF tokens |
| Analytics | Helps us understand how visitors use lumoweb.ca. Data is aggregated and anonymized. | Yes | Google Analytics (_ga, _gid) |
| Marketing | We do not currently use marketing or advertising cookies on lumoweb.ca. | N/A – not used | – |
Cookies set on client websites we build and host are governed by the respective client's privacy policy, not this one.
9. Data Security
We implement industry-standard technical and organizational safeguards to protect your personal information, including:
- TLS/SSL encryption for all data in transit
- Encryption at rest for databases containing personal information
- Role-based access controls limiting staff access to personal data on a need-to-know basis
- Regular security assessments and vulnerability testing
- All service providers are required to maintain equivalent security standards
In the event of a data breach that poses a real risk of significant harm, we will notify affected individuals and the OPC as required by PIPEDA's breach notification provisions (Sections 10.1–10.3 of PIPEDA).
10. Children's Privacy
Lumoweb services are not directed to individuals under the age of 16, and we do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, please contact us at [email protected] and we will promptly delete it.
11. Contact Our Privacy Officer
For all privacy inquiries, requests to exercise your PIPEDA rights, or concerns about our privacy practices, please contact:
Email: [email protected]
Mailing address: Lumoweb, [Street Address], Toronto, Ontario, Canada
Response time: Within 30 days of receipt
If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada: priv.gc.ca or 1-800-282-1376.
1. Our Commitment
Lumoweb is committed to providing accessible digital experiences for all users, including people with disabilities. This applies to:
- The Lumoweb marketing website (lumoweb.ca)
- The Lumoweb client portal
- All client websites built and hosted by Lumoweb
We design and build all web content to conform with the Web Content Accessibility Guidelines (WCAG) 2.0, Level AA, as required by the Accessibility for Ontarians with Disabilities Act (AODA), Integrated Accessibility Standards Regulation (IASR) – Web Standards (O. Reg. 191/11).
2. Technical Standards
Our accessibility implementation is guided by the following standards and guidelines:
- WCAG 2.0 Level AA – Primary conformance target (as required by AODA IASR)
- AODA IASR Web Standards – Ontario Regulation 191/11, Part II, Web Content Accessibility
- WAI-ARIA 1.1 – Used to enhance semantic structure and assistive technology compatibility
- HTML5 semantic elements – Proper use of landmark regions, headings, lists, and form controls
All Lumoweb-built websites include the following accessibility features as standard:
| Feature | Implementation | WCAG Criterion |
|---|---|---|
| Skip navigation link | Visible on keyboard focus at top of every page | 2.4.1 – Bypass Blocks |
| Language attribute | lang="en" on all <html> elements | 3.1.1 – Language of Page |
| Descriptive page titles | Unique, descriptive <title> on every page | 2.4.2 – Page Titled |
| Heading hierarchy | Single H1 per page, logical H2–H3 structure | 1.3.1 – Info and Relationships |
| ARIA landmark roles | banner, main, navigation, contentinfo on all pages | 1.3.1 – Info and Relationships |
| Keyboard navigation | All interactive elements reachable and operable via Tab/Enter/Space | 2.1.1 – Keyboard |
| Visible focus indicators | High-contrast :focus-visible outlines on all interactive elements | 2.4.7 – Focus Visible |
| Colour contrast (body text) | Minimum 4.5:1 for normal text, 3:1 for large text (18pt+) | 1.4.3 – Contrast (Minimum) |
| Alt text for images | Meaningful alt text on informational images; alt="" on decorative images | 1.1.1 – Non-text Content |
| Form labels | All form inputs have associated <label> elements | 1.3.1, 3.3.2 – Labels |
| Error identification | Form validation errors identified by text, not colour alone | 3.3.1 – Error Identification |
| Link purpose | Descriptive link text; no "click here" or "read more" without context | 2.4.4 – Link Purpose |
| Cookie consent | PIPEDA-compliant banner with accept/decline before non-essential cookies set | Best practice / PIPEDA |
| Privacy policy link | Linked from every page footer | Best practice / PIPEDA |
3. Known Issues & Remediation
| Issue | Affects | WCAG | Priority |
|---|---|---|---|
| Decorative colour swatches in admin panel lack aria-hidden | Admin portal only | 1.1.1 | Medium |
| --text3 colour (#92a898) fails 4.5:1 when used on light cream background for small text | All client templates | 1.4.3 | High – in remediation |
| --gold (#c8943a) fails 4.5:1 on cream/white backgrounds at 12px (section labels) | All client templates | 1.4.3 | High – in remediation |
| Emoji used as informational icons in some templates without text alternatives | Select client templates | 1.1.1 | Medium |
| Mobile hamburger menu button lacks accessible label in some templates | Mobile viewport | 4.1.2 | Medium |
| Gallery grid items have no keyboard-accessible expansion | Templates with galleries | 2.1.1 | Medium |
4. Feedback & Accessibility Support
We welcome feedback on the accessibility of our websites. If you encounter a barrier or have difficulty accessing any content, please let us know:
Email: [email protected]
We aim to respond to all accessibility feedback within 5 business days.
For clients whose sites are hosted by Lumoweb: if a visitor reports an accessibility issue with your site, forward the report to us and we will remediate it as part of your active plan.
If you are a client and your website visitors require content in an alternative format (e.g., plain text, large print, or audio description), we can provide this on request. Contact your Lumoweb account manager or email [email protected].
5. Assessment & Review
Lumoweb assesses the accessibility of our web content through the following approaches:
- Self-evaluation: All new templates and features are reviewed against the WCAG 2.0 Level AA checklist before deployment
- Automated testing: axe-core accessibility engine integrated into our build pipeline
- Manual keyboard testing: All user flows tested with keyboard-only navigation
- Screen reader testing: Key flows tested with NVDA (Windows) and VoiceOver (macOS/iOS)
- Colour contrast verification: All colour pairings verified with WCAG contrast ratio calculator
This statement was last reviewed on April 9, 2026. We review and update this statement at minimum once per year, or whenever material changes are made to our web properties.
6. AODA Compliance – Required Developer Patches
The following code must be included in every Lumoweb-built client site. This section serves as the internal implementation reference.