Plain-English summary
LumkoMDX builds infrastructure for sovereign healthcare data. Our customers are institutions — hospitals, ministries, research bodies — and the patients whose records they hold never become our customers and never have their identifying information enter our systems.
This policy explains the information we do handle: the operational data we need to run our company, the technical data generated when you visit our marketing site or use our developer tools, and the institutional data our customers process inside the LumkoMDX platform. It also explains the rights you have, and the contact paths for exercising them.
Who we are
LumkoMDX (Pty) Ltd ("LumkoMDX", "we", "us") is incorporated in the Republic of South Africa and operates as the data controller for the website lumkomdx.com, our developer and marketing channels, and the operational systems we use to run the company. Inside customer deployments of the LumkoMDX platform, we act as a data processor or sub-processor on behalf of the institution that runs the deployment.
- Registered office
- Johannesburg, South Africa
- Data protection contact
- dpo@lumkomdx.com
- Information regulator
- South African Information Regulator (POPIA)
What we collect
We deliberately keep the amount of personal data we collect small. There are three categories:
We do not collect special-category personal data (health information about individuals, biometric data, political or religious affiliation) through this website or any LumkoMDX-controlled property. Institutional deployments handle clinical data inside the institution's own boundary; that data is governed by the institution's own privacy policy, not ours.
How we use information
The information above is used for the following purposes, and only these:
- To run our site and developer tools. Authenticate accounts, serve documentation, debug errors, and respond when you ask us a question.
- To improve the platform. Anonymous usage signals help us understand which APIs are used most, where docs need work, and where the platform is slow.
- To meet legal and contractual obligations. Tax invoices, audit reports back to customer institutions, and incident notifications under POPIA, HIPAA, and GDPR where applicable.
- To communicate with you. If you've asked to be contacted, or there is a security or service-critical update we need to share. You can opt out of non-essential email at any time from the link in any email.
We do not sell personal data, ever. We do not train large models on customer data, ever. We do not use customer data for marketing.
Legal basis for processing
Different jurisdictions frame this differently; the substance is the same.
- POPIA (South Africa)
- Consent for marketing communications. Performance of a contract for paid services. Legitimate interest for operational logs and security monitoring.
- GDPR (EU / EEA)
- Articles 6(1)(a), 6(1)(b) and 6(1)(f). For special-category data, Article 9(2)(h) applies inside institutional deployments under the institution's lawful basis — not ours.
- HIPAA (United States)
- Where LumkoMDX is engaged as a Business Associate, processing is governed by the Business Associate Agreement signed with the covered entity.
How long we keep things
- Site analytics
- 26 months, then automatically purged.
- Demo enquiries
- 24 months, unless a contract is signed.
- Account data
- For the life of the account plus 90 days after deletion, except where a longer period is required by law (e.g. financial records: 5 years).
- Operational logs
- 90 days hot, 13 months cold, then purged. Security-incident logs are retained for 24 months.
- Patient data inside customer deployments
- Governed by the customer's retention schedule, not ours. The LumkoMDX platform never holds copies of patient records.
International transfers
Our default position is to keep data in the region of origin. Marketing site data is hosted in South Africa with EU failover. Customer deployments are hosted in the region the customer selects; we will not transfer customer data out of that region without contractual permission.
Where transfers do occur — for example, when an EEA-based customer engages our South African support team — they are governed by Standard Contractual Clauses and the supplementary measures required by recent EDPB guidance.
Your rights
You have the right to:
- Know what personal data we hold about you, and ask for a copy.
- Correct anything that's wrong or out of date.
- Ask us to delete your account and the personal data attached to it, subject to legal retention requirements.
- Object to processing based on our legitimate interest.
- Lodge a complaint with the South African Information Regulator (or your local supervisory authority) if you think we've handled your data incorrectly.
To exercise any of these rights, email dpo@lumkomdx.com. We respond inside 30 days. If you ask us about patient data held by an institution that uses LumkoMDX, we will route your request to that institution — they are the data controller for those records.
Security
Sovereignty is the architecture; security is its enforcement. A summary of our operational security posture:
- All data in transit is encrypted with TLS 1.3.
- All data at rest is encrypted with AES-256, with keys held in HSM-backed key management.
- Access to production systems is gated by hardware-key MFA, role-based access, and time-bounded just-in-time elevation.
- We do quarterly third-party penetration testing and continuous vulnerability scanning.
- Operational logs are signed and immutable; consent verification is enforced at query time, not just at sign-up.
Our full security overview is at security. The architectural detail behind our privacy guarantees lives at trust & architecture.
Children
Our website and developer tools are not directed at children under 18. We do not knowingly collect personal data from minors through any LumkoMDX-controlled property. Where customer institutions process paediatric patient data inside their own deployment, the institution's privacy policy and lawful basis apply, not ours.
Changes to this policy
We will post a new effective date at the top of this page when this policy materially changes, and we will email registered users at least 14 days before the change takes effect. Older versions are kept in our policy archive — email dpo@lumkomdx.com for access.