# LumisCare Privacy Terms Readiness Options — 2026-05-24

Date: 2026-05-24
Status: implementation drafted after CEO direction on 2026-05-24; final legal review is still recommended before treating the pages as a full SaaS legal package.

## Current live gap

`landing/index.html` footer currently renders:

- `Privacy` with `href="#"`
- `Terms` with `href="#"`
- `Contact` with `mailto:hello@lumiscare.com`

The mailto contact has been verified separately, but Privacy/Terms remain unresolved public-readiness blockers: the public landing page promotes care-management software, and the repo documentation references regulated healthcare/care contexts, so dead legal links are not acceptable for launch.

## Existing product/compliance context found in repo

Relevant repo context to review before approving legal pages:

- `docs/FAMILY-PORTAL-INDUSTRY-GUIDE.md` references UK care/CQC/GDPR-oriented family portal expectations.
- `docs/INFRASTRUCTURE-DOCUMENTATION-REVIEW.md` flags US healthcare/HIPAA documentation as a critical gap.
- `docs/design/SAFETY-COMPLIANCE-FEATURES-DESIGN.md` references GDPR/CCPA/HIPAA considerations for safety/compliance features.
- `docs/design/MEDICATION-VITALS-DESIGN.md` references HIPAA Security Rule considerations.

These docs are product/engineering context only; they do not constitute approved public legal policy.

## Decisions required before publishing final legal pages

1. **Legal entity/controller**
   - Which company is the contracting/provider entity for LumisCare?
   - Registered address and contact email for privacy requests.

2. **Geography and market scope**
   - UK only, US only, EU/EEA, Norway, or multi-region?
   - Whether public copy should mention CQC/DSCR/HIPAA/GDPR commitments now or only after compliance sign-off.

3. **Data roles**
   - Is LumisCare a processor/vendor for agencies, a controller for demo leads, or both?
   - Are family/care-recipient data flows live today or only planned?

4. **Data collected by the landing page**
   - Current landing CTA uses mailto, not a web form.
   - Confirm whether analytics, cookies, Application Insights, CRM ingestion, or tracking pixels are enabled on the public landing page; the privacy notice must match what is actually loaded.

5. **Healthcare/sensitive data posture**
   - Confirm whether visitors should be warned not to send patient/PHI/sensitive care data via email demo contact.
   - Confirm breach/contact escalation wording.

6. **Terms scope**
   - Public marketing-site Terms only, or SaaS subscription Terms as well?
   - If SaaS Terms: pricing, trial, cancellation, acceptable use, support SLA, liability limits, DPA/BAA references need legal approval.

## Safe implementation options

### Option A — Minimal blocker acknowledgement, no public legal pages yet

Keep Privacy/Terms as known blockers in readiness docs. Do not claim full public readiness.

Pros:
- No fabricated legal policy.
- Lowest legal risk.

Cons:
- Live footer has dead `href="#"` links.
- Not ideal for public launch/trust.

### Option B — Publish “review pending” placeholder pages

Create `/privacy.html` and `/terms.html` that clearly state legal documents are pending review and provide `hello@lumiscare.com` contact.

Pros:
- Removes dead links.
- Honest about status.

Cons:
- Placeholder legal pages may still look unprofessional.
- Does not satisfy full compliance/legal-readiness.

### Option C — Publish approved marketing-site Privacy/Terms only

Legal/CEO approves narrow pages covering:
- demo/contact email handling,
- no patient data via email,
- either a statement that no cookies/analytics are used, or an explicit cookie disclosure if any are present,
- controller/contact details,
- user rights by target geography,
- marketing site usage terms.

Pros:
- Best near-term public landing readiness.
- Avoids premature SaaS/PHI commitments.

Cons:
- Requires legal/entity decisions above.

### Option D — Publish full SaaS Privacy, Terms, DPA/BAA package

Full legal suite for production SaaS and regulated healthcare data.

Pros:
- Best long-term enterprise readiness.

Cons:
- Highest legal workload.
- Should not be generated or published without legal review.

## CEO direction received 2026-05-24

- Responsible legal/operator entity for LumisCare public site: Snowit.
- Market posture: EU-first and US-aware.
- Option C approved: narrow marketing-site Privacy/Terms first.
- Footer links may be updated to `/privacy.html` and `/terms.html` after pages are added.

## Implemented draft

Implemented narrow marketing-site pages:

- `landing/privacy.html`
- `landing/terms.html`

The pages intentionally do not claim to be a full SaaS legal package, DPA, BAA, or customer contract. They cover the public marketing website and demo enquiries, and warn visitors not to send patient/care-recipient/PHI/sensitive care data by email.

Remaining legal hardening recommended later:

1. Confirm exact registered Snowit legal name, registration number, and address for formal insertion.
2. Confirm cookie/analytics status if tracking is added later.
3. Add full SaaS Terms, DPA, and BAA package before regulated production customer onboarding.


---

## Deployment verification summary: PR #2 legal pages deploy

Date: 2026-05-24 UTC

## Merge/deploy

- PR #2: https://github.com/johnatbasicas/vivacare/pull/2
- Merge commit: `ce71a014803d9de18227989c8e57d31155812dce`
- GitHub Actions run: https://github.com/johnatbasicas/vivacare/actions/runs/26372435887
- Workflow conclusion: `success`
- Jobs passed:
  - Deploy: landing (lumiscare.com)
  - Deploy: backoffice (app.lumiscare.com)
  - Deploy: admin (admin.lumiscare.com)
  - Deploy: family-portal (family.lumiscare.com)
  - Smoke Test: verify all portals

Evidence:
- `/tmp/alai/lumiscare-legal-live-verify-20260524T205500Z/gh-run-view-26372435887-final.json`
- `/tmp/alai/lumiscare-live-verify-20260524T195900Z/gh-run-watch-26372435887.txt`

## Live browser verification

Verdict: `PASS`

Verified on `https://lumiscare.com`:

- `/` returns HTTP/browser 200.
- `/privacy.html` returns HTTP/browser 200.
- `/terms.html` returns HTTP/browser 200.
- Footer links point to `/privacy.html` and `/terms.html`.
- No remaining `href="#"` links on landing.
- No browser page errors detected.
- The previously noted Tailwind CDN/config runtime issue is still absent (did not reproduce).
- Live page hashes match `origin/full-production` for landing, privacy, and terms pages.
- Screenshots captured for all three pages.

Evidence:
- `/tmp/alai/lumiscare-legal-live-verify-20260524T205500Z/live-legal-browser-verification.json`
- `/tmp/alai/lumiscare-legal-live-verify-20260524T205500Z/live-home.png`
- `/tmp/alai/lumiscare-legal-live-verify-20260524T205500Z/live-privacy.png`
- `/tmp/alai/lumiscare-legal-live-verify-20260524T205500Z/live-terms.png`
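The structural checks listed above (no remaining `href="#"` anchors, footer links pointing at `/privacy.html` and `/terms.html`, live content hash matching the committed page) are easy to re-run without a browser. The script below is an added example, not the project's verification script or any file referenced in the evidence paths; it assumes the footer is a `<footer>` element and that the link text `Privacy`/`Terms`/`Contact` identifies the legal links, and the two HTML samples are constructed here to model the before/after footer state the page describes.

```python
"""Added example (not the project's own tooling): offline version of the
landing-page legal-link checks. Assumptions: the footer is a <footer> element
and link text identifies the legal links; the HTML samples are constructed."""
import hashlib
from html.parser import HTMLParser

# href values that render a clickable link which goes nowhere
DEAD_HREFS = {"", "#"}

EXPECTED_FOOTER = {
    "Privacy": "/privacy.html",
    "Terms": "/terms.html",
    "Contact": "mailto:hello@lumiscare.com",
}

# Constructed sample: the footer state described as the live gap.
BEFORE_HTML = """<html><body>
<main><a href="mailto:hello@lumiscare.com">Book a demo</a></main>
<footer>
  <a href="#">Privacy</a> | <a href="#">Terms</a> |
  <a href="mailto:hello@lumiscare.com">Contact</a>
</footer></body></html>"""

# Constructed sample: the footer after the legal pages were added.
AFTER_HTML = (BEFORE_HTML
              .replace('href="#">Privacy', 'href="/privacy.html">Privacy')
              .replace('href="#">Terms', 'href="/terms.html">Terms'))


class _AnchorCollector(HTMLParser):
    """Collects (text, href, inside_footer) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self._footer_depth = 0
        self._current = None  # [href, in_footer, text_parts] while inside <a>
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "footer":
            self._footer_depth += 1
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            self._current = [href.strip(), self._footer_depth > 0, []]

    def handle_data(self, data):
        if self._current is not None:
            self._current[2].append(data)

    def handle_endtag(self, tag):
        if tag == "footer" and self._footer_depth:
            self._footer_depth -= 1
        elif tag == "a" and self._current is not None:
            href, in_footer, parts = self._current
            self.anchors.append(("".join(parts).strip(), href, in_footer))
            self._current = None


def collect_anchors(html):
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.anchors


def dead_anchors(html):
    """(text, href) for anchors that go nowhere: href="#", empty, or javascript:."""
    return [(t, h) for t, h, _ in collect_anchors(html)
            if h in DEAD_HREFS or h.lower().startswith("javascript:")]


def footer_links(html):
    """Map footer link text -> href."""
    return {t: h for t, h, in_footer in collect_anchors(html) if in_footer}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_landing(html, expected_footer, committed_bytes=None):
    """Run the structural checks; 'ok' is True only when every check passes.
    committed_bytes, when given, is the page content from the deploy branch;
    the live body must hash to the same value (catches stale or altered deploys)."""
    problems = []
    dead = dead_anchors(html)
    if dead:
        problems.append(f"dead anchors: {dead}")
    links = footer_links(html)
    for text, href in expected_footer.items():
        if links.get(text) != href:
            problems.append(f"footer {text!r} -> {links.get(text)!r}, expected {href!r}")
    report = {"problems": problems, "footer": links}
    if committed_bytes is not None:
        live_hash = sha256_hex(html.encode("utf-8"))
        repo_hash = sha256_hex(committed_bytes)
        report["hash_match"] = live_hash == repo_hash
        if not report["hash_match"]:
            problems.append(f"hash mismatch: live {live_hash[:12]} != committed {repo_hash[:12]}")
    report["ok"] = not problems
    return report


if __name__ == "__main__":
    for label, doc in (("before", BEFORE_HTML), ("after", AFTER_HTML)):
        print(label, verify_landing(doc, EXPECTED_FOOTER, AFTER_HTML.encode("utf-8")))
```

In practice the `html` argument is the body fetched from `https://lumiscare.com/` and `committed_bytes` is the corresponding file read from the deploy branch. A bare HTTP 200 is weak evidence on its own, since many static hosts serve a fallback page with status 200 for unknown paths; the hash comparison against the committed file is what shows the intended content was actually deployed.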

## Scope note

The published pages are narrow marketing-site Privacy Notice and Website Terms for demo/contact enquiries. They are not a full SaaS legal package, DPA, BAA, or regulated production customer contract set.