Trust & Transparency

Privacy policy

This policy explains what personal data Lumora collects when you use our website and journals, why we collect it, how long we keep it, who we share it with, and the rights you have over it.

The short version. We collect only what we need to run a scholarly publisher: your account details, your submissions, and minimal, privacy-preserving usage statistics. We use no advertising trackers, our analytics store only hashed IP addresses, and we never sell personal data. We comply with the Saudi Personal Data Protection Law (PDPL) and follow GDPR principles.

Who we are

Lumora is a scholarly open-access publisher based in Riyadh, Saudi Arabia, registered with the Saudi Ministry of Media. Lumora is the controller of the personal data described in this policy. For any privacy question or request, contact Support@lumora.sa — we respond within 24 hours.

What data we collect

Account data

When you create a Lumora account, our authentication provider (Supabase) processes your name, email address, and encrypted credentials. We use this to sign you in, secure your account, and connect you to your submissions.

Submission and editorial data

When you submit a manuscript, act as a reviewer, or serve as an editor, our journal management system (built on Open Journal Systems, OJS) processes the data needed for editorial work: names, email addresses, affiliations, ORCID iDs, manuscript files, cover letters, review reports, editorial correspondence, and declarations (such as conflicts of interest and funding). Published articles include the author information the authors themselves provide for publication.

Usage data (analytics)

We run first-party, privacy-preserving analytics to understand how the site is used. This records the page visited, referrer, language, approximate screen size, and time zone. IP addresses are stored only in hashed (one-way, irreversible) form and are never stored raw. We do not build individual visitor profiles, we do not track you across other websites, and we use no third-party analytics or advertising networks.

Newsletter data

If you subscribe to our newsletter, we store your email address with our email service provider (Brevo) and use it only to send you the newsletter you asked for. Every issue contains a one-click unsubscribe link.

Correspondence

When you email us, we keep the correspondence (processed through Google Workspace) for as long as needed to handle your inquiry and maintain a record of editorial and support decisions.

Why we process your data, and on what basis

  • Operating your account and processing submissions — performance of our agreement with you (PDPL: processing necessary for a contract; GDPR principle: contractual necessity).
  • Peer review, editorial decisions, and preservation of the scholarly record — our legitimate interests in operating credible journals, and compliance with publishing-ethics obligations. The integrity of the published record means author names on published articles are retained permanently.
  • Newsletter — your consent, which you can withdraw at any time by unsubscribing.
  • Analytics and site security — our legitimate interest in understanding aggregate usage and keeping the site secure, implemented in the least intrusive way we could design (hashed IPs, no cross-site tracking).
  • Legal obligations — where Saudi law or another applicable law requires us to retain or disclose information.

Cookies

We use session cookies only — the minimum needed to keep you signed in and secure while you use your account. We set no advertising or cross-site tracking cookies, and our analytics work without tracking cookies. Because we use only strictly necessary cookies, no cookie consent banner is required; if that ever changes, this policy and the site will be updated first.

Who we share data with

We never sell personal data. We share it only with the service providers that make the site work, each bound by contractual data-protection terms:

  • Supabase — account authentication and user database.
  • Brevo — newsletter delivery (email address only).
  • Google Workspace — email hosting for editorial and support correspondence.

Editorial data is shared within the review process itself as our Peer Review Policy describes — for example, anonymized manuscripts are sent to reviewers. We may also disclose data where required by law or to investigate misconduct under our Publication Ethics policy. Some providers process data outside Saudi Arabia; where they do, we rely on their contractual safeguards and transfer data in accordance with the PDPL's cross-border transfer provisions.

How long we keep data

  • Account data: for as long as your account exists. You may request deletion at any time.
  • Submission and editorial records: retained for the life of the journal, because the integrity of the scholarly record depends on being able to verify who submitted, reviewed, and decided what. Rejected-manuscript files are retained only as long as needed for editorial record-keeping and any appeal or ethics process.
  • Published articles: permanent — author names and affiliations on published work are part of the scholarly record and are preserved under our Archiving Policy.
  • Analytics data: aggregate statistics are kept indefinitely; they contain no raw identifiers.
  • Newsletter emails: until you unsubscribe or ask us to delete them.

Your rights

Under the Saudi PDPL — and consistent with GDPR principles for our international users — you have the right to:

  • Know what personal data we hold about you and how we process it;
  • Access and obtain a copy of your data;
  • Correct inaccurate or incomplete data;
  • Delete your data, subject to the scholarly-record and legal-retention limits described above;
  • Withdraw consent where processing is based on consent (for example, the newsletter);
  • Object to processing based on legitimate interests, which we will honor unless publishing-integrity or legal obligations prevail.

To exercise any of these rights, email Support@lumora.sa from the address associated with your account. We respond within 24 hours and resolve requests without undue delay. If you believe we have not handled your data lawfully, you may lodge a complaint with the Saudi Data & AI Authority (SDAIA) or your local data protection authority.

Security

We protect personal data with encryption in transit, encrypted credential storage, access controls that limit editorial data to those who need it, and reputable infrastructure providers. No system is perfectly secure; if a breach ever puts your rights at risk, we will notify the competent authority and affected users as the PDPL requires.

Children

Our services are directed at researchers and professionals. We do not knowingly collect personal data from children; if you believe a child has provided us data, contact us and we will delete it.

Changes to this policy

If we materially change how we handle personal data, we will update this page and revise the date below before the change takes effect. Continued use of the site after an update constitutes acceptance of the revised policy.

Last updated: July 2026 · Related: Publication Ethics, Peer Review Policy, Archiving Policy, All Policies