Privacy Policy

Last updated: 2025-11-21

This Privacy Policy explains how Lumentir (“Lumentir”, “we”, “our”, “us”, “Company”) collects, uses, stores, discloses, and protects personal data when you use our Service. We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and all applicable European and national privacy laws.

By using our Service, you acknowledge that you have read and understood this Privacy Policy.

1. Who We Are (Data Controller)

• Lumentir
• Address: Verdunplein 17, Unit C2671, 5627 SZ Eindhoven, The Netherlands
• Email: [email protected]
• Data Protection Officer (DPO): Yes — reachable via [email protected]
• Lumentir is the data controller for all processing activities described in this Privacy Policy.

2. Personal Data We Collect

We only collect the data necessary to operate and secure our Service. We process the following categories of personal data:

• 2.1 Account Information
  • Email address
  • Password (hashed)
  • Name
• 2.2 User-Generated Content
  • Prompts you enter into our platform
  • Website URLs you provide for analysis
  • AI-generated output (stored for 3 months unless required otherwise)
• 2.3 Technical & Log Data
  • IP address
  • Timestamp of requests
  • Browser and device information
  • Diagnostic, performance, and error logs
• 2.4 Payment & Billing
  We do not process payment details directly. All payment information is processed exclusively by Stripe.
• 2.5 Cookies and Tracking
  • Google Analytics 4 (GA4)
  • Marketing cookies (if consented)
  • Tracking pixels (if enabled by user consent)
  A detailed cookie notice is provided in our Cookie Policy.

3. Legal Bases for Processing

We process personal data under the following legal bases:

• Contractual necessity (GDPR Art. 6(1)(b)) — Account creation, delivering the Service, operational logs.
• Legitimate interest (GDPR Art. 6(1)(f)) — Security, fraud detection, Service improvement, preventing abuse.
• Legal obligation (GDPR Art. 6(1)(c)) — Financial administration and mandatory tax compliance (7 years).
• Consent (GDPR Art. 6(1)(a)) — Analytics cookies, marketing cookies, certain tracking technologies.

We do not use AI analysis or prompts processing as a separate purpose because it is necessary to deliver the Service requested by the user (contractual necessity).

4. Purposes of Processing

• Managing user accounts and authentication
• Operating and maintaining the Service
• Handling customer support requests
• Improving functionality, stability, and security
• Conducting analytics (GA4)
• Sending transactional emails
• Billing and subscription management through Stripe
• Maintaining accurate financial/administrative records (legal obligation)
• Fraud prevention and platform abuse detection

We do not use your personal data to train AI models.

5. AI Processing & User Prompts

5.1 Data Sent to AI Providers
To analyze AI responses, we use:

• OpenAI — via API

Only the minimum required data is submitted.

5.2 AI Output Storage
AI-generated responses are stored for 3 months by default. Users may delete content earlier via their account or request deletion.

6. Sub-processors and Third-Party Services

We use the following sub-processors:

Cloud Infrastructure & Hosting

• AWS
• Cloudflare

AI Services

• OpenAI
• DataForSEO

Payments

• Stripe

Email

• Google Workspace

Analytics & Tracking

• Google Analytics 4 (GA4)
• Smilejet (contact & feedback forms, session recordings & UX detection)

All sub-processors operate under GDPR-compliant DPAs.

7. International Data Transfers

Some sub-processors are outside the EEA. To ensure GDPR compliance:

• 7.1 Standard Contractual Clauses (SCCs) — All transfers rely on EU-approved SCCs.
• 7.2 Transfer Impact Assessments (TIAs) — Conducted for all US-based providers.
• 7.3 Supplemental Technical Measures
  • Encryption at rest & in transit
  • Restricted access controls
  • Pseudonymization where possible
  • EU data residency when supported

8. Data Retention (default)

• AI outputs: 3 months
• Logs: up to 12 months
• Account data: kept until deletion
• Financial data: 7 years
• Support emails: up to 12 months after resolution

Users may request deletion at any time.

9. Data Security

We implement strong technical and organizational measures:

• Encryption (at rest & in transit)
• Network isolation
• Firewall and DDoS protection
• Secure password hashing
• Access controls and logging
• Regular vulnerability assessments
• Principle of least privilege

No system can guarantee absolute security.

10. Your Rights Under GDPR

• Right of access
• Right to rectification
• Right to erasure
• Right to restriction
• Right to data portability
• Right to object
• Right to withdraw consent
• Right not to be subject to automated decision-making (not applicable)

Requests: [email protected]
Max. response time: 30 days (extendable to 90 days).

11. Children's Privacy

• The Service is not intended for individuals under 18.
• We do not knowingly collect data from minors.
• Any such data discovered will be deleted immediately.

12. Sharing of Personal Data

We do not sell personal data.

We only share with:

• Sub-processors listed above
• Regulators when legally required
• Stripe for payments
• Professional advisors (legal, accounting)

13. Cookies and Tracking Technologies

We use cookies for:

• Essential functionality
• Analytics (GA4)
• Performance monitoring
• Marketing (only with consent)

Cookie preferences can be managed via the cookie banner.

14. Automated Decision-Making

• We do not use automated decision-making with legal or significant effects.

15. Changes to This Privacy Policy

• We may update this Policy as needed.
• Significant changes will be announced with reasonable notice.

16. Contact Us

• Email: [email protected]
• You may lodge a complaint with your national data protection authority.