Privacy Policy
Last Updated: December 3, 2025
Effective Date: December 3, 2025
Version: 1.2.0
At Lumenus, we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our mobile application and services (the "Service").
Our Commitment: We will never sell your personal data to third parties. We collect only the minimum information necessary to provide and improve our Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address (required for authentication and communication)
- Nickname (displayed in the app)
- Profile picture (optional, if you choose to upload one)
1.2 Content Data
When you use the Service, we store:
- Text content you create or upload
- Images you upload
- Audio recordings and their transcriptions
- AI-generated analysis results (summaries, tags, key points)
- Organizational metadata (titles, tags, domains, relationships between content)
1.3 Automatically Collected Information
When you use the Service, we automatically collect:
- Device information: device model, operating system version, unique device identifiers
- Usage data: features used, actions performed, timestamps
- Log data: IP address, access times, error reports
- Performance data: app crashes, loading times, API response metrics
We do NOT collect:
- Precise geolocation data
- Contact lists or address books
- Data from other apps on your device
- Biometric information (fingerprints, facial recognition data)
2. How We Use Your Information
2.1 Service Provision
We use your information to:
- Authenticate your identity and manage your account
- Store and organize your content
- Process your content through AI analysis services
- Synchronize your data across devices
- Provide search and retrieval functionality
2.2 Service Improvement
We may use aggregated, anonymized data to:
- Analyze usage patterns and improve features
- Identify and fix technical issues
- Develop new functionality based on user needs
- Optimize app performance and reliability
2.3 Communication
We may use your email address to send:
- Important service announcements and updates
- Security alerts and account notifications
- Responses to your support requests
- Changes to our Terms of Service or Privacy Policy
We will NOT send:
- Marketing emails or promotional content (unless you explicitly opt-in)
- Third-party advertisements
- Spam or unsolicited communications
2.4 Legal Compliance
We may use or disclose your information when required to:
- Comply with applicable laws, regulations, or court orders
- Protect our rights, property, or safety
- Prevent fraud, security threats, or illegal activities
- Enforce our Terms of Service
3. Third-Party Services and Data Sharing
Important: Lumenus relies on trusted infrastructure and AI partners to deliver the Service. When a feature requires an external provider, we only transmit the minimum data needed, but each partner maintains its own privacy practices as outlined below.
3.1 AI Service Providers
We partner with enterprise AI platforms to transcribe recordings, understand images, and generate structured summaries.
| Service |
Provider |
Purpose |
Data Shared |
| Speech Recognition & Audio Understanding |
Alibaba Cloud Tongyi Qianwen (Singapore region) |
Convert uploaded audio into transcripts and extract key topics |
Audio files and optional language hints |
| Text & Multimodal Analysis |
Google Gemini 2.5 Flash (Vertex AI, Google Cloud) |
Generate summaries, tags, and structured knowledge from text, transcripts, and images |
Text content, AI transcripts, uploaded images |
Third-Party Privacy Policies:
AI Processing Disclosures:
- Providers may retain short-term logs for abuse detection or troubleshooting; their policies govern retention.
- Enterprise contracts require that your prompts are not used to train public models, but we cannot guarantee the actions of third parties.
- If you do not want external AI services to process certain information, please do not upload it to Lumenus.
3.2 Infrastructure, Storage, and Communications
Our production API servers run on self-managed infrastructure hosted in the United States (SpeedyPage VPS). We also depend on the following providers:
- Google Cloud Storage (GCS): Stores uploaded images, audio, and AI outputs. Objects reside in US multi-regional buckets and are encrypted at rest. Access is limited to Lumenus service accounts.
- PostgreSQL Database: Account data lives on encrypted disks attached to our SpeedyPage-managed PostgreSQL cluster. Encrypted TLS connections are enforced.
- Resend (Transactional Email): Sends verification codes and service notices. We share your email address and delivery metadata solely for transactional messaging.
- Cloudflare Email Routing + Gmail: Messages sent to support@lumenus.app pass through Cloudflare’s routing service and are delivered to our Gmail inbox. Email is not an end-to-end encrypted channel; avoid sending highly sensitive data.
Each provider maintains independent SLAs and privacy terms. Outages or breaches affecting these services may impact Lumenus. If a provider incident occurs, your sole remedy is to stop using the Service and notify us at support@lumenus.app.
3.3 No Data Sales
We do NOT:
- Sell your personal information to third parties
- Share your data with advertisers
- Use your content to train our own AI models
- Provide your data to data brokers or analytics companies
4. Data Security
4.1 Security Measures
We implement industry-standard security measures to protect your data:
- Encryption in transit: All data transmitted between your device and our servers uses HTTPS (TLS 1.3)
- Encryption at rest: Data stored in Google Cloud Storage and our managed PostgreSQL cluster is encrypted using AES-256
- Authentication: JWT-based secure authentication with bcrypt password hashing
- Access controls: Role-based access restrictions on our backend systems
- Regular security audits: Periodic review of our security practices
4.2 Security Limitations
No system is 100% secure. Despite our best efforts, we cannot guarantee absolute security against all potential threats, including:
- Sophisticated cyber attacks or zero-day exploits
- Unauthorized access due to compromised credentials
- Network interception by malicious actors
- Hardware or software vulnerabilities beyond our control
You can help protect your account by:
- Using a strong, unique password
- Not sharing your login credentials
- Logging out from shared devices
- Reporting any suspicious activity immediately
5. Data Retention and Deletion
5.1 Active Accounts
We retain your data as long as your account is active to provide the Service. Specifically:
- Account information: Retained while account exists
- Content data: Retained until you manually delete it
- Log data: Retained for 90 days for security and troubleshooting purposes
5.2 Account Deletion
When you delete your account:
- Your account information and content will be permanently deleted within 30 days
- Some data may be retained in backup systems for up to 90 days before permanent deletion
- Anonymized usage data may be retained for analytics purposes
- We may retain certain information if required by law or to resolve disputes
5.3 Inactive Accounts
If you do not log in for 24 months, we may consider your account inactive and send you a notification. If you do not respond within 90 days, we may delete your account and associated data.
6. Your Privacy Rights
6.1 Access and Portability
You have the right to:
- Access your data: View all personal information we hold about you
- Export your data: Download your content in a portable format (JSON/HTML)
- Request a data report: Receive a comprehensive report of data we've collected
6.2 Correction and Deletion
You can:
- Edit your profile: Update your nickname and profile picture anytime
- Delete content: Remove any content you've uploaded
- Delete your account: Permanently remove your account and all associated data
6.3 Withdraw Consent
You can withdraw consent for data processing at any time by:
- Deleting your account (this will stop all data processing)
- Contacting us to request specific data processing restrictions
Note: Withdrawing consent may limit or prevent your ability to use the Service.
6.4 How to Exercise Your Rights
To exercise any of these rights, contact us at:
We will respond to your request within 30 days.
7. Children's Privacy
The Service is not intended for children under 13 years of age (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children.
If we become aware that we have collected personal information from a child under 13 without parental consent, we will take steps to delete that information immediately.
If you believe we have inadvertently collected information from a child, please contact us at support@lumenus.app.
8. Cross-Border Data Transfers
8.1 International Transfers
Your data may be transferred to and stored on servers located outside your country of residence, including:
- United States: SpeedyPage VPS infrastructure (API servers and PostgreSQL database) and Google Cloud Storage/Vertex AI.
- Singapore: Alibaba Cloud Tongyi Qianwen for audio transcription and fallback AI processing, plus regional Google Cloud caching.
- Other regions as needed: Email messages routed through Cloudflare and Gmail follow their respective data center policies.
8.2 Data Protection Measures
When transferring data internationally, we ensure:
- Data is encrypted during transmission and storage
- Third-party providers comply with applicable data protection laws (GDPR, CCPA)
- Standard contractual clauses are in place where required
8.3 China Data Localization
If you are a user in China, please note:
- We currently run Alibaba Cloud Tongyi workloads in Singapore, but Alibaba may route traffic through mainland China data centers if legally required.
- This processing complies with China's Personal Information Protection Law (PIPL) and is limited to transient AI analysis.
- Persistent account data remains on our U.S. infrastructure (SpeedyPage PostgreSQL + Google Cloud Storage).
9. Cookies and Tracking
9.1 Our Practices
Lumenus is a native mobile application and does not use cookies or web tracking technologies for advertising or analytics.
9.2 Authentication Tokens
We use JWT (JSON Web Tokens) stored locally on your device to maintain your login session. These tokens:
- Are stored securely on your device
- Expire after a set period for security
- Are not shared with third parties
- Can be cleared by logging out or deleting the app
9.3 Third-Party Tracking
We do NOT integrate:
- Google Analytics or similar web analytics
- Facebook Pixel or social media tracking
- Advertisement tracking SDKs
- Third-party behavioral analytics tools
10. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You can request details about the personal information we collect, use, and disclose
- Right to Delete: You can request deletion of your personal information
- Right to Opt-Out: We do not sell personal information, so no opt-out is necessary
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
To exercise these rights, contact us at support@lumenus.app.
11. European Privacy Rights (GDPR)
If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):
- Legal Basis: We process your data based on consent, contract performance, and legitimate interests
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate personal data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to certain types of data processing
- Right to Lodge a Complaint: File a complaint with your local data protection authority
To exercise these rights, contact us at support@lumenus.app.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes:
- We will update the "Last Updated" date at the top of this policy
- We will notify you via email or in-app notification at least 30 days before changes take effect
- We will request your renewed consent if required by law
Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Email: support@lumenus.app
(Messages route through Cloudflare Email Routing to our Gmail inbox; avoid sending highly sensitive information over email.)
We will respond to all requests within 30 days.
© 2025 Lumenus. All rights reserved.