Lumiora

Privacy Policy

Last updated: April 2026

1. Who We Are

Lumiora is a brand of Tecdam Innovations SLU, a company registered in Valencia, Spain, with CIF ESB01742139. When this policy refers to “Lumiora”, “we”, “us”, or “our”, it refers to Tecdam Innovations SLU as the data controller.

We are committed to protecting your privacy and handling your personal data with transparency and care. This Privacy Policy explains what data we collect, how we use it, the legal basis for that processing, and what rights you have under the General Data Protection Regulation (GDPR) and applicable Spanish and EU data protection law.

By using the Service, you acknowledge that you have read and understood this policy.

2. Data We Collect

We collect the following categories of personal data:

  • Account information: your name, email address, and a securely hashed version of your password. We never store your password in plain text.
  • Profile information: optional details such as your company name and phone number, which you may provide in your account settings.
  • Event data: event names, dates, locations, and configuration settings you create within the Service.
  • Photos and media: images, videos, and other files you upload to your event galleries.
  • Payment information: billing is processed entirely by Stripe. We do not store your card details; we only receive a customer reference and subscription status from Stripe. Purchases made via Apple In-App Purchase are processed by Apple according to their own terms.
  • Technical data: IP address, browser type, and error logs collected for security and service reliability purposes.

3. Legal Basis for Processing

Under the GDPR, we process your personal data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)): processing your account information, event data, and payment details is necessary to provide the Service you have subscribed to.
  • Legitimate interests (Art. 6(1)(f)): we process technical data such as error logs and IP addresses to maintain the security and reliability of the Service.
  • Consent (Art. 6(1)(a)): where you have opted into optional features such as AI processing or analytics cookies, we process your data on the basis of your explicit consent. You may withdraw your consent at any time.
  • Legal obligation (Art. 6(1)(c)): we may retain certain data where required by applicable law, such as invoicing and tax records.

4. How We Use Your Data

We use the data we collect to:

  • Create and maintain your account and provide the Service.
  • Process subscription payments and manage your billing relationship.
  • Send transactional emails, such as account confirmations, password resets, and subscription notifications.
  • Respond to support requests sent to support@lumiora.app.
  • Detect and prevent fraud, abuse, or security incidents.
  • Improve the platform using aggregated, anonymised usage data.
  • When you explicitly enable AI features, process your photos to generate AI-enhanced results.

We do not sell your personal data to third parties, and we do not use it for direct marketing without your prior consent.

5. Data Storage & Processing Location

All primary servers are hosted within the European Union — specifically on DigitalOcean infrastructure in Amsterdam, Netherlands. Your database and uploaded files are stored exclusively within EU data centres.

Certain third-party service providers (listed in Section 6) may process data outside the EEA. Where this occurs, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or participation in the EU-US Data Privacy Framework.

6. AI Processing

When you use AI-powered features, your photos are sent to Google Gemini AI for processing. Google processes this data according to their own privacy policy and terms of service, which we encourage you to review. AI features are entirely optional and only activated when you explicitly enable them for an event. No photos are ever sent to third-party AI services without your deliberate action.

7. Third-Party Service Providers

We work with the following sub-processors to deliver the Service:

  • Stripe (payment processing) — US-based, certified to the EU-US Data Privacy Framework, with EU processing capabilities.
  • Apple (iOS in-app purchases) — processes payments for subscriptions purchased through the App Store.
  • Resend (transactional email) — used to deliver account and system emails on our behalf.
  • Google Gemini (AI image processing) — only used when AI features are explicitly enabled by you.
  • DigitalOcean (cloud hosting and file storage) — EU region (Amsterdam, Netherlands) for all infrastructure and stored files.

Each of these providers is bound by data processing agreements and is only permitted to process your data for the purposes we have specified.

8. Cookies

We use essential session cookies required for authentication and to keep you logged in. We do not use advertising cookies or any third-party cookies for marketing purposes.

With your consent, we also use Google Analytics cookies to collect anonymous usage data such as page views, visit duration, and general traffic patterns. This helps us understand how the Service is used and how we can improve it. Google Analytics data is aggregated and does not personally identify you.

When you first visit our site, a cookie consent banner will ask for your permission before any analytics cookies are set. You can accept or decline at any time. If you wish to reset your preference, clearing your browser's site data will cause the consent banner to appear again on your next visit.

You can also disable cookies entirely in your browser settings, though this may affect your ability to log in to the Service.

9. Data Retention

We retain your account data for as long as your account is active. Event data and gallery files are subject to the retention limits of your subscription plan. When you delete your account, all associated personal data is permanently deleted within 30 days, unless we are required to retain it for longer by applicable law (for example, invoicing records may be retained for the period required by Spanish tax law).

10. Your Rights (GDPR)

As a data subject under the GDPR, you have the following rights:

  • Right to access: request a copy of the personal data we hold about you.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure: request deletion of your personal data (“right to be forgotten”).
  • Right to data portability: receive your data in a structured, machine-readable format.
  • Right to object: object to certain types of processing, including direct marketing.
  • Right to restrict processing: request that we limit how we use your data in certain circumstances.
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at info@lumiora.app. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Spanish data protection authority (Agencia Española de Protección de Datos — AEPD, www.aepd.es) or the supervisory authority in your country of residence.

11. Data Security

We take data security seriously. All data is encrypted in transit using TLS 1.2 or higher. Passwords are stored as secure hashes using bcrypt with an appropriate cost factor. File storage uses server-side encryption at rest. Access to production systems is restricted to authorised personnel only.

While we implement these safeguards, no method of transmission over the internet is 100% secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay as required by the GDPR.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. For material changes, we will notify you via email to the address associated with your account at least 14 days before the changes take effect. The updated policy will always be available at this URL. The date at the top of this page indicates when it was last revised.

13. Contact & Data Controller

The data controller responsible for your personal data is:

Tecdam Innovations SLU
Trading as Lumiora
CIF: ESB01742139
Registered in Valencia, Spain
Email: info@lumiora.app

For support-related queries, you may also reach us at support@lumiora.app.