Lumiora

Privacy Policy

Last updated: February 2026

1. Introduction

Lumiora (“we”, “us”, “our”) is committed to protecting your privacy and handling your personal data with transparency and care. This Privacy Policy explains what data we collect, how we use it, and what rights you have in relation to it. By using our Service, you agree to the collection and use of information in accordance with this policy.

2. Data We Collect

We collect the following categories of personal data:

  • Account information: your name, email address, and a securely hashed version of your password (we never store your password in plain text).
  • Event data: event names, dates, locations, and configuration settings you create within the Service.
  • Photos and media: images and files you upload to your event galleries.
  • Usage analytics: basic usage data to help us improve the platform, such as feature interactions and error logs.
  • Payment information: billing is handled entirely by Stripe. We do not store your card details; we only receive a customer reference and subscription status from Stripe.

3. How We Use Your Data

We use the data we collect to provide and maintain the Service, process your subscription payments, and send transactional emails (such as account confirmations and password resets). We may also use aggregated, anonymised usage data to improve the platform and fix issues. When you opt into AI features, your photos are processed to generate the AI-enhanced results you requested.

4. Data Storage & Processing

All servers are hosted in the European Union — specifically on DigitalOcean infrastructure in Amsterdam, Netherlands. All data processing, including your database and uploaded files, occurs exclusively within EU data centres. We do not transfer your personal data to countries outside the European Economic Area, except as described in the Third-Party Services section below.

5. AI Processing

When you use AI-powered features, your photos are sent to Google Gemini AI for processing. Google may process this data according to their own privacy policy and terms of service, which we encourage you to review. AI features are entirely optional and are only activated when you explicitly enable them for your event. No photos are ever sent to third-party AI services unless you choose to use AI features.

6. Third-Party Services

We work with the following third-party service providers:

  • Stripe (payments) — US-based, with EU processing capabilities. Stripe is certified to the EU-US Data Privacy Framework.
  • Resend (transactional email) — used to send account and system emails on our behalf.
  • Google Gemini (AI features) — used only when AI features are explicitly enabled by you.
  • DigitalOcean (hosting and file storage) — EU region (Amsterdam, Netherlands) for all infrastructure.

7. Cookies

We use only essential session cookies required for authentication and to keep you logged in. We do not use tracking cookies, advertising cookies, or any third-party cookies for analytics or marketing purposes. You can disable cookies in your browser settings, though this may affect your ability to log in to the Service.

8. Data Retention

We retain your account data for as long as your account is active. Event data and gallery files are subject to the retention limits of your subscription plan. When you delete your account, we will permanently delete all associated personal data within 30 days, unless we are required to retain it for longer by applicable law.

9. Your Rights (GDPR)

As a data subject under the GDPR, you have the following rights:

  • Right to access: request a copy of the personal data we hold about you.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure: request deletion of your personal data (“right to be forgotten”).
  • Right to data portability: receive your data in a structured, machine-readable format.
  • Right to object: object to certain types of processing, including direct marketing.
  • Right to restrict processing: request that we limit how we use your data in certain circumstances.

To exercise any of these rights, please contact us at info@lumiora.app. We will respond within 30 days.

10. Data Security

We take data security seriously. All data is encrypted in transit using TLS. Passwords are stored as secure hashes using bcrypt with an appropriate cost factor. Access to production systems is restricted to authorised personnel only. While we implement these safeguards, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. For material changes, we will notify you via email to the address associated with your account at least 14 days before the changes take effect. The updated policy will always be available at this URL.

12. Contact Us

Lumiora is the data controller responsible for your personal data. If you have any questions, concerns, or requests regarding this Privacy Policy or your data, please contact us at info@lumiora.app.