Privacy Policy

LumaSR (“LumaSR,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy explains our practices regarding information that identifies or can reasonably be associated with you (“personal information”) when you access or use the Services.

By using the Services, you acknowledge that you have read this Privacy Policy. If you do not agree, please discontinue use of the Services.

We may update this policy from time to time. We will post the revised version on this page and revise the “Effective date” above. Material changes may be communicated through the Services or by email where appropriate.

• Account means the registered profile you create to access certain features.
• Device information includes technical data sent by your browser or app (such as IP address, device type, operating system, and approximate location derived from IP).
• Usage data means information about how you interact with the Services (for example, pages viewed, features used, timestamps, and diagnostic logs).

We collect information in the following categories, depending on how you use the Services:

• Account and profile data. Name, email address, authentication identifiers (including when you sign in with a third-party provider such as Google), profile preferences, subscription or plan status, and similar account fields you provide or we receive from your identity provider.
• Learning activity. Study progress, decks, reviews, statistics, notes, flags, and other content you create or generate while using the Services.
• Usage and analytics. Events and metrics that help us understand product performance, reliability, and aggregate usage patterns.
• Communications and support. Messages you send to us (for example, support requests) and related metadata.
• Cookies and similar technologies. We and our service providers may use cookies, local storage, and similar technologies for authentication, security, preferences, and analytics as described in this policy.

We do not require you to provide sensitive categories of personal information (such as health data) to use core learning features. Please do not upload such information unless a feature explicitly calls for it and you choose to provide it.

We use personal information for purposes including:

• Providing, operating, and improving the Services;
• Creating and maintaining your Account and authenticating access;
• Personalizing content, recommendations, and study workflows;
• Processing transactions, subscriptions, and billing where applicable;
• Communicating with you about the Services, security alerts, and policy updates;
• Detecting, preventing, and responding to fraud, abuse, and security incidents;
• Complying with legal obligations and enforcing our terms and policies;
• Conducting research and analytics in aggregated or de-identified form where permitted.

Where the GDPR or UK GDPR applies, we rely on one or more of the following legal bases:

• Contract — to perform our agreement with you and deliver the Services you request;
• Legitimate interests — to secure and improve the Services, understand usage in aggregate, and communicate operational messages, balanced against your rights;
• Consent — where we ask for consent (for example, certain cookies or marketing), you may withdraw consent at any time without affecting prior processing;
• Legal obligation — where processing is necessary to comply with applicable law.

We do not sell your personal information. We may share information with:

• Infrastructure providers (for example, cloud hosting and database services) that process data on our behalf under contractual safeguards and instructions;
• Authentication providers when you choose to sign in through a third party (subject to that provider's policies);
• Payment processors if you purchase a paid plan, to the extent needed to complete transactions;
• Professional advisors (such as auditors or counsel) where bound by confidentiality; and
• Authorities when required by law, legal process, or to protect the rights, safety, and security of users, LumaSR, or the public.

Our Services may use Supabase or comparable providers for authentication and data storage. Their processing is governed by our agreements with them and their publicly available documentation and terms.

We may process and store information in the United States and other countries where we or our subprocessors operate. Where required, we implement appropriate safeguards (such as standard contractual clauses approved by regulators) for transfers from the EEA, UK, or Switzerland.

We retain personal information for as long as necessary to fulfill the purposes described in this policy, unless a longer period is required or permitted by law. Retention periods may depend on whether you maintain an Account, whether data is needed for security or dispute resolution, and whether we must comply with tax, accounting, or regulatory requirements.

When retention periods expire, we delete or de-identify information in accordance with our internal procedures, subject to technical and backup constraints.

We implement administrative, technical, and organizational measures designed to protect personal information against unauthorized access, loss, alteration, or disclosure. These measures may include encryption in transit, access controls, logging, and vendor security reviews.

No method of transmission or storage is completely secure. If you believe your Account has been compromised, contact us promptly using the information below.

Depending on your location, you may have rights to access, correct, delete, or export your personal information; to object to or restrict certain processing; to withdraw consent where processing is based on consent; and to lodge a complaint with a supervisory authority.

California residents (CPRA / CCPA). You may have the right to know, delete, and correct personal information, and to opt out of “sale” or “sharing” as defined under California law. We do not sell personal information for monetary consideration. You may designate an authorized agent where permitted by law. We will not discriminate against you for exercising these rights.

To exercise rights, contact us as set out in Section 15. We may need to verify your request before responding and will respond within the timeframe required by applicable law.

We may use automated systems to support features such as scheduling, spaced repetition, and product analytics. We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing without human review where such review is required by law.

The Services are not directed to children under 13 (or the age required by local law), and we do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us and we will take appropriate steps to delete it.

The Services may contain links to third-party websites or integrations. This policy does not apply to those services. We encourage you to read the privacy policies of every third-party service you use.

We may modify this Privacy Policy to reflect changes in our practices, technology, legal requirements, or the Services. When we make material changes, we will provide notice as required by law, which may include a notice within the Services or by email.

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or need to reach our privacy team, please contact us through the contact method published on our website or within the Services (for example, an in-app support or feedback channel).

For EU/UK data protection inquiries, you may also contact the supervisory authority in your country of residence.