1. Data controller
The controller responsible for the processing of your personal data within the meaning of the EU General Data Protection Regulation (GDPR) and other applicable data protection laws is:
[TODO: legal entity name, legal form, address]
[TODO: controller contact e-mail]
2. What data we collect
We collect and process the following categories of personal data when you use Lumi:
- Account information (e.g. e-mail address, password hash, authentication identifiers).
- Profile and onboarding data (e.g. age band, school year, subjects, learning preferences you provide during onboarding).
- Tutoring messages and conversation content you exchange with the AI tutor.
- Payment data processed through our payment provider Stripe (we do not store full card numbers ourselves).
- Usage and technical data, including token consumption, feature usage, session timestamps, and limited device or log data.
3. Purposes & legal bases
We process personal data for the following purposes:
- Providing and operating the tutoring service and your account (performance of a contract, Art. 6(1)(b) GDPR).
- Processing payments and managing subscriptions (performance of a contract and legal obligation, Art. 6(1)(b) and (c) GDPR).
- Securing the service, preventing abuse, and improving reliability (legitimate interests, Art. 6(1)(f) GDPR).
- Complying with legal and tax obligations (Art. 6(1)(c) GDPR).
- Any optional processing based on your consent, which you may withdraw at any time (Art. 6(1)(a) GDPR).
4. AI processing
To generate tutoring responses, the content of your messages and relevant context are transmitted to OpenAI, which acts as a data processor on our behalf. OpenAI processes this data solely to return a response to us and under the terms of a data processing agreement. AI output is generated automatically and may be inaccurate; it should always be verified.
5. Children's data
Lumi is intended for use by minors as a learning tool. Because the service is directed at children, additional protections apply. A parent or legal guardian must review this policy and provide consent before a minor uses the service, and is responsible for supervising that use.
[TODO: confirm with counsel the minimum age, the verifiable parental consent mechanism, and applicable children's privacy obligations such as COPPA (US) and Art. 8 GDPR digital-consent ages per Member State.]
6. Retention
We retain personal data only for as long as necessary for the purposes described above or as required by law. Account and tutoring data are kept while your account is active and deleted or anonymised within a reasonable period after account closure; billing records are retained for statutory tax and accounting periods.
[TODO: confirm concrete retention periods with counsel.]
7. Sharing & sub-processors
We do not sell your personal data. We share data with carefully selected service providers acting as processors on our instructions:
- Supabase — database, authentication, and hosting infrastructure.
- Stripe — payment processing and subscription management.
- OpenAI — AI model processing of tutoring messages.
[TODO: maintain a complete and current list of sub-processors.]
8. International transfers
Some of our processors may process data outside the EU/EEA or your country of residence. Where this occurs, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or an adequacy decision.
[TODO: confirm transfer mechanisms and processor locations.]
9. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or alteration, including encryption in transit, access controls, and the use of reputable infrastructure providers. No method of transmission or storage is completely secure.
10. GDPR (EU / Germany)
If you are located in the European Union, you have the following rights regarding your personal data:
- Right of access to your personal data (Art. 15 GDPR).
- Right to rectification of inaccurate data (Art. 16 GDPR).
- Right to erasure ("right to be forgotten", Art. 17 GDPR).
- Right to data portability (Art. 20 GDPR).
- Right to object to certain processing (Art. 21 GDPR).
- Right to restrict processing (Art. 18 GDPR).
- Right to withdraw consent at any time, without affecting prior processing.
You also have the right to lodge a complaint with a supervisory authority. In Germany this is the competent state data protection authority for the controller's seat.
[TODO: name the competent German supervisory authority.]
11. LGPD (Brazil)
If you are located in Brazil, the Lei Geral de Proteção de Dados (Lei 13.709/2018) applies. As a data subject (titular) you have rights including:
- Confirmation of the existence of processing and access to your data.
- Correction of incomplete, inaccurate, or outdated data.
- Anonymisation, blocking, or deletion of unnecessary or excessive data.
- Data portability to another provider.
- Deletion of personal data processed with your consent.
- Information about the entities with which your data has been shared.
- Withdrawal of consent.
[TODO: appoint and name a data protection officer (encarregado / DPO) and provide their contact.]
You may also contact the Brazilian National Data Protection Authority (ANPD) regarding the processing of your personal data.
12. Contact
For any privacy request or question, please contact us at [TODO: privacy contact e-mail].