Privacy Policy
Last Updated: November 8, 2025
1. Introduction
Luma ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our photo and video sharing platform.
By using Luma, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, do not use the Service.
2. Information We Collect
2.1 Information You Provide
Account Information: When you register, we collect your email address, password (encrypted), and optional profile information like your name.
Event Information: Event titles, descriptions, dates, QR codes, passwords, theme settings, and custom branding.
Payment Information: Payment details are processed by our payment provider, Lemon Squeezy. We do not store credit card information on our servers.
User Content: Photos, videos, captions, and messages uploaded by you or your event guests.
2.2 Information Collected Automatically
Usage Data: IP addresses, browser type, device information, pages visited, time spent on pages, and referring websites.
Cookies and Tracking: We use cookies and similar technologies to maintain sessions, analyze usage, and improve our Service. You can control cookie settings in your browser.
Analytics: We use analytics tools to understand how users interact with our Service and improve user experience.
3. How We Use Your Information
We use collected information for the following purposes:
- Provide Services: Create and manage events, store and display media, facilitate uploads and downloads
- Process Payments: Handle transactions and billing through our payment processor
- Customer Support: Respond to inquiries, troubleshoot issues, and provide assistance
- Improve Service: Analyze usage patterns, develop new features, and enhance user experience
- Communications: Send transactional emails (confirmations, receipts, event notifications) and optional marketing emails
- Security: Detect fraud, prevent abuse, and protect against unauthorized access
- Legal Compliance: Comply with legal obligations and enforce our Terms of Service
4. How We Share Your Information
We do not sell your personal information. We may share information in the following circumstances:
4.1 Service Providers
We work with third-party service providers who perform services on our behalf:
- Supabase: Database and authentication services
- Cloudflare R2: Cloud storage for photos and videos
- Lemon Squeezy: Payment processing
- Email Services: Transactional and marketing email delivery
These providers have access only to the information necessary to perform their functions and are obligated to maintain confidentiality.
4.2 Event Participants
Photos and videos uploaded to your events are visible to anyone with access to the event (via QR code or link). If your event is password-protected, only those with the password can view content.
4.3 Legal Requirements
We may disclose information if required by law, subpoena, court order, or government request, or if we believe disclosure is necessary to:
- Comply with legal obligations
- Protect the rights, property, or safety of Luma, our users, or the public
- Prevent fraud or illegal activities
- Enforce our Terms of Service
5. Data Storage and Retention
Storage Location: Your data is stored on secure servers provided by Supabase (database) and Cloudflare R2 (media files).
Retention Period: Event data and uploaded media are retained for the duration specified by your plan:
- Essential: 1 month
- Premium: 6 months
- Deluxe: 1 year
After the retention period expires, event data and media are permanently deleted from our servers.
Account Information: If you delete your account, we retain basic account information for up to 90 days for fraud prevention and legal compliance, then permanently delete it.
6. Data Security
We implement industry-standard security measures to protect your information:
- Encryption: Data transmitted between your device and our servers is encrypted using HTTPS/TLS
- Password Security: Passwords are hashed and salted using bcrypt
- Access Controls: Strict access controls limit who can access user data
- Regular Audits: We regularly review our security practices and update them as needed
However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
7. Your Privacy Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information (subject to legal retention requirements)
- Data Portability: Request a copy of your data in a machine-readable format
- Opt-Out: Unsubscribe from marketing emails (you cannot opt out of transactional emails)
- Object: Object to processing of your personal information in certain circumstances
To exercise these rights, contact us at hello@luma.events. We will respond within 30 days.
8. Children's Privacy
Luma is not intended for children under 18. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child under 18, please contact us immediately, and we will delete the information.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your own. These countries may have different data protection laws. By using Luma, you consent to the transfer of your information to these countries. We take steps to ensure your data receives adequate protection.
10. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information
- Right to opt out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising your privacy rights
To exercise these rights, contact hello@luma.events with "CCPA Request" in the subject line.
11. European Privacy Rights (GDPR)
If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR), including:
- Right of access to your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent at any time
Our lawful basis for processing your data includes: performance of contract, legitimate interests, and your consent. To exercise your rights, contact hello@luma.events.
12. Cookies and Tracking Technologies
We use the following types of cookies and similar technologies:
- Essential Cookies: Required for the Service to function (authentication, session management)
- Analytics Cookies: Help us understand how users interact with the Service
- Preference Cookies: Remember your settings and preferences
You can control cookies through your browser settings. Disabling essential cookies may affect Service functionality.
13. Third-Party Links
Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these websites. We encourage you to review their privacy policies before providing any information.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a prominent notice on our Service. Your continued use after changes constitutes acceptance of the updated policy.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Email: hello@luma.events
Privacy Officer: privacy@luma.com
Website: luma.com
Your privacy matters to us. We are committed to being transparent about how we collect, use, and protect your information. If you have any concerns, please don't hesitate to reach out.