Lumesce

Privacy Policy

Last updated 5 June 2026

Lumesce is a photography-first social app for iOS. This policy explains what personal data we hold on your behalf, why we hold it, the lawful basis on which we hold it, who else sees it, how long we keep it, your rights, and how to exercise them. Our model is deliberately small: no third-party trackers, no advertising identifiers, no cross-app tracking, no measurement of your physical location.

Data controller: Lumesce is operated by Futurenative Limited, a private company limited by shares registered in Ireland (European Union) under company number 817038, with its registered office at 2 Park View, Clane, Co. Kildare. Futurenative Limited is the controller responsible for your personal data under the EU General Data Protection Regulation (GDPR). For any question about this policy or to exercise your rights, contact hi@lumesce.app.

Scope. This policy covers the Lumesce iOS app and the admin web app at admin.lumesce.app (used internally by our team for editorial moderation and promotion authoring). Any other Lumesce-branded service is covered by its own policy, linked from that service.

1. Account & sign-in data

Lumesce uses two passwordless sign-in methods. We do not store passwords for either.

  • Email magic link. Your email address is held by our authentication provider (Supabase) so we can send one-tap sign-in links. We never see your password because there isn’t one.
  • Sign in with Apple. Apple supplies an opaque identifier scoped to Lumesce; the first time you sign in, Apple also forwards your name and email only if you permit it. If you use Apple’s private email relay, your email reaches us as …@privaterelay.appleid.com and Apple forwards messages from us to your real inbox.

Profile: you supply a username, an optional display name, an optional bio, and an optional avatar. These are visible to other Lumesce users by design (Lumesce is a social app).

Lawful basis: performance of the contract we have with you (GDPR Article 6(1)(b)) — we cannot give you an account without holding the information needed to identify you across sign-ins.

2. Content you upload

This covers everything you create inside the app:

  • Photos. Uploaded as HEIC into our public photo bucket on Supabase Storage. EXIF metadata is stripped before upload, so the file we store does not contain GPS coordinates, capture timestamp, camera serial, lens metadata, or any other embedded photo metadata.
  • Captions and structured tags. Tags are picked from curated lists (camera brand, camera model, lens, editing app, location). No free-form hashtags.
  • Comments. Text replies to other people’s photos.
  • Reports. When you report a photo or comment, we keep the reason you picked and any optional details so an admin can review it.
  • Blocks. When you block another user, we record the pair so neither of you sees the other.

Lawful basis: performance of contract (Article 6(1)(b)) — this content is the service. Reports and blocks additionally rely on our legitimate interest in operating a safe platform (Article 6(1)(f)).

3. Engagement data

Lumesce keeps engagement intentionally light. We do not display public like counts, view counts, or engagement scores anywhere.

  • Likes. Asymmetric visibility by design: only the photo’s owner can see who liked their photo and the total count. Everyone else sees only their own heart state — whether you liked a photo. There is no public like count.
  • Follows. Who you follow and who follows you.
  • Contact requests. When another user requests to contact you and you approve, your account email is shared with them so they can reach you by email outside the app. Declines are silent. We do not provide an in-app revoke for a previously-shared email — control that through your inbox or, for Apple private relay, your Apple ID Settings.
  • In-app notifications. Likes, follows, comments, and contact-request approvals appear on the Activity tab inside the app. We do not send push notifications.

Lawful basis: performance of contract (Article 6(1)(b)).

4. Analytics — aggregate (Tier 1)

We count how many users open the app, view a screen, or see a promotional card on a given day. Tier 1 events are authenticated (to prevent abuse) but the row we store does not contain your user ID. We cannot tell which user generated which event — only how many events of a kind happened per day, broken down at most by country.

Tier 1 is on for everyone. Disabling it would mean we cannot operate the service responsibly (e.g. detect outages, measure adoption). The data we hold at this tier is genuinely aggregate and is not personal data once stored.

Lawful basis: legitimate interest (Article 6(1)(f)) — operating, securing, and improving the service. Because the stored data is non-identifying, this processing does not impair your privacy.

5. Analytics — per-user, opt-in only (Tier 2)

Tier 2 events are a per-user behavioural telemetry stream — separate timestamped records of actions you take in the app (tapping a heart, following someone, opening a promotion, viewing a screen, posting a comment). They are off by default. We ask once on first sign-in; you can change your answer at any time via Profile → Privacy inside the app.

These telemetry records sit alongside, not instead of, the underlying app data. The fact that you liked a photo is recorded in our likes table regardless of your Tier 2 setting — that’s how the heart fill state, the photo owner’s likers list, and the notifications you receive all work (covered in section 3 under contract performance, Article 6(1)(b)). Tier 2 just adds a parallel record of the tap action for aggregate behavioural analytics. If you opt out, we stop creating those telemetry records and the social features keep working exactly the same.

When Tier 2 is on, we also collect your iOS region setting (for example “US”, “IE”, “JP”) so promotional content can be delivered to the right country and so our aggregate metrics can be broken down geographically. This is the value you set in iOS Settings, not a measurement of where your device is. We do not read GPS, Core Location, or any sensed location signal.

You can wipe every Tier 2 event we hold for you at any time via Profile → Privacy → Delete my analytics data. This is separate from opt-out: opting out stops further collection; deletion removes past events.

Lawful basis: your consent (Article 6(1)(a)). You have the right to withdraw consent at any time; withdrawal does not affect the lawfulness of processing carried out before withdrawal.

6. First-party sponsored content (Billboard, feed, and Activity tab)

Lumesce shows sponsored content in three places: the Billboard section on the Discover tab (a clearly-labelled horizontal strip of brand-supplied cards), occasionally interleaved between photos in the main feed (default cadence: one card after every eight to thirteen photos, capped at once per local day per promotion), and — when a campaign is running — a single clearly-labelled sponsored row at the top of your Activity tab. All three surfaces share the same first-party model:

  • Lumesce decides what appears. Brands provide content; we curate and place it. There is no auction, no bidding, no real-time exchange.
  • No third-party ad SDK or ad network. No advertising identifier (we do not read Apple’s IDFA), no cross-app tracking, no behavioural targeting, no Apple App Tracking Transparency prompt.
  • Country targeting only. A given sponsored card may be configured to show only to users with a particular iOS region setting (the same setting referenced in section 5 — not a sensed location). Within the targeted countries, the same set of cards is eligible for everyone; the order in which they appear is determined by a fixed, deterministic rotation that varies between accounts and from day to day, and uses only your account identifier and the current date — no behavioural signal goes into the ordering.

To run the feed sponsored cards responsibly we record two narrow pieces of data per user:

  • Frequency cap. When a feed sponsored card is visible for at least half a second (a “qualified view”), we write a row tying your account to that specific promotion for the current local date. The next time our system considers showing you that same promotion on the same day, the row is consulted and the card is skipped — so you do not see the same promotion twice in one day. Rows are deleted automatically after about seven days; they exist purely to enforce the daily cap.
  • Reach measurement. Across the lifetime of a promotion, we record which accounts had a qualified view of it at least once. This lets us tell a brand, honestly, how many distinct people saw their card — the metric that replaces the per-click profiling typical of third-party ad networks. While the promotion is running, the reach record is a row per (account, promotion). Within two days of the promotion’s end date, every per-account row is deleted and replaced with a single anonymous statistic — the total number of distinct accounts that saw the card, with no link back to any individual. The anonymous total is retained indefinitely as a per-campaign statistic.

Beyond these two per-user records, we do not collect anything about your interaction with sponsored content. How often a card was rendered into a feed slot, how many times it was tapped, and how many times its “Learn more” link was followed out of the app are kept as aggregate counters with no user identifier: we know the total per day, not who tapped it.

The Activity-tab sponsored row is lighter still: we store nothing about you for it on our servers. While a campaign is running, the row appears at the top of your Activity tab; your device keeps a small local note of which sponsored row it has already shown you, so you are not repeatedly alerted about the same one — and that note never leaves your phone. The only server-side data is the same kind of aggregate counter described above (how many times the row was shown and tapped in total, with no user identifier).

When you tap any sponsored item and we open the advertiser’s website, the outbound link may carry a fixed marker identifying Lumesce as the source of the visit — for example, utm_source=lumesce. This marker is the same for everyone: it contains no information about you and cannot be used to recognise you across apps or websites. What the advertiser’s own website does once you arrive is governed by their privacy policy, not ours.

Lawful basis: our legitimate interest under GDPR Article 6(1)(f), specifically in (a) operating an advertiser-supported service so that Lumesce can stay free of subscription paywalls, (b) capping how often any one account sees the same promotion so the feed is not spammed, and (c) providing brands with honest aggregate reach figures so they can decide whether their spend was worthwhile. We have completed the three-part assessment required by GDPR (purpose, necessity, balancing test) and concluded that this processing — narrowly scoped, bounded in time, using only your existing Lumesce account identifier, and free of any cross-app or advertising identifier — does not override your rights and freedoms. Our full Legitimate Interest Assessment is available on request from hi@lumesce.app.

Right to object (Article 21). You can object to the sponsored-card data processing described above at any time by emailing hi@lumesce.app. Within 30 days of receiving your request (the GDPR Article 12 baseline), we will stop writing frequency-cap and reach rows for your account. Sponsored cards are part of how Lumesce stays free, so they may continue to appear in your feed — but we will no longer record which ones you saw, count you in any campaign’s reach figure, or be able to enforce the once-per-day cap on your account (so you may occasionally see the same card more than once a day). Deleting your account erases both rows automatically.

7. What we deliberately don't do

For complete clarity, none of the following happen in Lumesce. We list them explicitly because absence is harder to verify than presence.

  • No measurement of your physical location. No GPS, no Core Location, no IP-based geolocation. The iOS region setting referenced in section 5 is from Settings, not measured.
  • No advertising identifier. We do not read Apple’s IDFA. Because we do not track you across apps or websites, Lumesce does not trigger Apple’s App Tracking Transparency prompt.
  • No cross-app tracking. We don’t correlate your Lumesce activity with anything you do in other apps or websites.
  • No browsing or web history. We don’t see what websites you visit.
  • No contact lists. We don’t read your phone’s address book.
  • No photo metadata after upload. EXIF is stripped before upload — the file we store cannot be inspected for capture location, camera serial, or timestamps.
  • No push notifications. Activity surfaces inside the Lumesce app only.
  • No third-party analytics SDKs. Analytics run on our own infrastructure (Supabase); see Section 12 for the service providers we use.
  • No third-party ad SDK, no ad network, no data broker, no auction, no behavioural targeting, no advertising identifier. All Lumesce sponsored content is first-party, country-targeted at most, and operates within the narrow scope described in section 6.

8. Children

Lumesce is intended for users 16 years of age and older. On first sign-in, we ask you to confirm you are 16 or older before either sign-in path becomes available. Sign in with Apple users are additionally age-verified server-side by Apple as part of their Apple ID terms, though Apple’s minimum (~13) is below ours — the in-app affirmation is the authoritative gate.

We chose 16 (rather than the 13 minimum permitted by UK GDPR) to align with Ireland’s threshold for children’s-data consent under GDPR Article 8 (Ireland is our controller jurisdiction) and with the wider regulatory trend toward 16+ social-media access in the EU and elsewhere. As a consequence, none of the processing described in this policy is processing of children’s data within the meaning of GDPR Article 8.

We do not knowingly collect personal data from anyone under 16. If you believe we may have collected information from a child under 16, contact hi@lumesce.app and we will delete it.

9. How long we keep your data

  • Sign-in credentials (email or Apple identifier) — until you delete your account.
  • Profile fields (username, display name, bio, avatar) — until you change or delete them, or you delete your account.
  • Photos, captions, tags, comments, likes, follows, contact-request approvals — until you delete them individually or delete your account.
  • Blocks — until you unblock or you delete your account.
  • Reports you submit — deleted with your account. If you want a report you submitted to persist for moderation continuity after you leave, contact us at hi@lumesce.app before deleting your account so we can capture the relevant context.
  • Tier 1 aggregate counters — retained indefinitely. They contain no personal identifier.
  • Tier 2 events — retained on a three-year rolling window. Events older than three years are purged automatically.
  • Sponsored-card frequency-cap rows (section 6) — purged automatically about seven days after they are written. Their only purpose is to enforce the once-per-day-per-promotion cap.
  • Sponsored-card reach rows (section 6) — per-account rows are kept only while the promotion is running, and are deleted within two days of the promotion’s end date. They are replaced with a single anonymous per-campaign count that no longer identifies anyone.
  • Aggregated rollup metrics (e.g. impressions per day, anonymous per-campaign reach count) — retained indefinitely once aggregated; they no longer identify anyone.

10. Your rights

Under GDPR and equivalent regulations, you have the following rights. Most can be exercised directly in the Lumesce app; for the rest, write to hi@lumesce.app and we will respond within 30 days as required by GDPR Article 12.

  • Access. Request a copy of the personal data we hold about you. We will send you a machine-readable export.
  • Rectification. Correct inaccurate or incomplete data. Profile fields can be edited directly in the app; for anything else, email us.
  • Erasure. Delete your account from Profile → Delete account. Account deletion cascades through every table that references you (photos, comments, likes, follows, blocks, contact requests, reports you submitted, in-app notifications, Tier 2 analytics events, sponsored-card frequency-cap rows, and sponsored-card per-account reach rows), and your storage files (uploaded photos and avatar) are purged. The anonymous per-campaign reach count survives, but it no longer identifies you. For erasure of specific items rather than the whole account, delete the item in the app or email us.
  • Restriction. Ask us to pause processing of your data while a dispute or correction is resolved. Email us with the request.
  • Portability. Receive your data in a structured, commonly used, machine-readable format. In-app via Profile → Privacy → Export my data: bundles your account, photos, comments, likes, follows, contact requests, in-app notifications, Tier 2 analytics events, sponsored-card frequency-cap rows, and sponsored-card per-account reach rows into a single .zip containing a pretty-printed data.json plus your photo files. (GDPR Article 20 does not strictly require the legitimate-interest items — Tier 1/Tier 2 analytics, sponsored-card processing — to be portable; we include them anyway for transparency.) Reports filed against you are not included (GDPR Recital 63: access shall not adversely affect the rights and freedoms of others — the reporter’s identity is the others’ data).
  • Objection. Object to processing that relies on legitimate interest — Tier 1 analytics, reports/blocks operational data, and sponsored-card processing (section 6). Email hi@lumesce.app with the basis for your objection; for sponsored-card processing we will stop within 30 days of receiving the request.
  • Withdraw consent. For Tier 2 analytics, flip the toggle off via Profile → Privacy. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Complain to a supervisory authority. You have the right to lodge a complaint with the data protection authority in your EU member state of residence, or any other competent EU supervisory authority. A directory is at edpb.europa.eu. We’d also appreciate the chance to address your concern directly first — write to us at hi@lumesce.app.

11. Where your data lives, and how it's protected

  • Residency. Your stored Lumesce data — photos, profiles, comments, likes, follows, contact requests, notifications, analytics — resides in the European Union region of our database and storage provider (Supabase), and we do not replicate or back it up outside the EU. As noted in Section 12, a few providers process limited data outside the EU — notably email delivery from the United States — under Standard Contractual Clauses.
  • Encryption in transit. All client traffic uses TLS (HTTPS). Sign-in over Apple’s relay is similarly TLS-protected end to end.
  • Encryption at rest. The database and storage layers are encrypted at rest by our provider as part of their standard managed service.
  • Row-level access control. Every database table enforces row-level security policies — by default you can read your own data plus content explicitly marked public; you cannot query for others’ private data. This is the primary defence against bugs in our own application code.
  • No password storage. Lumesce is passwordless (magic link or Sign in with Apple). A password breach is not a failure mode that exists for us.

12. Who else processes your data

Lumesce keeps a deliberately small set of service providers. Except where noted, each processes personal data only on our instructions, under a written data-processing agreement (GDPR Article 28), and only to provide the function described:

  • Supabase (Supabase, Inc.) — our core infrastructure: the managed Postgres database, object storage for your photos, and authentication. Your Lumesce account, photos, comments, and activity are stored in Supabase’s EU region. Supabase processes data under its Data Processing Agreement, which incorporates the EU Standard Contractual Clauses for any incidental transfer outside the EU (for example when its engineering support team accesses infrastructure to troubleshoot).
  • Vercel (Vercel, Inc.) — hosts our web application and the serverless functions that run it, including the automated content-moderation worker. When that worker screens a newly uploaded photo (see Amazon Web Services, next), the image is handled in memory in Vercel’s EU (Frankfurt) region and is not stored by Vercel. Vercel processes data under its Data Processing Agreement and the EU Standard Contractual Clauses.
  • Amazon Web Services (AWS) — provides the automated image-moderation model (Amazon Rekognition) that screens newly uploaded photos for content that may violate our guidelines. Each image is sent to Amazon Rekognition in an EU region for classification shortly after upload, and Rekognition returns only category labels (for example, whether an image appears to contain explicit or graphically violent content). AWS processes this data under the AWS Data Processing Addendum and the EU Standard Contractual Clauses. We have opted out of AWS’s AI-services data usage, so AWS does not store or use the images to improve its own services.
  • Postmark — our transactional-email provider, used to deliver our authentication emails (principally the sign-in “magic link”). To send an email it processes the recipient address and the message itself, and receives none of your other Lumesce data. Email is delivered from the United States under Postmark’s Data Processing Agreement and the EU Standard Contractual Clauses.
  • Apple Inc. not a processor acting on our behalf, but an independent controller for Sign in with Apple. When you use it, Apple handles the authentication exchange under its own privacy policy; it tells us only that you signed in successfully, and we do not tell Apple what you do inside Lumesce. Crash reports from the iOS app, if you opt in to share them with developers, are handled by Apple under its separate policy and reach us de-personalised.

We do not use any third-party analytics SDK (no PostHog, Mixpanel, Amplitude, Firebase, Google Analytics, etc.). We do not use ad networks. We do not sell or share data with data brokers.

We contractually require all third parties listed above to provide the same or equivalent protection of your personal data as set out in this policy and as required by applicable law. If we ever introduce a new processor that cannot meet this standard, we will not use it.

13. Changes to this policy

We may update this policy as Lumesce evolves. The “Last updated” date at the top of the page reflects the most recent change.

For material changes — new categories of personal data, new processors, or changes to the lawful basis on which we process — we will notify you by email at the address on your account before the change takes effect. Where the law requires renewed consent (for example, a change that depends on Article 6(1)(a) consent), we will obtain it before applying the change to your data.