Privacy Policy
Last updated: March 4, 2026
This Privacy Policy explains how LUMA ("we", "us", "our") collects, uses, and protects your personal data when you use our website and AI photo editing tools at lumatools.co (the "Service"). We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
1. Data Controller
LUMA is the data controller responsible for your personal data. If you have questions about this policy or your data, contact us at privacy@lumatools.co.
2. What Data We Collect
2.1 Data You Provide
- Account information: Email address, name, and authentication credentials when you create an account.
- Payment information: When you subscribe to a paid plan, payment is processed by Stripe. We do not store your full credit card number. We receive your billing name, email, last four digits of your card, and subscription status from Stripe.
- Images you upload: Photos you submit for editing are uploaded temporarily for processing. See Section 5 for our image data practices.
2.2 Data Collected Automatically
- Usage data: Which tools you use, number of edits performed, and timestamps. Used for rate limiting (3 free edits/day) and service improvement.
- Device and browser information: Browser type, operating system, screen resolution, and device type. Collected via standard HTTP headers.
- IP address: Used for rate limiting of anonymous users and fraud prevention. We do not use IP addresses for marketing or profiling.
- Cookies: We use strictly necessary cookies for authentication and session management. See Section 7.
2.3 Data We Do Not Collect
- We do not use tracking pixels or third-party advertising cookies.
- We do not build advertising profiles from your data.
- We do not sell your personal data to third parties.
3. How We Use Your Data
We process your data for the following purposes and legal bases:
| Purpose | Legal Basis (GDPR Art. 6) |
|---------|--------------------------|
| Provide and operate the Service | Performance of contract (Art. 6(1)(b)) |
| Process payments and manage subscriptions | Performance of contract (Art. 6(1)(b)) |
| Rate limiting and abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Send transactional emails (receipts, account changes) | Performance of contract (Art. 6(1)(b)) |
| Improve and develop the Service | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. Third-Party Processors
We share data with the following third-party processors, all of whom are contractually bound to protect your data:
| Processor | Purpose | Data Shared | Location |
|-----------|---------|-------------|----------|
| fal.ai | AI image processing | Uploaded images (temporarily) | USA |
| Replicate | AI image processing | Uploaded images (temporarily) | USA |
| Stripe | Payment processing | Email, billing info | USA |
| Vercel | Hosting and infrastructure | IP address, usage data | Global (edge) |
For transfers of personal data outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) or the service provider's adequacy measures.
5. Image Data and Retention
Your privacy is central to how we handle images:
- Temporary processing only. Images are uploaded to our AI processing providers (fal.ai, Replicate) solely to perform the requested edit. We do not store your images on our own servers.
- No persistent storage. Processed images are available for download during your session only. We do not retain copies of your original or edited images after processing.
- No training. Your images are never used to train AI models. Our AI providers process images under our data processing agreements and do not retain them for their own purposes.
- Session-scoped. Once you close your browser tab or start a new edit, the previous image URLs expire. Temporary URLs generated by our processors typically expire within 24 hours.
6. Data Retention
- Account data: Retained for as long as your account is active. Deleted within 30 days of account deletion request.
- Usage data (rate limiting): Daily usage counts are retained for 90 days, then automatically purged.
- Payment records: Retained for 7 years as required by tax and financial regulations.
- Images: Not retained. See Section 5.
7. Cookies
We use the following cookies:
| Cookie | Purpose | Duration | Type |
|--------|---------|----------|------|
| Session cookie | Authentication and session management | Session / 30 days | Strictly necessary |
We do not use analytics cookies, advertising cookies, or third-party tracking cookies. Because we only use strictly necessary cookies, no cookie consent banner is required under GDPR.
8. Your Rights
Under GDPR (EEA, UK, Switzerland)
You have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Data portability — receive your data in a machine-readable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time where processing is based on consent (Art. 7(3))
- Lodge a complaint with your local Data Protection Authority
Under CCPA (California)
California residents have the right to:
- Know what personal data is collected and how it is used
- Delete personal data we hold about you
- Opt out of the sale of personal data (we do not sell your data)
- Non-discrimination for exercising your privacy rights
To exercise any of these rights, email us at privacy@lumatools.co. We will respond within 30 days (GDPR) or 45 days (CCPA).
9. Children's Privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
10. Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encrypted data transmission (TLS/HTTPS)
- Secure authentication with session tokens
- No persistent storage of user-uploaded images
- Access controls limiting employee access to personal data
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top indicates the most recent revision.
12. Contact Us
For privacy-related inquiries, data subject requests, or complaints:
Email: privacy@lumatools.co
If you are in the EEA and are unsatisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.