Privacy Policy

Lumesce uses two passwordless sign-in methods. We do not store passwords for either.

• Email magic link.Your email address is held by our authentication provider (Supabase) so we can send one-tap sign-in links. We never see your password because there isn’t one.
• Sign in with Apple. Apple supplies an opaque identifier scoped to Lumesce; the first time you sign in, Apple also forwards your name and email only if you permit it. If you use Apple’s private email relay, your email reaches us as …@privaterelay.appleid.com and Apple forwards messages from us to your real inbox.

Profile: you supply a username, an optional display name, an optional bio, and an optional avatar. These are visible to other Lumesce users by design (Lumesce is a social app).

Lawful basis: performance of the contract we have with you (GDPR Article 6(1)(b)) — we cannot give you an account without holding the information needed to identify you across sign-ins.

This covers everything you create inside the app:

• Photos. Uploaded as HEIC into our public photo bucket on Supabase Storage. EXIF metadata is stripped before upload, so the file we store does not contain GPS coordinates, capture timestamp, camera serial, lens metadata, or any other embedded photo metadata.
• Captions and structured tags. Tags are picked from curated lists (camera brand, camera model, lens, editing app, location). No free-form hashtags.
• Comments.Text replies to other people’s photos.
• Reports. When you report a photo or comment, we keep the reason you picked and any optional details so an admin can review it.
• Blocks. When you block another user, we record the pair so neither of you sees the other.

Lawful basis: performance of contract (Article 6(1)(b)) — this content is the service. Reports and blocks additionally rely on our legitimate interest in operating a safe platform (Article 6(1)(f)).

Lumesce keeps engagement intentionally light. We do not display public like counts, view counts, or engagement scores anywhere.

• Likes. Asymmetric visibility by design: only the photo’s owner can see who liked their photo and the total count. Everyone else sees only their own heart state — whether you liked a photo. There is no public like count.
• Follows. Who you follow and who follows you.
• Contact requests. When another user requests to contact you and you approve, your account email is shared with them so they can reach you by email outside the app. Declines are silent. We do not provide an in-app revoke for a previously-shared email — control that through your inbox or, for Apple private relay, your Apple ID Settings.
• In-app notifications. Likes, follows, comments, and contact-request approvals appear on the Activity tab inside the app. We do not send push notifications.

Lawful basis: performance of contract (Article 6(1)(b)).

We count how many users open the app, view a screen, or see a promotional card on a given day. Tier 1 events are authenticated (to prevent abuse) but the row we store does not contain your user ID. We cannot tell which user generated which event — only how many events of a kind happened per day, broken down at most by country.

Tier 1 is on for everyone. Disabling it would mean we cannot operate the service responsibly (e.g. detect outages, measure adoption). The data we hold at this tier is genuinely aggregate and is not personal data once stored.

Lawful basis: legitimate interest (Article 6(1)(f)) — operating, securing, and improving the service. Because the stored data is non-identifying, this processing does not impair your privacy.

Tier 2 events are stored under your account and let us understand individual behaviour (which photos you liked, which promotions you opened, which screens you visited). These are off by default. We ask once on first sign-in; you can change your answer at any time via Profile → Privacy inside the app.

When Tier 2 is on, we also collect your iOS region setting (for example “US”, “IE”, “JP”) so promotional content can be delivered to the right country and so our aggregate metrics can be broken down geographically. This is the value you set in iOS Settings, not a measurement of where your device is. We do not read GPS, Core Location, or any sensed location signal.

You can wipe every Tier 2 event we hold for you at any time via Profile → Privacy → Delete my analytics data. This is separate from opt-out: opting out stops further collection; deletion removes past events.

Lawful basis: your consent (Article 6(1)(a)). You have the right to withdraw consent at any time; withdrawal does not affect the lawfulness of processing carried out before withdrawal.

For complete clarity, none of the following happen in Lumesce. We list them explicitly because absence is harder to verify than presence.

• No measurement of your physical location. No GPS, no Core Location, no IP-based geolocation. The iOS region setting referenced in section 5 is from Settings, not measured.
• No advertising identifier.We do not read Apple’s IDFA. Because we do not track you across apps or websites, Lumesce does not trigger Apple’s App Tracking Transparency prompt.
• No cross-app tracking.We don’t correlate your Lumesce activity with anything you do in other apps or websites.
• No browsing or web history. We don’t see what websites you visit.
• No contact lists.We don’t read your phone’s address book.
• No photo metadata after upload. EXIF is stripped before upload — the file we store cannot be inspected for capture location, camera serial, or timestamps.
• No push notifications. Activity surfaces inside the Lumesce app only.
• No third-party analytics SDKs. See section 11 for the only data processor we use.
• No ad networks, no data brokers, no targeted ads.Lumesce’s promotional section (Billboard) is first-party editorial content curated by our team; brands supply the content but Lumesce decides what appears, and no auction or behavioural targeting is involved.

Lumesce is intended for users 13 years of age and older. On first sign-in, we ask you to confirm you are 13 or older before either sign-in path becomes available. Sign in with Apple users are additionally age-verified server-side by Apple as part of their Apple ID terms.

We do not knowingly collect personal data from children under 13. If you believe we may have collected information from a child under 13, contact hi@lumesce.app and we will delete it.

• Sign-in credentials (email or Apple identifier) — until you delete your account.
• Profile fields (username, display name, bio, avatar) — until you change or delete them, or you delete your account.
• Photos, captions, tags, comments, likes, follows, contact-request approvals — until you delete them individually or delete your account.
• Blocks — until you unblock or you delete your account.
• Reports you submit — deleted with your account. If you want a report you submitted to persist for moderation continuity after you leave, contact us at hi@lumesce.app before deleting your account so we can capture the relevant context.
• Tier 1 aggregate counters — retained indefinitely. They contain no personal identifier.
• Tier 2 events — retained on a three-year rolling window. Events older than three years are purged automatically.
• Aggregated rollup metrics (e.g. impressions per day) — retained indefinitely once aggregated; they no longer identify anyone.

Under GDPR and equivalent regulations, you have the following rights. Most can be exercised directly in the Lumesce app; for the rest, write to hi@lumesce.app and we will respond within 30 days as required by GDPR Article 12.

• Access. Request a copy of the personal data we hold about you. We will send you a machine-readable export.
• Rectification. Correct inaccurate or incomplete data. Profile fields can be edited directly in the app; for anything else, email us.
• Erasure. Delete your account from Profile → Delete account. Account deletion cascades through every table that references you (photos, comments, likes, follows, blocks, contact requests, reports you submitted, in-app notifications, and Tier 2 analytics events), and your storage files (uploaded photos and avatar) are purged. For erasure of specific items rather than the whole account, delete the item in the app or email us.
• Restriction. Ask us to pause processing of your data while a dispute or correction is resolved. Email us with the request.
• Portability. Receive your data in a structured, commonly used, machine-readable format. We will provide a JSON export on request.
• Objection. Object to processing that relies on legitimate interest (Tier 1 analytics; reports and blocks operational data). Email us with the basis for your objection.
• Withdraw consent. For Tier 2 analytics, flip the toggle off via Profile → Privacy. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Complain to a supervisory authority. You have the right to lodge a complaint with the data protection authority in your EU member state of residence, or any other competent EU supervisory authority. A directory is at edpb.europa.eu. We’d also appreciate the chance to address your concern directly first — write to us at hi@lumesce.app.

• Residency. All Lumesce data — photos, profiles, comments, likes, follows, contact requests, notifications, analytics — resides in the European Union region of our database and storage provider (Supabase). We do not replicate or back up your data outside the EU.
• Encryption in transit.All client traffic uses TLS (HTTPS). Sign-in over Apple’s relay is similarly TLS-protected end to end.
• Encryption at rest. The database and storage layers are encrypted at rest by our provider as part of their standard managed service.
• Row-level access control.Every database table enforces row-level security policies — by default you can read your own data plus content explicitly marked public; you cannot query for others’ private data. This is the primary defence against bugs in our own application code.
• No password storage. Lumesce is passwordless (magic link or Sign in with Apple). A password breach is not a failure mode that exists for us.

Lumesce operates with a deliberately minimal third-party footprint:

• Supabase(Supabase Inc.) — the only data processor. Provides the managed Postgres database, object storage, and authentication that Lumesce runs on. All Lumesce data is stored in Supabase’s EU region. Supabase processes data on our behalf under their standard Data Processing Agreement, which incorporates the EU Standard Contractual Clauses for any incidental transfer outside the EU (for example when Supabase’s engineering support team accesses infrastructure for troubleshooting).
• Apple Inc. — when you use Sign in with Apple, Apple handles the authentication exchange under their own privacy policy. They tell us only that you successfully signed in; we do not tell Apple what you do inside Lumesce. Crash reports from the iOS app, if you have opted in to share them with developers, are handled by Apple under their separate policy and reach us de-personalised.

We do not use any third-party analytics SDK (no PostHog, Mixpanel, Amplitude, Firebase, Google Analytics, etc.). We do not use ad networks. We do not sell or share data with data brokers.

We contractually require all third parties listed above to provide the same or equivalent protection of your personal data as set out in this policy and as required by applicable law. If we ever introduce a new processor that cannot meet this standard, we will not use it.

We may update this policy as Lumesce evolves. The “Last updated” date at the top of the page reflects the most recent change.

For material changes — new categories of personal data, new processors, or changes to the lawful basis on which we process — we will notify you by email at the address on your account before the change takes effect. Where the law requires renewed consent (for example, a change that depends on Article 6(1)(a) consent), we will obtain it before applying the change to your data.