Lumina

Privacy Policy

Effective: May 2026

This is a convenience translation. In the event of any discrepancy or conflict between the German and English versions, the German version shall prevail and be legally binding.

1. Data Protection at a Glance

General Information

The following information provides a concise overview of what happens to your personal data when you visit this website. Personal data means any data by which you can be personally identified. Detailed information on data protection can be found in the full Privacy Policy set out below.

Data Collection on This Website

Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. The operator's contact details can be found in the section "Information on the Data Controller" in this Privacy Policy.

How do we collect your data?
Some of your data is collected when you provide it to us. This may include data you enter when registering, or content you create in the app (notes, links, uploaded files). Other data is collected automatically when you visit the website (e.g. browser, operating system, time of page access).

What do we use your data for?
Some of the data is collected to ensure the error-free provision of the website. Other data is used to provide the app's features (canvases, notes, AI chat).

What rights do you have regarding your data?
You have the right at any time to obtain, free of charge, information about the origin, recipients, and purpose of your stored personal data. You also have the right to request the rectification or erasure of such data. If you have given consent to data processing, you may withdraw this consent at any time with effect for the future. You also have the right to lodge a complaint with the competent supervisory authority.

2. Hosting and Content Delivery Networks (CDN)

External Hosting (Hetzner)

This website is hosted externally by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Personal data collected on this website is stored on Hetzner's servers in Germany. This may include, in particular, IP addresses, contact requests, metadata and communication data, contract data, contact details, names, website access data, and other data generated via a website.

External hosting is carried out for the purpose of fulfilling contractual obligations towards our potential and existing users (Art. 6(1)(b) GDPR) and in the interest of a secure, fast, and efficient provision of our online services by a professional provider (Art. 6(1)(f) GDPR).

Our hosting provider will process your data only to the extent necessary to fulfil its performance obligations and in accordance with our instructions.

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany

Data Processing Agreement

We have concluded a Data Processing Agreement (DPA) for the use of the above-mentioned service. This is a contract required under data protection law, ensuring that the service provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

Use of Cloudflare (CDN)

We use Cloudflare (Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA; German subsidiary: Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich) as a content delivery network (CDN) and security service (reverse proxy via Cloudflare DNS) to deliver our website faster and more resiliently against attacks. Cloudflare processes in particular IP addresses and technical access and log data (request metadata).

The use of Cloudflare is based on our legitimate interest in the most error-free and secure provision of our website (Art. 6(1)(f) GDPR).

When providing the services, Cloudflare typically acts as a data processor under a Data Processing Addendum (DPA): cloudflare.com/cloudflare-customer-dpa. Information about Cloudflare's sub-processors is available at: cloudflare.com/gdpr/subprocessors. Further information can be found in Cloudflare's Privacy Policy: cloudflare.com/privacypolicy.

3. General Information and Mandatory Disclosures

Data Protection

The operator of this website takes the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this Privacy Policy.

Technical and Organisational Measures (TOM)

We implement appropriate technical and organisational measures pursuant to Art. 32 GDPR to protect personal data (risk-based approach).

At network level:

At application level:

At infrastructure level:

Known limits:

Complete protection cannot be guaranteed despite all measures. Please note that data transmission over the internet (e.g. communication by email) may have security vulnerabilities. Complete protection of data against access by third parties is not possible.

Data Breaches and Security Incidents

In the event of a data breach (unauthorised processing or disclosure of personal data), we will notify the competent supervisory authority within 72 hours of discovery. Affected users will be promptly informed by email if there is a high risk to their rights and freedoms. We take immediate technical measures to limit the damage.

Contact for security incidents: If you suspect a security breach, please contact us immediately at [email protected].

Information on the Data Controller

The data controller responsible for data processing on this website is:

Dennis Heinz
Eltropweg 30
48155 Münster
Germany
Telephone: +49 (0) 163 / 678 60 68
Email: [email protected]

Data Protection Officer

Note: We have not appointed a separate Data Protection Officer. For data protection inquiries, please send an email with the subject "Data Protection Inquiry" to [email protected].

Response time: We will respond to inquiries within 30 days (statutory deadline pursuant to Art. 12 GDPR).

Complaint: The competent supervisory authority is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW). Contact: www.ldi.nrw.de.

Storage Period

Unless a more specific storage period has been specified in this Privacy Policy, your personal data will remain with us until the purpose for data processing ceases to apply. If you assert a legitimate request for erasure or withdraw your consent to data processing, your data will be erased unless we have other legally permissible reasons for storing your personal data.

General Information on the Legal Bases for Data Processing

If you have given consent to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR. If your data is required for the performance of a contract or for the implementation of pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR. Where necessary to protect our legitimate interests, we process your data on the basis of Art. 6(1)(f) GDPR.

Withdrawal of Consent

Many data processing operations are only possible with your explicit consent. You may withdraw consent already given at any time. The lawfulness of the data processing carried out up to the time of withdrawal remains unaffected.

Right to Object (Art. 21 GDPR)

WHERE DATA PROCESSING IS BASED ON ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT AT ANY TIME, FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION, TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA.

Right to Lodge a Complaint

In the event of infringements of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or the place of the alleged infringement.

Right to Data Portability

You have the right to receive data that we process on the basis of your consent or in performance of a contract in a commonly used, machine-readable format, and to have it transmitted to you or to a third party.

Right of Access, Rectification, and Erasure

Within the scope of the applicable legal provisions, you have the right at any time to obtain free information about your stored personal data, its origin and recipients, and the purpose of data processing, as well as, if applicable, a right to rectification or erasure of such data.

SSL / TLS Encryption

For security reasons and to protect the transmission of confidential content, this website uses SSL or TLS encryption. You can recognise an encrypted connection by the change in your browser's address bar from "http://" to "https://" and by the lock symbol displayed there.

4. Data Collection on This Website

Local Mode (no account)

Lumina can be used entirely without registering. In local mode, your canvases, notes, and files are stored on your own device (in your browser or in a local folder you choose); they are never transmitted to or stored on our servers.

If you use AI features in local mode, you provide your own API key for Anthropic or OpenAI ("Bring Your Own Key" / BYOK), and your requests are sent directly from your browser to the AI provider under your own contract with them — we are not a controller or processor for that data, and we do not see the content of those requests.

In local mode, the only data we process about you is the technical access data described in the sections "Server Log Files" and "Use of Cloudflare" of this Privacy Policy.

Registration on This Website

You may register on this website in order to use additional features (e.g. saving notes, canvases, and files). The data entered for this purpose is used exclusively for the use of the respective offer or service for which you have registered. Mandatory information (email address, password) must be provided in full; otherwise, we will reject the registration.

The processing of data entered during registration is carried out for the purpose of performing the user relationship established by the registration (Art. 6(1)(b) GDPR). The data collected will be stored for as long as you are registered on this website and will be deleted thereafter.

Server Log Files

The provider of this website automatically collects and stores information in server log files, which your browser automatically transmits to us. This includes:

This data is not merged with other data sources. The collection of this data is based on Art. 6(1)(f) GDPR.

User Content (Notes, Canvases, Files)

Content you create or upload in the app (notes, canvases, nodes, files such as images or PDFs) is transmitted over an encrypted connection and stored in our database or on the server's file storage. This content is private and intended exclusively for your personal use. It will not be published or disclosed to third parties. Legal basis: Art. 6(1)(b) GDPR (performance of contract).

Inquiries by Email

If you contact us by email, your inquiry, including all resulting personal data, will be stored and processed by us for the purpose of handling your request. We do not pass this data on without your consent.

5. AI Features / Transfer to Third-Party Providers

Lumina offers AI-powered chat and agent features. When you use these features, certain data is transmitted to external AI providers who generate the responses on our behalf as data processors.

What data is transmitted?

Providers used:

If you provide your own API keys ("Bring Your Own Key" / BYOK), the respective provider's privacy terms additionally apply to you directly.

Legal basis: Art. 6(1)(b) GDPR (performance of contract — providing the AI feature is part of the agreed service).

Transfer to third countries: Anthropic and OpenAI are based in the USA. The transfer is carried out on the basis of the EU-US Data Privacy Framework and, in addition, on the basis of Standard Contractual Clauses (Art. 46(2)(c) GDPR).

Storage period: Chat histories are stored in our database for as long as you do not delete them or your account exists. At the AI provider, requests are processed in accordance with the provider's retention policies (typically 30 days for abuse monitoring).

No training on your data: We use the providers' API endpoints, which by default do not collect training data.