LUMINA — Privacy Policy

Controller: USHVIBES OÜ (Estonia)

Operated from: Vienna, Austria

Applies to: All LUMINA users worldwide

GDPR: Fully compliant

LUMINA is built on trust. We collect only what we need to make your experience genuinely personal. We never sell your data. We never show you ads. We never share your conversations with third parties except as required to deliver the service. Your data is yours — you can export or delete it at any time, instantly.

Contents

Who we are
What data we collect
How we use your data
Legal basis for processing (GDPR)
Who we share data with
How long we keep your data
Your rights
How we protect your data
Children and minors
International data transfers
AI and automated processing
Mental health data — special category
Changes to this policy
Contact and DPA

1. Who We Are

LUMINA is operated by USHVIBES OÜ, a private limited company registered in Estonia under the e-Residency programme. Our registered address is in Estonia; operations are managed from Vienna, Austria by Emmanuel Iorkase, founder.

LUMINA is a product of USHVIBES. For the purposes of the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (Datenschutzgesetz, DSG), USHVIBES OÜ is the data controller. We are responsible for deciding how and why your personal data is processed.

2. What Data We Collect

Data you provide directly

Account information: Your name, email address, password (hashed — never stored in plain text), date of birth (for age verification), country, timezone, and preferred language.
Conversation content: Everything you type to LUMINA. This is how LUMINA learns about your life, your goals, and how to help you. This data is the core of the service.
Life goals and Dream Compass: The goals you set, the dreams you share, and the milestones you track.
Mood logs: Your mood check-ins and how you respond to LUMINA's questions.
Profile preferences: Notification times, language preference, briefing schedule, and feature settings.

Data collected automatically

Usage analytics: Which screens you visit, which features you use, how often — collected via Mixpanel. Anonymised where possible.
Technical logs: IP address, browser type, device type, timestamp of requests. Retained for security purposes only.
Error logs: If LUMINA crashes or encounters an error, we log technical details (never conversation content) via Sentry.

Data we do NOT collect

We do not read your emails, text messages, or contacts.
We do not access your camera, microphone, or location (unless you explicitly grant permission for a specific feature).
We do not collect biometric data.
We do not track you across other websites or apps.
We do not build advertising profiles.

3. How We Use Your Data

Purpose	Data used	Why necessary
Deliver the LUMINA service	All conversation data, profile, goals, mood logs	Core service — without this, LUMINA cannot personalise your experience
Generate Morning Illumination	Life scores, recent conversations, goals, mood data	To create a personalised daily briefing for you
LUMINA Companion proactive messages	Relationship data, goals, mood patterns, conversation history	To reach out to you with relevant, timely nudges
Life Scores calculation	Conversation content, mood logs, activity data	To compute your 8-dimension life scores
Crisis detection and safety	Conversation content (scanned in real time)	To protect your safety — this cannot be disabled
Account management	Email, name, plan, payment status	To manage your subscription and account
Payments	Payment data (handled by Stripe — we never see your card number)	To process subscriptions
Security and fraud prevention	IP address, usage patterns, request logs	To protect you and other users from attacks
Product improvement	Anonymised usage analytics	To understand how to make LUMINA better
Legal compliance	As required by applicable law	To comply with our legal obligations

4. Legal Basis for Processing (GDPR)

Under Article 6 of the GDPR, we rely on the following legal bases:

Contract performance (Art. 6(1)(b)): Processing your account information and conversation data is necessary to provide the LUMINA service you have signed up for.
Legitimate interests (Art. 6(1)(f)): Security logging, fraud prevention, and anonymised analytics are in our legitimate interests and do not override your rights.
Legal obligation (Art. 6(1)(c)): We may process data to comply with applicable laws (e.g. responding to court orders).
Consent (Art. 6(1)(a)): For any processing not covered above — including optional features — we ask for your explicit consent.

For special category data (mental health content under Art. 9 GDPR), we rely on your explicit consent, which you provide when you first use LUMINA's wellbeing features.

We never sell your data. We never share conversation content with advertisers. We share data only with the technical service providers listed below, and only to the extent necessary to deliver the LUMINA service.

Provider	Purpose	Location	Safeguards
Anthropic (Claude AI)	AI conversation processing	USA	Data Processing Agreement, Standard Contractual Clauses
ElevenLabs	Voice audio generation	USA	Data Processing Agreement
Supabase (PostgreSQL)	Database hosting	EU (Paris, France)	GDPR compliant, EU-based hosting
Auth0 (Okta)	User authentication	USA/EU	Data Processing Agreement, SCCs, EU data residency option
Stripe	Payment processing	USA/EU	PCI DSS Level 1, Data Processing Agreement
AWS S3	Audio file storage	EU (Paris, France)	EU-based region, encrypted at rest and in transit
Railway	Backend hosting	EU	GDPR compliant infrastructure
Cloudflare	DDoS protection, CDN	Global (edge)	Data Processing Agreement, GDPR compliant
Sentry	Error monitoring (technical only)	USA	Data Processing Agreement, SCCs
Mixpanel	Usage analytics (anonymised)	USA	Data Processing Agreement, SCCs, anonymisation
Firebase (Google)	Push notifications	USA/EU	Data Processing Agreement, SCCs

We may also disclose data if required by law, court order, or to protect the safety of our users or others.

6. How Long We Keep Your Data

Data type	Retention period	Reason
Account information	Until account deletion + 30 days	To allow account recovery
Conversation content	Until account deletion	Core service — LUMINA's memory depends on it
Life scores and mood logs	Until account deletion	To track your progress over time
Payment records	7 years after last transaction	Legal obligation under Austrian and Estonian tax law
Security logs (IP, request logs)	90 days	Security investigation purposes
Crisis logs	2 years	User safety and legal liability
GDPR request logs	3 years	To demonstrate GDPR compliance
Anonymised analytics	3 years	Product improvement

7. Your Rights Under GDPR

If you are in the EU or UK, you have the following rights. We will respond within 30 days (usually much faster):

Right of access (Art. 15): Request a copy of all data we hold about you. Available instantly via Settings → Export My Data.
Right to rectification (Art. 16): Correct inaccurate personal data. Available via Settings → Edit Profile.
Right to erasure (Art. 17 — "right to be forgotten"): Delete your account and all data permanently. Available instantly via Settings → Delete Account.
Right to data portability (Art. 20): Receive your data in a machine-readable format (JSON). Available via Settings → Export My Data.
Right to restrict processing (Art. 18): Ask us to pause processing while a dispute is resolved. Contact privacy@ushvibes.com.
Right to object (Art. 21): Object to processing based on legitimate interests. Contact privacy@ushvibes.com.
Rights related to automated decision-making (Art. 22): LUMINA uses AI to generate personalised content. You can request a human review of any automated decision by contacting us.

To exercise any right, go to Settings → Privacy in the LUMINA app, or email privacy@ushvibes.com. If you believe we have violated your rights, you may lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde) at www.dsb.gv.at.

8. How We Protect Your Data

Encryption in transit: All data between your device and LUMINA is encrypted using TLS 1.2+.
Encryption at rest: Database and file storage are encrypted at rest using AES-256.
Password hashing: Passwords are hashed using industry-standard algorithms. We never store plain-text passwords.
Access control: Strict role-based access. Only essential personnel can access production data, and only for support/legal purposes.
Security headers: HTTP Strict Transport Security, Content Security Policy, X-Frame-Options, and other security headers are applied to every response.
Rate limiting: All API endpoints are rate-limited to prevent abuse.
DDoS protection: Cloudflare protects LUMINA against distributed denial-of-service attacks.
Penetration testing: We will conduct annual security reviews as the product scales.
Breach notification: In the event of a data breach affecting your rights, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR Art. 33–34.

9. Children and Minors

LUMINA is intended for users aged 18 and over. We verify age during onboarding. If we discover that a user is under 18, we will immediately restrict their account and, where required by law, seek parental consent or delete the account.

If you believe a child has created a LUMINA account without appropriate consent, please contact us immediately at privacy@ushvibes.com.

10. International Data Transfers

Some of our service providers are based outside the EU/EEA (notably in the United States). When we transfer data outside the EEA, we ensure adequate protection through:

Standard Contractual Clauses (SCCs) approved by the European Commission
Data Processing Agreements with all providers
EU data residency where available (our primary database is in Paris, France)

11. AI and Automated Processing

LUMINA uses Claude (Anthropic) to generate personalised responses, Morning Illumination briefings, Echo poetry, Life Chapters, and Companion messages. This constitutes automated processing of personal data.

Your conversation content is sent to Anthropic's API to generate responses. Anthropic's privacy policy governs their handling of this data. LUMINA has a Data Processing Agreement with Anthropic.

LUMINA's AI does not make decisions that produce legal or similarly significant effects on you without human oversight.

12. Mental Health Data — Special Category

Some data you share with LUMINA — about your mental health, emotional state, or wellbeing — may constitute special category data under GDPR Article 9. This includes mood logs, responses to check-in questions, and conversations about mental health.

We process this data only with your explicit consent, which you provide when you first use LUMINA's wellbeing features. You may withdraw this consent at any time by contacting privacy@ushvibes.com.

Important: LUMINA is not a medical device, not a healthcare provider, and not a substitute for professional mental health support. If you are in crisis, please contact a crisis helpline. In Austria: call 142 (Telefonseelsorge, free, 24/7).

13. Changes to This Policy

We will notify you of material changes to this Privacy Policy via email and in-app notification at least 30 days before the changes take effect. Your continued use of LUMINA after the effective date constitutes acceptance of the updated policy.

14. Contact and Data Protection Officer

Privacy questions or GDPR requests

Email: privacy@ushvibes.com
Response time: within 72 hours (GDPR requests within 30 days)

USHVIBES OÜ · Registered in Estonia
Operated by Emmanuel Iorkase · Vienna, Austria

Austrian Data Protection Authority (Datenschutzbehörde):
www.dsb.gv.at · +43 1 531 15-202525

Privacy Policy