Your data, plainly explained.
This policy explains what information Lumina collects, why we collect it, who we share it with, and what choices you have. It applies to the Lumina website, dashboard, and APIs operated by the Lumina team.
Information we collect
We collect only what we need to give you an account, deliver the audio you generate, and keep the service safe. Specifically:
You give us
- Account data — your name, email, and a hashed password (we never store your password in plain text).
- Profile data — anything else you put in your settings, such as default voice preferences or an avatar URL.
- Content — the text you submit for synthesis, the audio Lumina generates from it, the transcripts of audio you upload, and any project metadata you save.
- Payment data — billing details you enter through our payment processor (Stripe). We never see or store your full card number on our servers; we store only the brand, last four digits, and expiry that Stripe returns to us so you can recognise the card you saved.
We collect automatically
- Authentication signals — login timestamps, IP addresses of requests during sign-in and password reset, and the outcome of OTP checks. We use these to rate-limit abuse.
- Usage events — counts of generations, transcripts, and projects per billing period, so we can enforce your plan limits and show your usage dashboard.
- Technical data — browser type, operating system, and a small set of error/performance signals. We do not run advertising or cross-site tracking.
How we use your information
We use the data described above to:
- Create your account and authenticate you on every sign-in.
- Generate, store, and deliver the audio and transcripts you ask for.
- Apply plan limits (generations per month, project caps, character limits).
- Process payments and renewals through Stripe.
- Send transactional email — verification codes, password resets, billing receipts, and material account notices. We do not send marketing email without your explicit opt-in.
- Detect and prevent abuse (brute force, payment fraud, spam).
- Comply with applicable law and respond to lawful requests.
We do not sell your personal information, and we do not train general-purpose AI models on your private content.
Third-party processors
The vendors below process data on our behalf:
| Vendor | Purpose | Region |
|---|---|---|
| Supabase / PostgreSQL | Account, billing metadata, generation history | EU / US |
| Stripe | Payments, subscriptions, invoicing | Global |
| Resend | Transactional email delivery (OTP, receipts) | US / EU |
| Google Cloud Text-to-Speech | Voice synthesis | Global |
| NVIDIA NIM | Premium voice synthesis and AI Studio inference | Global |
| Vercel | Hosting, edge delivery, CI/CD | Global |
Each processor receives only the data needed for its task. The audio we generate for you flows through the synthesis vendor and is not retained by the vendor beyond the duration of the request, except for any data the vendor processes for its own service-quality monitoring per its own terms.
Data retention
We keep your account data for as long as your account is active, and for a short period after closure so we can handle billing reconciliation and dispute resolution.
- Account profile — until you delete your account.
- Generation history — until you delete the individual item or the account.
- Authentication logs — 90 days, then deleted or anonymised.
- Billing records — 7 years, to satisfy tax/accounting obligations.
- One-time passcodes — automatically expire and are purged within 10 minutes of issuance.
Your rights
Depending on where you live (GDPR in the EEA/UK, LGPD in Brazil, CCPA/CPRA in California, etc.) you have some or all of these rights:
- Access — get a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — ask us to delete your account and the data tied to it.
- Portability — receive an export of your generations and profile.
- Objection / restriction — ask us to stop a specific processing.
- Withdraw consent — for any processing we do on the basis of consent.
You can exercise most of these from your account settings or by emailing us. We will respond within 30 days. If you believe we have mishandled your data you also have the right to lodge a complaint with your local data protection authority.
Children
Lumina is not directed at children under 13 (or under 16 in jurisdictions that set a higher bar). We do not knowingly collect information from children. If you believe a child has created an account, contact us and we will delete the account and its data.
International data transfers
We operate globally, and our processors (Supabase, Stripe, Resend, Vercel, etc.) may store and process your data outside your country of residence — typically in the United States and the European Union. Where required, we rely on Standard Contractual Clauses or other approved transfer mechanisms to protect your data.
Security
Passwords are stored as bcrypt hashes. OTPs are hashed before storage and expire in 10 minutes. Email-change and password-reset flows require ownership proof against the new address before the change takes effect. We use rate limiting on authentication endpoints, HTTPS everywhere, and security headers (CSP, HSTS, X-Frame-Options) on every page. No method is 100% secure; if you find a vulnerability, please report it to the contact below.
Changes to this policy
We may update this policy as the service evolves or the law changes. Material changes will be announced by email and shown as an in-app notice before they take effect. The “Last updated” date at the top of this page always reflects the most recent revision.
Contact
You can reach us about anything in this policy — including data requests, complaints, and questions — at yusrilprayoga90@gmail.com.
Need to reach us?
Questions, complaints, or data requests can be sent to yusrilprayoga90@gmail.com. We aim to respond within 5 working days.