Luminout Privacy Policy
This Privacy Policy explains how Luminout collects, uses, shares, and protects personal data when you use the web application and related services.
1. Who We Are (Data Controller)
The operator of Luminout is the data controller for personal data processed through the service. For privacy requests, contact: hello@luminout.app.
2. Applicable Laws
Luminout is designed to operate in line with:
- EU General Data Protection Regulation (GDPR) 2016/679.
- Croatian Act on the Implementation of the GDPR (Zakon o provedbi Opće uredbe o zaštiti podataka).
- EU ePrivacy rules and applicable Croatian electronic communications rules for cookies and similar technologies.
3. Data We Process
- Account and identity data: e-mail address, account identifiers, authentication provider, verification status.
- Profile data: first name and last name (if provided during registration).
- Learning data you create: subjects, lectures, questions, generated questions you decide to save, quiz attempts, scores, and progress metrics.
- AI generation input data: selected lecture content and/or uploaded files (PDF, DOCX, PPT/PPTX, TXT) processed to generate questions.
- Billing/subscription data: plan status, Stripe customer/subscription identifiers, checkout and subscription status events.
- Technical and security data: IP-derived request metadata, device and browser metadata, session cookies, security and audit events, and rate-limiting events.
- Optional analytics and advertising data: pseudonymized usage events, ad request metadata, and consent signals (depending on your consent choices and region).
4. Why We Process Data (Purposes and Legal Bases)
- Contract performance (GDPR Art. 6(1)(b)): account access, authentication, study features, question generation, quiz history, exports, and premium subscription functionality.
- Legitimate interests (GDPR Art. 6(1)(f)): security monitoring, service integrity, fraud prevention, abuse prevention, and debugging.
- Consent (GDPR Art. 6(1)(a)): non-essential analytics and advertising personalization/cookie-related processing where required.
- Legal obligation (GDPR Art. 6(1)(c)): accounting/tax and regulatory obligations connected to paid subscriptions.
5. Authentication and Session Management
We use Firebase Authentication and server-side sessions to keep you signed in securely. Session cookies are used for authenticated requests and security controls. Passwords are never stored in plain text.
6. AI Question Generation
When you use AI generation, we process lecture content and/or uploaded files to produce question suggestions. Uploaded file content is parsed for extraction and generation. Generated questions are stored only when you choose to save them. We also store monthly usage counters for plan enforcement and abuse prevention.
7. Payments and Premium Subscriptions
Premium payments are processed by Stripe. We do not store full payment card data. We store subscription metadata necessary to activate, maintain, and cancel Premium status (for example Stripe customer and subscription identifiers and billing event records).
8. Ads, CMP, Cookies, and Similar Technologies
Luminout may display ads using Google AdSense. Consent prompts for ads may be handled through a Google-certified CMP flow, depending on region and configuration.
- Strictly necessary storage/cookies are used for security and core app operation.
- Non-essential analytics and ad personalization are handled based on consent where required by law.
- Ads may still be shown in a generalized (non-personalized) mode when consent for personalization is not given.
9. Analytics and Product Improvement
We use analytics tooling (Firebase Analytics) for product and stability insights. Event design follows data minimization principles and avoids intentionally logging sensitive data such as passwords, tokens, raw lecture content, or full answer text.
10. Data Sharing and Processors
We share data only where necessary with service providers acting as processors or independent controllers, depending on context, including:
- Google/Firebase (hosting, database, auth, analytics).
- Google AI services (Gemini API) for AI generation requests.
- Stripe (payment and subscription processing).
- Google AdSense and related ad-tech vendors (advertising).
11. International Transfers
Some providers may process data outside the EEA. Where required, we rely on appropriate safeguards, such as adequacy decisions and/or standard contractual clauses.
12. Data Retention
- Account and learning data: retained while your account is active, unless deletion is requested or required by law.
- Billing/subscription records: retained as needed for legal, tax, accounting, and dispute purposes.
- Security and operational logs: retained for limited periods based on security and reliability needs.
13. Your GDPR Rights
You may have the right to:
- Access your personal data.
- Rectify inaccurate data.
- Erase data ("right to be forgotten") in applicable cases.
- Restrict processing in applicable cases.
- Receive the data you provided to us in a portable format (data portability).
- Object to processing based on legitimate interests.
- Withdraw consent at any time for future processing.
14. Complaints
If you believe your privacy rights are infringed, you can contact us first at hello@luminout.app. You also have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP) or your local EU supervisory authority.
15. Children and Educational Use
Luminout is intended for learners. Where local law requires parental or guardian involvement for minors, users must ensure lawful use and valid permissions.
16. Security Measures
We apply technical and organizational safeguards, including access controls, authenticated API access, transport security, and abuse/rate limiting controls. No system can be guaranteed 100% secure.
17. Changes to this Privacy Policy
We may update this Privacy Policy to reflect legal, technical, or product changes. The updated version will be posted on this page with a revised "Last updated" date.
Please also review the Terms of Service.