Luminout Privacy Policy

Last updated: 2026-05-17

This Privacy Policy explains how Luminout collects, uses, shares, and protects personal data when you use the web application and related services.

1. Who We Are (Data Controller)

The operator of Luminout is the data controller for personal data processed through the service. For privacy requests, contact: hello@luminout.app.

2. Applicable Laws

Luminout is designed to operate in line with:

• EU General Data Protection Regulation (GDPR) 2016/679.
• Croatian Act on the Implementation of the GDPR (Zakon o provedbi Opce uredbe o zastiti podataka).
• EU ePrivacy rules and applicable Croatian electronic communications rules for cookies and similar technologies.

3. Data We Process

• Account and identity data: e-mail address, account identifiers, authentication provider, verification status.
• Profile data: first name and last name (if provided during registration).
• Learning data you create: subjects, lectures, questions, generated questions you decide to save, quiz attempts, scores, and progress metrics.
• AI generation input data: selected lecture content and/or uploaded files (PDF, DOCX, PPT/PPTX, TXT) processed to generate questions.
• Billing/subscription data: plan status, Stripe customer/subscription identifiers, checkout and subscription status events.
• Technical and security data: IP-derived request metadata, device and browser metadata, session cookies, security and audit events, and rate limiting events.
• Optional analytics data: pseudonymized usage events and consent signals (depending on your consent choices and region).

4. Why We Process Data (Purposes and Legal Bases)

• Contract performance (GDPR Art. 6(1)(b)): account access, authentication, study features, question generation, quiz history, exports, and premium subscription functionality.
• Legitimate interests (GDPR Art. 6(1)(f)): security monitoring, service integrity, fraud prevention, abuse prevention, and debugging.
• Consent (GDPR Art. 6(1)(a)): non-essential analytics and related cookie processing where required.
• Legal obligation (GDPR Art. 6(1)(c)): accounting/tax and regulatory obligations connected to paid subscriptions.

5. Authentication and Session Management

We use Firebase Authentication and server-side sessions to keep you signed in securely. Session cookies are used for authenticated requests and security controls. Passwords are never stored in plain text.

6. AI Question Generation

When you use AI generation, we process lecture content and/or uploaded files to produce question suggestions. Uploaded file content is parsed for extraction and generation. Generated questions are stored only when you choose to save them. We also store monthly usage counters for plan enforcement and abuse prevention.

7. Payments and Premium Subscriptions

Premium payments are processed by Stripe. We do not store full payment card data. We store subscription metadata necessary to activate, maintain, and cancel Premium status (for example Stripe customer and subscription identifiers and billing event records).

8. Cookies and Similar Technologies

Luminout uses essential cookies and similar technologies to keep the service secure, remember preferences, and maintain core app operation.

• Strictly necessary storage/cookies are used for security and core app operation.
• Non-essential analytics are handled based on consent where required by law.
• Optional analytics may be disabled if you do not provide consent where required.

9. Analytics and Product Improvement

We use analytics tooling (Firebase Analytics) for product and stability insights. Event design follows data minimization principles and avoids intentionally logging sensitive data such as passwords, tokens, raw lecture content, or full answer text.

10. Data Sharing and Processors

We share data only where necessary with service providers acting as processors or independent controllers, depending on context, including:

• Google/Firebase (hosting, database, auth, analytics).
• Google AI services (Gemini API) for AI generation requests.
• Stripe (payment and subscription processing).

11. International Transfers

Some providers may process data outside the EEA. Where required, we rely on appropriate safeguards, such as adequacy decisions and/or standard contractual clauses.

12. Data Retention

• Account and learning data: retained while your account is active, unless deletion is requested or required by law. If you request account deletion in-app, we schedule the deletion for 7 days later so you can reverse it by signing in again during that grace period.
• Billing/subscription records: retained as needed for legal, tax, accounting, and dispute purposes.
• Security and operational logs: retained for limited periods based on security and reliability needs.

13. Your GDPR Rights

You may have the right to:

• Access your personal data.
• Rectify inaccurate data.
• Erase data ("right to be forgotten") in applicable cases.
• Restrict processing in applicable cases.
• Data portability for data you provided to us.
• Object to processing based on legitimate interests.
• Withdraw consent at any time for future processing.

When you request account deletion through the app, your account is marked for deletion after a 7-day grace period. Signing in again during that period cancels the pending deletion. If you have an active Premium subscription, it is scheduled for cancellation at the end of the current billing period when the deletion request is made.

14. Complaints

If you believe your privacy rights are infringed, you can contact us first at hello@luminout.app. You also have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP) or your local EU supervisory authority.

15. Children and Educational Use

Luminout is intended for learners. Where local law requires parental or guardian involvement for minors, users must ensure lawful use and valid permissions.

16. Security Measures

We apply technical and organizational safeguards, including access controls, authenticated API access, transport security, and abuse/rate limiting controls. No system can be guaranteed 100% secure.

17. Changes to this Privacy Policy

We may update this Privacy Policy to reflect legal, technical, or product changes. The updated version will be posted on this page with a revised "Last updated" date.

Please also review the Terms of Service.