Privacy Policy

Last updated: April 21, 2026

1. Who We Are

Lumora is an independently-operated service built and maintained by a solo developer. We act as the controller of the personal data we process about you in relation to the Service. You can reach us for any privacy matter at hello@lumora.ai — questions, requests, and complaints all go to the same inbox and are answered personally.

2. Information We Collect

We collect only what we need to operate the Service:

  • Account information — your email address and, if you sign in with Google, basic profile details provided by Google (name, avatar)
  • Photos you upload — used to generate your requested outputs
  • Generated images — the outputs we produce for you
  • Payment information — processed by Stripe; card numbers never touch our servers (see section 8)
  • Usage data — basic information such as device type, browser, pages visited, and interactions needed to operate and improve the Service

3. How We Use Your Information & Legal Bases

We use your information to deliver and maintain the Service, and we rely on the following legal bases under GDPR and similar laws:

  • Performance of a contract — to generate your headshots, deliver outputs, process payments, and provide customer support
  • Consent — for optional analytics and any marketing communications you opt into; you can withdraw consent at any time
  • Legitimate interests — to prevent fraud and abuse, secure the Service, and improve product quality
  • Legal obligation — to retain billing records and respond to lawful requests as required by applicable law

We do not sell your personal information.

4. AI Processing — No Model Training

We do not train or fine-tune AI models on your photos. When you upload an image, it is sent to a third-party AI provider (Black Forest Labs and/or Replicate) for inference only, meaning it is used to produce your requested output and nothing else. Those providers operate under their own privacy policies and, under their standard API terms, do not retain customer inputs to train their models. We do not use your photos to improve any model of our own, and we do not share or sell them.

5. Face Images in Your Photos

Photos you upload typically contain your face. We process them only to generate the portrait outputs you request. We do not use facial recognition to identify you, we do not match your face against any other database, and we do not share your photos with advertisers or data brokers.

6. Photo Retention

  • Uploaded (input) photos — deleted shortly after generation completes, or sooner on request. We do not keep input photos long-term.
  • Generated (output) images — retained while your account is active so you can re-download them, and deleted after you close your account.
  • Account and billing records — retained while your account is active. Billing records may be kept longer where required by applicable tax or accounting law.

You can request deletion of specific images, your account, or all of your data at any time by emailing hello@lumora.ai.

7. Third-Party Services We Use

To run Lumora, we rely on a small set of trusted processors. Each receives only the data they need for their function, governed by their own privacy terms:

  • Stripe — payment processing (card data, billing details)
  • Polar.sh — purchase and receipt management
  • Amazon Web Services (S3) — temporary storage of input photos and hosting of generated outputs
  • Black Forest Labs and Replicate — AI image generation (inference only, no training on your data)
  • Google — optional sign-in via Google OAuth; website analytics via Google Analytics
  • Our email delivery provider — to send transactional emails such as receipts and account notifications

8. Payment Data

All payments are processed by Stripe. Your full card number, CVC, and expiration date are submitted directly to Stripe and never stored on Lumora servers. Stripe is a PCI-DSS Level 1 certified payment provider. We receive only limited, non-sensitive confirmation data such as the last four digits, card brand, and billing country.

9. International Data Transfers

Some of our service providers (for example Stripe, AWS, Google, Black Forest Labs, and Replicate) are established in the United States or other countries outside your own. When personal data is transferred internationally, we rely on the safeguards those providers have in place — most commonly the European Commission's Standard Contractual Clauses (SCCs) — to maintain an appropriate level of protection.

10. Cookies & Tracking

We use a small number of cookies and similar technologies:

  • Strictly necessary — session and authentication cookies required to keep you signed in; these cannot be disabled
  • Analytics — Google Analytics, to understand how the Service is used and improve it; you can opt out via your browser or cookie-banner settings
  • Preferences — to remember choices such as UI theme or language

You can clear or block cookies through your browser settings; disabling strictly-necessary cookies may break parts of the Service.

11. Data Security

We apply reasonable technical and organizational measures to protect your data, including encryption in transit (TLS), encryption at rest for stored files, hashed passwords, least-privilege access controls, and scoped API keys for third-party services. No system is perfectly secure, but we take our responsibilities seriously and build with security in mind.

12. Automated Decision-Making

Lumora uses AI to generate images, but we do not make decisions about you based solely on automated processing that produce legal or similarly significant effects (for example, denying service or pricing differently). The AI only generates the visual output you requested.

13. Your Rights

Depending on where you live, you may have some or all of the following rights in relation to your personal data:

  • Access a copy of the data we hold about you
  • Correct data that is inaccurate or out of date
  • Delete your data ("right to be forgotten")
  • Restrict or object to certain processing
  • Withdraw consent you previously gave
  • Receive your data in a portable, machine-readable format
  • Lodge a complaint with your local data protection authority

To exercise any of these rights, email hello@lumora.ai. We will respond within one month; for complex requests we may extend this by a further two months and let you know.

14. California Residents

If you are a California resident, the CCPA gives you the right to know what personal information we collect about you, to request deletion, and to opt out of the "sale" or "sharing" of your personal information. We do not sell or share personal information as those terms are defined under California law, and we will not discriminate against you for exercising any of your privacy rights.

15. Children's Privacy

Lumora is not intended for anyone under 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact us and we will delete it.

16. Data Breach Notification

If we become aware of a data breach affecting your personal data, we will notify you and, where legally required, the relevant supervisory authority, without undue delay.

17. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced on this page and, where appropriate, by email. The "Last updated" date at the top always reflects the current version.

18. Contact

Questions or privacy requests? Email us at hello@lumora.ai.