Privacy Policy
Last updated: June 1, 2026
Luminous is built around a simple promise: collect the minimum data needed to run the product, never sell it, and give you full control. This policy explains what we collect, why, and the rights you may have under Canadian privacy law, GDPR, UK GDPR, California privacy law, and similar laws.
1. Who is the data controller
Luminous Labs (“Luminous”) is the controller of personal data processed via this Service. You can reach our privacy team at desilvayalina@gmail.com.
2. What we collect & why
- Account data — email, name, and authentication identifiers. Used to create and secure your account. Legal basis: contract.
- Onboarding & dashboard data — role, experience, skills, goals, milestones, and quiz answers. Used to personalise insights, roadmap, and progress reports. Legal basis: contract.
- Resume uploads and parsed resume content — files, extracted text, structured resume data, skills, education, projects, work history, and related metadata. Used to provide resume analysis, dashboard persistence, and AI advisor context. Legal basis: contract.
- AI advisor prompts — the questions you ask and the responses generated, which may include selected resume context when you ask resume-related questions. Used to deliver the feature, preserve chat history where enabled, and improve quality and safety. Legal basis: contract / legitimate interest.
- Contact messages — name, email, company, message text, and submission timestamp. Used to respond to requests and route founder notifications. Legal basis: legitimate interest / consent.
- Community content — posts, comments, and likes you publish. Visible to other authenticated users. Legal basis: contract.
- Billing data — processed by Stripe. We store subscription status and Stripe customer/subscription references; Stripe stores and processes payment card details off-site. Legal basis: contract / legal obligation.
- Technical & usage data — IP address, device, browser, pages viewed. Used for security, abuse prevention, and aggregated analytics. Legal basis: legitimate interest.
- Cookies & similar technologies — see “Cookies” below.
3. What we never do
We never sell your personal data. We never share your activity with your employer, even on Enterprise plans. We never use your private content, including resumes, parsed resume content, prompts, milestones, or contact messages, to train third-party AI models.
4. Payments and PCI scope
Financial transactions are handled by Stripe. Luminous does not directly collect, store, or process full payment card numbers, CVV codes, or bank account credentials on our own servers. Stripe receives payment information through its hosted or embedded checkout infrastructure and is responsible for its own PCI-DSS compliance obligations. We store only the limited billing records needed to operate subscriptions, verify account status, prevent fraud, and meet accounting or legal requirements.
5. Sub-processors
We rely on a small set of vetted providers, each under a Data Processing Agreement:
- Supabase — database, authentication, file storage (EU region).
- Stripe — payments and billing.
- Google / OpenAI / Anthropic — LLM inference for the AI advisor (no training on your data).
- Resend — transactional email (login, weekly progress reports).
6. International transfers
Where data is transferred outside the EEA / UK, we rely on Standard Contractual Clauses and equivalent safeguards.
7. How long we keep it
We retain account and usage data for as long as your account is active. When you delete your account we erase your personal data within 30 days, except where retention is required by law (e.g. invoices for tax purposes — up to 7 years). Backups are rotated within 90 days.
8. Your rights
Depending on where you live, you may have the right to access, correct, delete, export, restrict, or object to certain processing of your personal data. You can also withdraw consent where consent is the processing basis. To request deletion of your account, resumes, parsed resume content, contact messages, or AI prompt history, email desilvayalina@gmail.com. We will verify the request, respond within a reasonable period required by applicable law, and delete data unless we must retain limited records for security, fraud prevention, tax, accounting, or legal reasons. You may also lodge a complaint with your local privacy regulator.
9. Cookies
We use cookies and similar technologies in three categories:
- Strictly necessary — authentication session, CSRF protection, cookie-consent preference. Always on; required to deliver the Service.
- Analytics — first-party, privacy-preserving analytics (page views, feature usage). Loaded only after you accept.
- Marketing — conversion tracking on the marketing site only. Loaded only after you accept.
10. Security
Personal data is encrypted in transit using TLS, and production storage is protected with provider-managed encryption at rest where available. Access to production data is limited to a small number of authorised operators under role-based controls. While no online service can guarantee absolute security, we use reasonable technical and organisational safeguards and will notify affected users and relevant authorities of qualifying personal-data breaches where required by applicable law.
11. Children
Luminous is not intended for children under 16 and we do not knowingly collect their data. If you believe a child has provided us with data, contact us and we'll delete it.
12. Changes to this policy
We'll post material updates here and notify you by email at least 14 days before they take effect.
13. Contact and legal inquiries
Questions, privacy requests, dispute notices, legal complaints, or legal inquiries must be sent to desilvayalina@gmail.com. See also our Terms of Service.