Privacy Policy
We take the protection of your personal data seriously. This Privacy Policy explains what data we collect, how we use it and what rights you have as a data subject. It applies to the Lumi app and this website.
1. Data controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
[YOUR FULL NAME]
[STREET AND HOUSE NUMBER]
[POSTCODE CITY]
Germany
Email: [YOUR_EMAIL]
2. Data collected and purposes of processing
2.1 User account and authentication
Using the app requires registration with an email address and password. This data is processed for account management and authentication purposes.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
2.2 Children's profiles
Users may create optional profiles for their children (name, age). This data is used solely to organise animations within the app. It is not shared with third parties.
Legal basis: Art. 6(1)(b) GDPR; for data of minors, Art. 6(1)(a) GDPR (consent of the parent or guardian)
Note on children's data: Lumi is designed for parents and guardians. We do not process personal data of children without the consent of a parent or guardian. Children's names and ages are never transmitted to AI services.
2.3 Uploaded drawings and generated content
Photographs of children's drawings are transmitted to our AI service providers after upload (see section 5). The original drawing, generated image and video are stored on our cloud storage so you can access them at any time.
Legal basis: Art. 6(1)(b) GDPR
2.4 Credits and purchases
Payment data is processed exclusively via the Apple App Store or Google Play Store. We do not receive complete payment information from these platforms — only a confirmation of a successful transaction.
Legal basis: Art. 6(1)(b) GDPR
2.5 App usage data
To improve the app, anonymised crash reports and technical usage data may be collected. Individual users cannot be identified from this data.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
3. Retention periods
| Data type | Retention period |
|---|---|
| User account and email address | Until the account is deleted by the user or on request; at most 3 years after last activity |
| Children's profiles | Until deleted by the user or until the account is deleted |
| Uploaded drawings | Until deleted by the user or until the account is deleted |
| Generated images and videos | Until deleted by the user or until the account is deleted |
| Transaction data | 10 years (statutory retention obligation under § 147 AO / § 257 HGB) |
4. Cookies and local storage
The Lumi app uses only technically necessary local storage (AsyncStorage) for session management (e.g. login status, settings). No tracking cookies are used.
This website does not use tracking cookies. Technically necessary cookies may be set for basic functionality only.
5. Third-party providers and data transfers
We use the following service providers to operate the app:
| Service | Purpose | Location / Legal basis |
|---|---|---|
| Supabase | Database, authentication, user accounts | USA · EU Standard Contractual Clauses (SCCs) |
| Cloudflare R2 | Cloud storage of images and videos | USA/EU · EU Standard Contractual Clauses (SCCs) |
| OpenAI (GPT-image-1) | AI-based image generation from drawings | USA · SCCs; data not used for model training per OpenAI API policy |
| fal.ai (Kling Video) | AI-based video animation | USA · EU Standard Contractual Clauses (SCCs) |
For transfers to third countries (in particular the USA) we ensure an adequate level of data protection through EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.
6. Data security
All data transfers are encrypted via TLS/HTTPS. Access to user data is restricted to authorised personnel. We use Row-Level Security in our database so that users can only access their own data.
7. Your rights as a data subject
Under the GDPR you have the following rights:
- Access (Art. 15 GDPR): Information about what data we hold about you.
- Rectification (Art. 16 GDPR): Correction of inaccurate personal data.
- Erasure (Art. 17 GDPR): Deletion of your data where no statutory retention obligation applies. You can delete your account and all associated data directly in the app.
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR): Receipt of your data in a structured, machine-readable format.
- Objection (Art. 21 GDPR): Objection to processing based on legitimate interests.
- Withdrawal of consent: Consent can be withdrawn at any time with effect for the future.
To exercise your rights, please contact us by email: [YOUR_EMAIL]
You also have the right to lodge a complaint with a supervisory authority. The competent authority for your federal state can be found on the website of the Federal Commissioner for Data Protection and Freedom of Information (BfDI).
8. Changes to this Privacy Policy
We reserve the right to update this Privacy Policy when the app changes or the legal framework is amended. The current version is always available on this page and within the app. We will notify you of material changes by email or in-app notification.
Last updated: March 2026