Privacy Policy
Last updated: June 19, 2026
At Lumy ("we", "us", "our"), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and website (collectively, the "Service").
1. Data Controller
Lumy (the "Service") is operated by its sole developer, based in the Republic of Moldova, who acts as the data controller for the personal data processed through the Service. To protect the operator's privacy, we do not publish a personal postal address here; we will provide the operator's full identity and registered contact details on request where required for data-protection purposes. For any privacy question, or to exercise your rights, contact us at [email protected].
2. Information We Collect
Information you provide
- Account information: your name and email address, provided when you create an account.
- Financial data: expenses, budgets, savings goals, and other financial information you enter into the app. This data is stored on your device and synced only if you opt in.
- Contact information: when you reach out via our contact form or email.
Information collected automatically
- Device type, operating system, and app version.
- Usage data such as features used, session duration, and crash reports.
- IP address and approximate location (country-level only).
3. Camera & Photo Library
Lumy's receipt-scanning feature (available with Pro) needs access to your camera and/or photo library so you can capture or select a receipt image. These images are used only to extract transaction details such as the amount, date, and merchant. The photo is stored locally on your device and is sent to our AI provider solely to perform that extraction — never for advertising or any unrelated purpose. You can grant or revoke camera and photo-library access at any time in your device settings.
4. How We Use Your Information
- To provide and maintain the Service.
- To personalize your experience and deliver AI-powered insights.
- To process your transactions and manage your account.
- To communicate with you about updates, security alerts, and support.
- To improve our app based on aggregated, anonymized usage patterns.
5. Automated Decision-Making & AI
Lumy uses automated processing to suggest categories and to generate budget insights, anomaly alerts, and predictions. These features are informational only and do not produce legal effects or similarly significant effects concerning you within the meaning of Article 22 of the GDPR. You always remain in control: you can edit categories and ignore or disable AI suggestions at any time. We do not use automated processing to make decisions about your creditworthiness or eligibility.
6. Data Storage & Security
Lumy is designed with a privacy-first, offline-first architecture. Your financial data is stored locally on your device by default. If you enable cloud sync, data is encrypted in transit and at rest by our infrastructure provider (Supabase Inc.).
We do not sell, trade, or rent your personal information to third parties. We do not connect to your bank accounts or access your banking credentials.
7. Data Stored on Your Device
Lumy is offline-first. Your transactions, budgets, savings goals, AI chat history, and receipt photos are stored locally on your device. This local data stays on your device until you delete it within the app or uninstall Lumy, which removes all locally stored data. If you enable cloud sync, a copy is also stored with our infrastructure provider as described in this Policy.
8. Family Sharing
If you use the family sharing feature, financial data is shared only with family members you explicitly invite. Each family member controls their own data visibility settings.
9. Service Providers (Processors)
We use the following service providers (processors) to operate Lumy. Each processes only the data necessary to deliver their service and is bound by a Data Processing Agreement.
- Supabase Inc.: database, authentication, and edge functions. Hosted in the United States. Acts as a processor; data is processed under Standard Contractual Clauses. See https://supabase.com/privacy.
- RevenueCat Inc.: subscription and in-app purchase management. See https://www.revenuecat.com/privacy.
- Groq Inc.: AI inference (primary). Used to power conversational and analytical features. See https://groq.com/privacy-policy.
- OpenRouter: AI inference (fallback). See https://openrouter.ai/privacy.
- Apple Inc. & Google LLC: payments and sign-in providers. Each has its own privacy policy.
- PostHog Inc.: product analytics, pageview tracking, and session replay (with all form inputs masked). Used only on the marketing website, not inside the mobile app. Hosted in the United States. See https://posthog.com/privacy.
These services have their own privacy policies. We encourage you to review them.
10. AI Processing & Model Training
When you use an AI feature, the inputs needed to answer your request (such as your question and the relevant transactions) are sent to our AI inference providers — Groq Inc., with OpenRouter as a fallback — to generate a response. We do not sell your data, and we do not use your personal or financial data to train AI models. Our AI providers process your inputs only to return the response and, under their API terms, do not use those inputs to train their models. We do not retain your AI inputs beyond what is necessary to deliver the feature.
11. International Data Transfers
Lumy uses service providers located in the United States, including Supabase Inc. (our database and infrastructure provider). When you use Lumy from the European Economic Area, the United Kingdom, or Switzerland, your personal data is transferred to and stored in the United States.
We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for these transfers, as incorporated in our Data Processing Addendum with Supabase Inc. The UK addendum to the SCCs, approved by the UK Information Commissioner's Office, applies to transfers from the United Kingdom.
You may request a copy of the SCCs that apply to your data by emailing [email protected]. We will respond within 30 days.
12. Data Retention
We keep your personal data only for as long as necessary to provide the Service. Account details and synced financial data are retained until you delete them or close your account. When you delete your account, we remove your data from our active systems within 30 days and from encrypted backups within 90 days. Data stored only on your device is removed when you uninstall the app. Aggregated, anonymized analytics that can no longer identify you may be kept indefinitely. We may retain limited records for longer where the law requires it (for example, for tax or accounting purposes).
13. Your Rights
You have the right to:
- Access, update, or delete your personal data at any time.
- Export your data in a standard format.
- Adjust your browser's Do Not Track signal — we honor it for analytics.
- Request a copy of all data we hold about you.
- Withdraw your consent at any time where our processing is based on consent; this does not affect the lawfulness of processing carried out before the withdrawal.
- Object to or request restriction of certain processing, and lodge a complaint with your local data protection authority.
14. California Privacy Rights (CPRA)
If you are a California resident, the California Privacy Rights Act (CPRA) gives you the right to know what personal information we collect and how it is used, to access and delete it, to correct inaccurate information, and to opt out of the sale or sharing of personal information. Lumy does not sell or share your personal information as those terms are defined under the CPRA, and we do not use or disclose sensitive personal information beyond the purposes the CPRA permits. We will not discriminate against you for exercising your rights. To make a request, contact us at [email protected].
15. Children's Privacy
Our Service is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us so we can remove it.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of changes by posting the new policy on this page and updating the "Last updated" date. Continued use of the Service after changes constitutes acceptance.
17. Contact Us
If you have questions about this Privacy Policy, please contact us at [email protected].