Data Protection

Last updated: 28 March 2026

1. Our Commitment

Lumin is built on the principle that your data is yours. We collect only what is necessary to deliver precise KP astrology readings, we retain it for the shortest practical period, and we delete it completely when it is no longer needed.

This page provides a detailed overview of how your data is protected, who processes it, and what measures are in place to keep it secure. It complements our Privacy Policy, which covers the legal basis for processing and your rights.

2. Data We Process

We categorise your data into the following groups, each with distinct handling requirements:

Account Data

Email, display name, profile picture

Received from Google during sign-in. Used to identify your account and personalise the interface. Not shared with any third party beyond our authentication provider.

Birth Profile Data

Name, gender, date/time of birth, geographic coordinates, UTC offset, ayanamsa preference

Provided by you to generate KP charts. Birth coordinates are resolved from the location name you enter. This data is sent to our computation engine for astronomical calculations and to our intelligence layer for interpretation. It is not used for any other purpose.

Chat Data

Messages, session metadata, tool call results, visual blocks

Your conversations with Lumin are stored so you can revisit previous readings. Chat data is associated with your account and the active birth profile. Messages are processed by our intelligence layer to generate responses.

Diagnostic Data

Error logs, usage events (anonymised), performance metrics

Collected to maintain platform stability and improve reliability. Error logs may include request paths and stack traces but never include your birth data or message content. Usage events are anonymised and aggregated.

3. Data Retention Schedule

We follow a strict retention schedule. Data is automatically purged when it reaches the end of its retention period.

Data                              | Retention              | Trigger for Deletion
Account data                      | Active + 30 days       | Account deletion
Birth profiles                    | Active + 30 days       | Profile or account deletion
Chat sessions & messages          | 30 days from creation  | Automatic expiry or account deletion
Error logs                        | 90 days                | Automatic expiry
Usage statistics (anonymised)     | 12 months              | Automatic expiry

Key principle: We do not retain your personal data for longer than 30 days after you stop using the Service or delete your account. Chat sessions are automatically deleted 30 days after creation, regardless of account status.

4. Your Rights

Under the GDPR, CCPA/CPRA, UK GDPR, and other applicable data protection laws, you have the right to:

  • Access: Request a full export of all personal data we hold about you, delivered in a structured, machine-readable format (JSON).
  • Rectification: Correct any inaccurate personal data. You can edit your birth profiles directly through the app at any time.
  • Erasure: Request complete deletion of your data. You can delete your account through the app, which triggers removal of all associated data within 30 days.
  • Portability: Receive your data (birth profiles, chat history) in a portable format so you can transfer it to another service.
  • Restriction: Request that we pause processing of your data while a dispute or concern is resolved.
  • Objection: Object to processing based on legitimate interest. We will cease processing unless we have compelling grounds that override your interests.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any right, email contact@lumin.guru. We will respond within 30 days. No fee is charged for standard requests.

If you are in the EU/EEA/UK and believe your rights have been violated, you may lodge a complaint with your local data protection supervisory authority.

5. Security Measures

We implement layered technical and organisational safeguards to protect your data:

Encryption

  • All data in transit is encrypted using TLS 1.2+ (HTTPS)
  • Database storage is encrypted at rest by our hosting provider
  • Authentication tokens are signed with secure algorithms (JWT with Supabase)

Access Control

  • Row-Level Security (RLS) on all user data tables, ensuring you can only access your own data
  • Admin operations require separate authentication and are audit-logged
  • Timing-safe comparison for sensitive credentials to prevent timing attacks

Platform Hardening

  • Security headers: X-Frame-Options (DENY), X-Content-Type-Options (nosniff), strict Referrer-Policy
  • Rate limiting on all API endpoints to prevent abuse
  • Request body size limits (256KB agent, 64KB engine) to prevent resource exhaustion
  • CORS restrictions, ensuring only authorised origins can communicate with our APIs
  • Input validation with Zod schemas on all mutations

Operational Security

  • Graceful shutdown procedures on all services (no in-flight data loss)
  • Structured JSON logging with no sensitive data in production logs
  • Startup validation, so services fail fast if security-critical configuration is missing
  • Error sanitisation, so clients receive generic error messages, never raw stack traces

6. Data Processors

We work with a limited number of trusted service providers to operate Lumin. Each processor is bound by a Data Processing Agreement (DPA) and processes data only as instructed.

Processor          | Purpose                                  | Data Accessed
Supabase           | Authentication & database hosting        | Account data, profiles, chat sessions
LLM Provider       | Generating astrological interpretations  | Birth data & chat messages (not retained by provider)
Sentry             | Error tracking                           | Error context & stack traces (no birth data)
Hosting Provider   | Application hosting & delivery           | Access logs, IP addresses

None of our processors use your data for their own purposes, model training, or any activity beyond what is specified in their DPA. We regularly review processor compliance and update agreements as regulations evolve.

7. Data Breach Response

In the event of a personal data breach, we will:

  • Investigate and contain the breach as quickly as possible
  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR)
  • Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms
  • Document the breach, its effects, and the remedial actions taken
  • Review and improve our security measures to prevent recurrence

8. International Data Transfers

Some of our data processors operate in countries outside of your jurisdiction. When your data is transferred internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers outside the EU/EEA
  • UK International Data Transfer Agreement or UK Addendum to the SCCs for transfers outside the UK
  • Adequacy decisions where the destination country has been recognised as providing adequate data protection

You may request details about the specific safeguards applied to your data transfers by contacting us.

9. Future: Local-Run Packages

We are developing local-run packages that will allow you to perform KP calculations entirely on your own device, without sending any birth data to our servers. When available, these packages will offer the highest level of data protection by design, so your data never leaves your machine.

We will update this page with details on local-run data handling when these packages are released.

10. Regulatory Compliance

Lumin is designed to comply with the following data protection frameworks:

  • GDPR (EU General Data Protection Regulation)
  • UK GDPR (United Kingdom General Data Protection Regulation)
  • CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)
  • ePrivacy Directive (regarding cookies and electronic communications)

We do not sell personal information as defined under CCPA/CPRA. We do not engage in cross-context behavioural advertising. We do not process sensitive personal information for purposes beyond what is necessary to provide the Service.

11. Contact Us

For data protection enquiries, requests to exercise your rights, or to report a concern:

contact@lumin.guru

We aim to respond to all data protection requests within 30 days.