
Privacy Policy

Last updated: 10 March 2026

1. Introduction

Luminar Works ("we", "us", "our") operates Luminar Forge, an AI-powered content management platform. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service, in compliance with the General Data Protection Regulation (GDPR), the South African Protection of Personal Information Act (POPIA), and other applicable privacy laws.

2. Data Controller

Luminar Works is the data controller for personal data processed through the Service. For questions about data processing, contact our data protection contact at hello@luminarworks.com.

3. Data We Collect

3.1 Account Data

When you create an account, we collect:

  • Email address
  • Display name
  • Authentication credentials (hashed passwords, OAuth tokens)
  • Tenant and workspace membership information

3.2 Content Data

When you use the Service, we store:

  • Content you create (calendar cards, prompts, wiki articles, brand assets)
  • AI-generated content and generation logs
  • Voice DNA profiles and brand settings
  • Uploaded files and images

3.3 Usage Data

We automatically collect:

  • Feature usage metrics (generation counts, storage usage)
  • Error logs and performance data (via Sentry)
  • Authentication events (login timestamps, IP addresses for security)

3.4 Payment Data

Payment processing is handled by Paddle, our Merchant of Record. We do not store credit card numbers, bank account details, or other payment instrument data. Paddle processes payments as an independent data controller under their own Privacy Policy.

4. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

  • Contract performance: Processing necessary to provide the Service you subscribed to (account management, content storage, AI generation)
  • Legitimate interests: Security monitoring, fraud prevention, service improvement, error tracking
  • Consent: Marketing communications (opt-in only), non-essential cookies on the marketing site
  • Legal obligation: Tax records retention, compliance with law enforcement requests

5. How We Use Your Data

  • Provide and maintain the Service
  • Process AI content generation requests
  • Enforce usage limits and subscription tier features
  • Send transactional emails (account confirmation, password reset, usage warnings)
  • Monitor and improve Service reliability and security
  • Detect and prevent fraud, abuse, and security incidents

6. AI Processing

When you use the AI writing pipeline, your content briefs and brand voice data are sent to third-party AI providers (Anthropic, Google) for processing. This data is:

  • Transmitted over encrypted connections (TLS 1.2+)
  • Not used by AI providers to train their models (per their enterprise terms)
  • Not retained by AI providers beyond the request lifecycle

Enterprise customers using BYO API keys interact directly with AI providers under their own agreements.

7. Data Sharing

We share personal data only with:

  • Supabase: Database hosting and authentication (data processor)
  • Paddle: Payment processing (independent data controller)
  • Anthropic & Google: AI model providers for content generation (data processors)
  • Sentry: Error monitoring (data processor)
  • Cloudflare: CDN, DDoS protection, and WAF (data processor)
  • Render: API hosting (data processor)
  • Vercel: Frontend hosting (data processor)
  • Resend: Transactional email delivery (data processor)

All data processors are bound by Data Processing Agreements (DPAs). We do not sell personal data to third parties.

8. Data Security

We implement comprehensive security measures:

  • Encryption in transit (TLS 1.2+) and at rest
  • API keys encrypted with AES-256-GCM, decrypted only in memory
  • Row-level security (RLS) for tenant data isolation
  • Multi-factor authentication for admin accounts
  • Rate limiting and DDoS protection via Cloudflare
  • Regular security audits and penetration testing

9. Data Retention

  • Account data: Retained while your account is active, deleted within 72 hours of account deletion (after grace period)
  • Content data: Retained while your account is active, included in data exports, deleted on account deletion
  • Usage logs: Retained for 90 days for operational purposes
  • Security logs: Retained for 12 months for incident investigation
  • Billing records: Retained for 7 years as required by tax law

10. Your Rights (GDPR & POPIA)

You have the right to:

  • Access: Request a copy of all personal data we hold about you
  • Rectification: Correct inaccurate personal data
  • Erasure: Request deletion of your account and associated data
  • Data portability: Export your data in a machine-readable format (ZIP)
  • Restriction: Request limitation of data processing
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Withdraw consent for optional processing at any time

To exercise these rights, use the account settings in the Service or contact hello@luminarworks.com. We will respond within 30 days (GDPR/POPIA).

11. Data Export and Account Deletion

Data export: You can request a full export of your tenant data (content cards, wiki, prompts, voice DNA, analytics, settings — API keys excluded) from your account settings. Exports are delivered as a ZIP file via email download link, auto-deleted after 48 hours. Limited to 1 export per 24 hours.

Account deletion: Account owners can initiate deletion from account settings. Deletion requires password confirmation and MFA (if enabled). There is a 72-hour grace period during which deletion can be cancelled. After the grace period, all data is permanently removed: database records and storage files are deleted, the Paddle subscription is cancelled, and the authentication record is deleted.

12. International Data Transfers

Your data may be processed in countries outside your country of residence, including the United States (Supabase, Anthropic, Vercel, Render) and the EU (Cloudflare). We ensure adequate protection through Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.

13. Cookies

Our marketing site uses minimal cookies. The authenticated application uses JWT-based sessions, not tracking cookies. See our Cookie Policy for details.

14. Children's Privacy

The Service is not directed to children under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us and we will delete it promptly.

15. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email at least 30 days before taking effect. The "Last updated" date at the top indicates the most recent revision.

16. Contact

For privacy-related enquiries or to exercise your data rights, contact:

Luminar Works
Email: hello@luminarworks.com

If you are unsatisfied with our response, you may lodge a complaint with your local data protection authority (e.g. the Information Regulator in South Africa, or your EU supervisory authority).


© 2026 Luminar Works. All rights reserved.