Lume

Privacy Policy

Last updated: 2026-05-24.

The short version

We collect the minimum we need to make the app work: your account (Google or Apple), the shows / movies / people / franchises you follow, the friendships you create, and the comments and ratings you post. We do not sell or share your personal information with advertisers and we do not run third-party analytics.

Who runs Lume

Lume is operated by RKServicesPDX (Portland, Oregon, United States), reachable at contact@app-lume.com. For privacy questions, write to the same address with subject "Privacy request."

What we collect

Stored only on your device

These never leave your device unless you uninstall and reinstall:

What we do NOT collect

Why we process this data (legal bases)

For users in the EU/UK, we rely on the following legal bases under GDPR Article 6:

Where your data lives

On a Postgres database operated by Supabase Inc. in the United States. Access is gated by Postgres row-level-security policies — your private rows are only visible to you (and, for some rows, to your accepted friends). Avatar images are stored in Supabase Storage with the same access controls.

International transfers. If you are in the EU, UK, or another jurisdiction with cross-border transfer rules, your data is transferred to the United States. Supabase Inc. is our data processor under EU Standard Contractual Clauses (SCCs) and the equivalent UK IDTA; TMDB receives only the title strings and years from your imports for the purpose of matching to their catalog.

Sub-processors

Third-party metadata

We fetch show / movie / person metadata from TMDB. This product uses the TMDB API but is not endorsed or certified by TMDB.

Retention

Your rights

Regardless of where you live, you have the following rights and can exercise them at any time:

California residents (CCPA / CPRA)

Under California law, you have the rights to know, delete, correct, and non-discrimination listed above. The categories of personal information we collect map to: identifiers (account ID, email, push token), internet or other electronic activity (follows, ratings, comments, notification interactions), and inferences (recommendations from friends). We collect for the purposes described above (account operation, alert delivery, friendships, diagnostics).

We do not sell or share your personal information as defined by California law, and have not done so in the preceding 12 months. We do not knowingly process the personal information of California residents under 16 for purposes of cross-context behavioral advertising or sale.

Children

Lume requires you to confirm you are at least 13 (16 in the EEA, per local age-of-consent rules) at sign-up, and accounts that fail this age check are not created. We do not knowingly collect data from anyone under these ages. If you believe a minor has created an account, email us and we will remove it.

Security

Data in transit is encrypted with TLS 1.2+. Data at rest in Supabase uses standard managed-Postgres encryption. Authentication is handled by Apple Sign In or Google Sign-In — we never see or store your password. Avatar and contact-hash data are protected by Postgres row-level security policies that restrict access to the owner (and, where applicable, accepted friends).

Breach notification

In the event of a personal data breach affecting your data, we will notify you without undue delay and within 72 hours where required by GDPR Article 34. Notice will go to the email address on your account and, if material, will also be posted on this page.

Changes to this policy

If we materially change this policy, we will update the "Last updated" date and (for material changes) post a notice in the app on next launch. Continued use after a change constitutes acceptance of the updated policy.

Your rights — quick reference

You always have the right to:

Contact

Questions about privacy? Email contact@app-lume.com with subject "Privacy request."