Privacy Policy
Last updated: 2026-05-24.
The short version
We collect the minimum we need to make the app work: your account (Google or Apple), the shows / movies / people / franchises you follow, the friendships you create, and the comments and ratings you post. We do not sell or share your personal information with advertisers and we do not run third-party analytics.
Who runs Lume
Lume is operated by RKServicesPDX (Portland, Oregon, United States), reachable at contact@app-lume.com. For privacy questions, write to the same address with subject "Privacy request."
What we collect
- Account info.When you sign in with Apple or Google, we receive an opaque user ID and (unless you use Apple's private email relay) an email address.
- Profile you create. Username, optional display name, avatar (uploaded only when you pick one — we ask for photo-library access only at that moment, and only read the file you select), bio, timezone, and your alert preferences.
- Your follows + watch state.Which shows / movies / people / franchises you follow, which you've marked watched, the ratings you assign, and any per-show alert overrides.
- Friends + recommendations. Friendships you create, recommendations you send, and the comments you post on entity pages.
- Contacts (optional, opt-in). If you tap Find friends from contacts, Lume reads your address book on your device, computes a one-way SHA-256 hash of each contact's email, and sends only the hashes to our server to match against existing Lume members. Raw contact data never leaves your device. You can deny this permission at any time in your OS settings; the feature is fully optional and the rest of the app works without it.
- Device push tokens + metadata. Token, platform (iOS/Android), app version, and last-seen timestamp so we can deliver the alerts you asked for and retire dead tokens.
- Watchlist imports. When you import a CSV from Letterboxd, Trakt, or another source, we read the file locally on your device, send each title (and year, if present) to TMDB through our edge functions to find a match, and store the resulting follows. The raw CSV file is never uploaded to our servers.
- Calendar export tokens (opt-in). If you enable calendar export, we generate a per-user secret token that authorises your private ICS feed. Revoke at any time in Settings.
- Crash + error diagnostics. When a part of the app fails, we record the error message, stack trace, the area of the app where it happened, the platform (iOS/Android), and the app version into a private diagnostics table. We never include the contents of what you were viewing or typing.
Stored only on your device
These never leave your device unless you uninstall and reinstall:
- Recent search queries.
- Dismissed recommendations.
- Theme preference (auto / light / dark) and accent palette.
- Onboarding-tour completion flag.
- Rating-prompt timestamps.
- The sticky-unmute preference for the Trails tab.
What we do NOT collect
- Precise location data.
- Advertising or cross-app tracking identifiers (no IDFA, no GAID).
- Third-party analytics SDKs.
- Biometric data, fingerprints, or face data.
- Health, financial, or government-ID information.
Why we process this data (legal bases)
For users in the EU/UK, we rely on the following legal bases under GDPR Article 6:
- Contract. Operating your account, storing your follows and friendships, and delivering the alerts you signed up for.
- Consent. Push notifications, contact matching, calendar export, and any other opt-in feature you enable. Revocable at any time in app settings or the OS permission panel.
- Legitimate interest. Security, abuse prevention, spam filtering, and crash diagnostics — all narrowly scoped and balanced against your rights.
Where your data lives
On a Postgres database operated by Supabase Inc. in the United States. Access is gated by Postgres row-level-security policies — your private rows are only visible to you (and, for some rows, to your accepted friends). Avatar images are stored in Supabase Storage with the same access controls.
International transfers. If you are in the EU, UK, or another jurisdiction with cross-border transfer rules, your data is transferred to the United States. Supabase Inc. is our data processor under EU Standard Contractual Clauses (SCCs) and the equivalent UK IDTA; TMDB receives only the title strings and years from your imports for the purpose of matching to their catalog.
Sub-processors
- Supabase Inc. — Postgres database, edge functions, file storage, authentication, push token delivery.
- Apple / Google. — sign-in providers; we never see your password and never receive your Apple ID or Google account beyond an opaque user ID and (unless private-relay) an email address.
- Apple Push Notification service / Firebase Cloud Messaging. — message delivery for the push notifications you enabled.
- TMDB. — show/movie/person metadata; receives only title strings and IDs, never your account info.
- Vercel Inc. — marketing site hosting, CDN.
- Sentry (Functional Software, Inc.). — error and crash diagnostics (United States); receives stack traces and diagnostic context with personal data redacted before transmission.
- RevenueCat, Inc. — subscription and billing management for Lume Plus; receives purchase events and device identifiers. This applies only once Lume Plus is available, and we will update this notice before that feature ships.
Third-party metadata
We fetch show / movie / person metadata from TMDB. This product uses the TMDB API but is not endorsed or certified by TMDB.
Retention
- Account data, follows, friendships, recommendations, comments, ratings: kept while your account exists; deleted within 30 days of you deleting your account.
- Crash + error diagnostics: 30 days, then automatically purged.
- Push tokens: removed when invalidated by APNs/FCM, on sign-out, or after 60 days of inactivity.
- Backups:Supabase's standard backup window (typically 7 days). Deleted-account data may persist in backups for up to that window.
Your rights
Regardless of where you live, you have the following rights and can exercise them at any time:
- Access / download. Settings → Account → Download my data. We generate a JSON export covering your account, follows, friendships, recommendations, comments, and ratings.
- Rectification. Edit your profile (display name, bio, avatar, privacy radio) in Settings → Edit profile.
- Erasure. Settings → Account → Delete my account. Cascades through follows, friendships, recommendations, comments, ratings, blocks, push tokens, and avatar storage.
- Restrict processing / object. Email contact@app-lume.com with the words "Restrict processing" or "Object to processing" and a brief reason; we'll honor it within 30 days.
- Portability. The JSON export above is your portable copy.
- Withdraw consent. Revoke push permissions, contact matching, or calendar export at any time in app settings or the OS permission panel.
- Lodge a complaint. EU users may complain to their national data protection authority; UK users to the ICO.
California residents (CCPA / CPRA)
Under California law, you have the rights to know, delete, correct, and non-discrimination listed above. The categories of personal information we collect map to: identifiers (account ID, email, push token), internet or other electronic activity (follows, ratings, comments, notification interactions), and inferences (recommendations from friends). We collect for the purposes described above (account operation, alert delivery, friendships, diagnostics).
We do not sell or share your personal information as defined by California law, and have not done so in the preceding 12 months. We do not knowingly process the personal information of California residents under 16 for purposes of cross-context behavioral advertising or sale.
Children
Lume requires you to confirm you are at least 13 (16 in the EEA, per local age-of-consent rules) at sign-up, and accounts that fail this age check are not created. We do not knowingly collect data from anyone under these ages. If you believe a minor has created an account, email us and we will remove it.
Security
Data in transit is encrypted with TLS 1.2+. Data at rest in Supabase uses standard managed-Postgres encryption. Authentication is handled by Apple Sign In or Google Sign-In — we never see or store your password. Avatar and contact-hash data are protected by Postgres row-level security policies that restrict access to the owner (and, where applicable, accepted friends).
Breach notification
In the event of a personal data breach affecting your data, we will notify you without undue delay and within 72 hours where required by GDPR Article 34. Notice will go to the email address on your account and, if material, will also be posted on this page.
Changes to this policy
If we materially change this policy, we will update the "Last updated" date and (for material changes) post a notice in the app on next launch. Continued use after a change constitutes acceptance of the updated policy.
Your rights — quick reference
You always have the right to:
- Delete your account and all data — runs inside the app or via email; covered in detail on its own page.
- Opt out of any sale or sharingof your personal information — required by California's CCPA / CPRA. Lume doesn't sell or share by default, but the formal opt-out path is documented for compliance.
- Request a copy of the data we hold about you (email us).
- Correct inaccurate information we hold (email us).
Contact
Questions about privacy? Email contact@app-lume.com with subject "Privacy request."