Privacy Policy

1.1 Information you provide

• Account information: Email address, name, and password (via Supabase Auth)
• Coaching profile: Coaching niche, target audience, transformation promise, tone preferences, primary platform, content pillars, coaching philosophy, and example posts
• Voice samples: Audio recordings uploaded for voice cloning (optional, biometric data)
• Uploaded images: Photos you provide for use in content visuals, along with consent timestamps recording when you confirmed your rights to use the images
• Narration preferences: Your selection for how frequently AI narration is applied to your posts (off, selected, AI-selected, or all social posts)
• Payment information: Processed by Stripe; we do not store credit card numbers directly
• Social account tokens: OAuth access tokens for connected social media accounts

1.2 Information generated through the Service

• Generated content: Social media posts, blog articles, and video scripts created by AI
• Voice narrations: Audio files generated from your voice clone
• Visual specifications: Design parameters, color palettes, and layout selections for your content
• Voice signature: Analyzed writing patterns (sentence length, tone intensity, emoji usage) derived from your example posts
• Gamification data: Activity streaks, points, badge levels, and achievement milestones tracked based on your content approval activity
• Marketing enrichment data: AI-generated hashtag strategies, caption variants, and engagement tips stored alongside your content
• Content ideas: AI-generated topic suggestions and brainstormed content ideas stored for your reference
• Consent records: Timestamps recording when you accepted the Terms of Service and Privacy Policy, and when you provided consent for specific features (voice cloning, image uploads)

1.3 Information collected automatically

• Usage data: Pages visited, features used, content approval/rejection patterns, and session duration
• Device information: Browser type, operating system, and screen resolution (for rendering optimization)
• Log data: IP address, access times, and referring URLs

1.4 Public data collected for trend analysis

• Publicly available fitness content metadata from social media platforms, including: platform, engagement rates, hashtag counts, post types, hook phrases (first sentence, max 100 characters), and visual style tags
• We never collect full captions, images, or personally identifiable information from public posts
• Maximum 300 posts per collection run

1.5 Draft sharing

When you share a draft via a public link, we collect: the share token and link metadata, any comments left by external viewers (including name and/or email if provided), and access logs for shared links.

• Content generation: Your coaching profile, content pillars, tone preferences, and coaching philosophy are used to generate personalized social posts, blog articles, and video scripts via Anthropic Claude
• Voice cloning: Your voice samples are processed by ElevenLabs to create a digital voice model for narrating your content
• Trend analysis: Public fitness content metadata is analyzed to identify trending topics, hook styles, and content formats that improve content recommendations
• Content publishing: Approved content is published to your connected social media accounts via Late API using your OAuth tokens
• Billing: Payment data is processed by Stripe for subscription management and billing
• Gamification: We track your content approval activity to calculate engagement streaks, award points, and assign badge levels to encourage consistent content creation
• Communications: Your email address is used by Resend to send transactional emails (content approval reminders, account notifications, billing receipts) and periodic digest emails (weekly performance summaries and content tips). You may opt out of digest emails at any time through your account settings or via the unsubscribe link in each email, without affecting transactional communications
• Visual design: Image search queries derived from your niche and content pillars are sent to Pexels to retrieve relevant stock photos for content visuals
• Service improvement: Aggregated and anonymized usage data may be used to improve the platform

We process your data under the following legal bases:

We share your data with the following third-party processors, each of which handles specific categories of data:

We maintain Data Processing Agreements (DPAs) with our key processors where required by applicable law. We select processors that maintain appropriate technical and organizational security measures.

Your data is primarily stored and processed in the United States via Supabase. If you are located outside the United States, your data will be transferred to the US for processing. We ensure appropriate safeguards for international data transfers, including:

• Standard Contractual Clauses (SCCs): For transfers from the EU/EEA, we rely on SCCs approved by the European Commission
• Adequacy decisions: Where applicable, we rely on adequacy decisions issued by relevant data protection authorities
• Supplementary measures: We implement additional technical measures including encryption in transit and at rest, access controls, and regular security assessments

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Rectification: Request correction of inaccurate or incomplete data
• Erasure: Request deletion of your personal data (subject to legal retention requirements)
• Data portability: Request your data in a structured, machine-readable format
• Restrict processing: Request that we limit how we use your data
• Object to processing: Object to processing based on legitimate interests
• Withdraw consent: Withdraw consent for processing that relies on consent (such as voice cloning) at any time, without affecting the lawfulness of processing before withdrawal
• Lodge a complaint: File a complaint with your local data protection authority
• Non-discrimination: You will not be discriminated against for exercising your privacy rights

You can exercise your data rights in the following ways:

• In-app settings: Update your coaching profile, disconnect social accounts, or delete your voice clone through your account settings
• Email: Send a request to support@lumae.coach with the subject line "Data Rights Request"

We will respond to all data rights requests within 30 days. We may need to verify your identity before processing certain requests. If we need additional time, we will notify you within the initial 30-day period.

Lumae is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected data from a child under 18, we will take steps to delete that information promptly. If you believe a child under 18 has provided us with personal data, please contact us at support@lumae.coach.

Lumae currently does not use cookies for advertising or third-party tracking purposes. We use only essential cookies and local storage required for the platform to function, including:

• Authentication session tokens (required for login)
• User preferences and settings (stored locally for UI functionality)

If we introduce analytics or marketing cookies in the future, we will update this policy and implement appropriate consent mechanisms in accordance with applicable laws, including the ePrivacy Directive for EU/EEA users.

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption in transit (TLS/HTTPS) for all data communications
• Encryption at rest for stored data in Supabase
• Secure storage of OAuth tokens and API credentials using encrypted database columns
• Row-level security (RLS) policies ensuring users can only access their own data
• Regular security assessments and updates to dependencies
• Access controls limiting employee access to production data

While we take reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. If you become aware of a security vulnerability, please contact us immediately at support@lumae.coach.

If you are located in the European Union or European Economic Area, the following additional provisions apply:

• Data controller: Lumae acts as the data controller for your personal data
• Legal bases: We process your data under the legal bases described in Section 3. For voice cloning (biometric data), we rely on your explicit consent as required by Article 9(2)(a) of the GDPR
• Data transfers: Transfers outside the EEA are conducted under Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) of the GDPR
• Data Protection Officer: For data protection inquiries, contact support@lumae.coach
• Supervisory authority: You have the right to lodge a complaint with your local Data Protection Authority
• Automated decision-making: AI content generation constitutes automated processing. You have the right to human review of AI-generated content before publication, which is built into the Lumae workflow (all content requires your approval before publishing). Additionally, if you select the "Let Lumae choose" narration preference, our system will automatically select posts for voice narration based on content suitability. You retain the ability to override these selections before approving any post

If you are a resident of the United Kingdom, your personal data is processed under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Your rights are equivalent to those described in the EU/EEA section (access, rectification, erasure, restriction, portability, objection, and the right to withdraw consent).

Supervisory authority: The supervisory authority for UK data subjects is the Information Commissioner's Office (ICO):

• Information Commissioner's Office
• Wycliffe House, Water Lane
• Wilmslow, Cheshire, SK9 5AF
• https://ico.org.uk

You can lodge a complaint with the ICO if you believe we have not handled your personal data in accordance with UK GDPR.

UK-EU data transfers: Following the UK's exit from the EU, the UK is treated as a "third country" for EU data transfers. The UK retains an adequacy decision with the EU as of the most recent review, meaning data transfers between the UK and EU may continue without additional safeguards.

Data controller: The data controller for UK data subjects is Central Orbit LTD, Company No. 12575445, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. Contact: support@lumae.coach.

If you are located in Brazil, the following additional provisions apply under the Lei Geral de Proteção de Dados (LGPD):

• Controller: Lumae is the controller (controlador) of your personal data
• Legal bases: We process your data based on: consent (voice cloning), contract execution (Service delivery), and legitimate interest (trend analysis and service improvement)
• Sensitive data: Voice samples are treated as sensitive personal data. Processing is based on your explicit, informed consent
• Your LGPD rights: You have the right to: confirmation of processing, access, correction, anonymization/blocking/deletion of unnecessary data, portability, deletion of consent-based data, information about shared data, information about consent denial consequences, and consent revocation
• International transfers: Your data is transferred to the United States. We ensure adequate protection through contractual safeguards as required by the LGPD
• ANPD complaints: You may file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD)

If you are located in Argentina, the following additional provisions apply under the Personal Data Protection Act (Ley 25.326 / PDPA):

• Registration: Our databases are subject to registration requirements with the Dirección Nacional de Protección de Datos Personales (DNPDP) where applicable
• Your rights: You have the right to access your personal data free of charge (at intervals of no less than six months), and to request rectification, updating, suppression, or confidentiality of your data
• Data quality: We ensure that personal data is accurate, complete, and up to date as required by the PDPA
• International transfers: Your data is transferred to the United States under contractual safeguards that provide adequate protection as required by Argentine law
• AAIP complaints: You may file a complaint with the Agencia de Acceso a la Información Pública (AAIP)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Categories of personal information collected

• Identifiers: Name, email address, IP address, account credentials
• Commercial information: Subscription tier, billing history, payment records
• Biometric information: Voice samples and voiceprint (only if you opt in to voice cloning)
• Internet activity: Usage data, pages visited, features used
• Professional information: Coaching niche, audience, content pillars, coaching philosophy
• Inferences: Writing style analysis, voice signature data

Your CCPA/CPRA rights

• Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you
• Right to delete: You may request deletion of your personal information, subject to certain exceptions
• Right to correct: You may request correction of inaccurate personal information
• Right to opt out of sale: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising
• Right to limit use of sensitive data: You may limit our use of sensitive personal information (such as voice biometric data) to purposes necessary to provide the Service
• Non-discrimination: We will not discriminate against you for exercising any of your CCPA rights

To exercise your California privacy rights, contact us at support@lumae.coach with the subject line "California Privacy Request." We will verify your identity and respond within 45 days.

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Notify you via email and/or a prominent notice within the Service
• For material changes affecting your rights, provide at least 30 days' notice before the changes take effect

We encourage you to review this policy periodically. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

• Email: support@lumae.coach
• Subject line: "Data Rights Request" or "Privacy Inquiry"
• Operator: Central Orbit LTD, a company registered in England and Wales (Company No. 12575445), with registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. Trading as Lumae.