Legal

Privacy Policy

Last updated: May 19, 2026 · Effective immediately

Short version: We collect your email for authentication and track credit usage so billing works. We don't sell your data. We don't store your page content or chat history — those stay in your browser.

1. Who we are

Lumen AI ("we", "us", "our") operates the Lumen Chrome extension and the website at uselumen.com. We are based in the Czech Republic.

Contact: support@uselumen.com

2. What we collect

Account data

Email address — used for authentication (via Google Firebase Auth) and account recovery
User ID — a unique identifier assigned at registration
Authentication tokens — short-lived JWTs stored locally in your browser to authenticate API requests

Usage data

Credit balance and transactions — stored in our database to enforce plan limits and process billing
Subscription status — plan type (Free/Starter/Pro/Max), subscription ID from Stripe
Device identifier — a random ID generated by the extension on first install, used to enforce the 1-device-per-account policy. Stored in chrome.storage.local, never shared.

What we do NOT collect

Chat messages or conversation history — these stay in chrome.storage.local on your device only
Page content, source code, or DOM elements you send as context — these are forwarded directly to the AI provider for that single request and immediately discarded
Browsing history or URLs you visit
Keystroke data or form inputs

3. How we use your data

To authenticate you and serve your requests
To track credit usage and enforce plan limits
To process payments and manage subscriptions via Stripe
To send transactional emails (receipts, password reset) — no marketing without opt-in
To investigate abuse or violations of our Terms of Service

4. Third-party services

We use the following third-party services that may process your data:

Google Firebase Auth — handles authentication. Firebase Privacy Policy
Stripe — handles payment processing. We never see your card details. Stripe Privacy Policy
Google Gemini API — AI model provider. Requests include only the message you send + any context you explicitly attach. Gemini API Terms
OpenAI API — AI model provider for GPT-4o and o4-mini. OpenAI Privacy Policy
Cloudflare — hosts our API worker and website. Cloudflare Privacy Policy

5. Data retention

Account data: retained as long as your account is active. Deleted within 30 days of account deletion request.
Credit transaction logs: retained for 12 months for billing dispute resolution.
Chat history: never stored on our servers — exists only in your browser and is deleted when you clear it.

6. Your rights (GDPR)

If you are in the EU/EEA, you have the right to:

Access the personal data we hold about you
Correct inaccurate data
Request deletion of your account and associated data
Export your data in a machine-readable format
Object to processing or restrict processing

To exercise any of these rights, email support@uselumen.com. We will respond within 30 days.

7. Cookies

Our website uses no tracking cookies. We use localStorage solely to remember your auth token. We do not use advertising cookies or third-party analytics.

8. Security

API requests are authenticated with short-lived JWTs (1-hour expiry). API keys for AI providers are stored as encrypted secrets in Cloudflare Workers — they are never exposed to clients. All traffic is HTTPS.

9. Children

Lumen is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe we have, contact us immediately.

10. Changes to this policy

We will notify registered users of material changes by email at least 14 days before they take effect. The "last updated" date at the top of this page will always reflect the current version.

11. Contact

Questions about this policy: support@uselumen.com