Privacy Policy
Last updated: March 26, 2026
Important
Luminaria Memo is not intended for storing Protected Health Information (PHI), patient records, clinical data, or other sensitive personal data of third parties. If you work in a regulated industry, please ensure any AI conversations you import do not contain identifiable third-party personal data. See Section 2a for details.
1. Data Controller
The data controller for Luminaria Memo is:
Stellari Studio S.R.L.
CUI 38758119
Dealului 3D, Toplița, Romania
Contact: doriana@luminaria.so
2. What Data We Collect
- Account data: email address and profile information from your authentication provider (GitHub, Google, or email).
- AI conversation content: session data that you upload or sync to the Service, including conversation messages, code snippets, and metadata from AI tools (Claude Code, Claude.ai, Cursor, etc.).
- Usage data: actions you take within the Service (searches, tags, notes) for feature functionality. Activity logging is opt-in for paid plans and can be disabled in Settings.
- Billing data: billing address, tax ID, and payment metadata processed by Stripe. We do not store credit card numbers. Stripe handles all payment card data.
2a. Data Not Intended for This Service
Luminaria Memo is designed to store AI workflow and coding session content for knowledge management purposes. You should not upload the following categories of data to the Service:
- Protected Health Information (PHI) as defined under the U.S. Health Insurance Portability and Accountability Act (HIPAA)
- Special categories of personal data under GDPR Article 9, including health data, genetic data, biometric data, or data concerning criminal convictions or offences
- Financial account credentials, payment card data, or banking information of third parties
- Government-issued identification numbers of third parties
- Classified, privileged, or government-restricted information
Luminaria Memo is not a HIPAA-covered entity and does not enter into Business Associate Agreements (BAAs). The Service is designed for AI workflow documentation, not clinical, legal, or financial data storage.
If you inadvertently upload such data, you may delete it immediately from Dashboard → Sessions. Contact doriana@luminaria.so if you need assistance with urgent data removal.
3. Why We Collect It (Legal Basis under GDPR)
We process your data based on:
- Contract performance (Art. 6(1)(b) GDPR): processing necessary to provide the Service you signed up for, authenticate your identity, and process payments.
- Legitimate interest (Art. 6(1)(f) GDPR): improving the Service, ensuring security, and preventing abuse.
- Consent (Art. 6(1)(a) GDPR): where applicable, such as for optional activity logging and optional communications.
4. No Training on Your Data
We do not use your session content, conversation data, or any uploaded material to train AI models. Your data is processed solely to provide search, storage, and analysis features within the Service.
5. Sub-Processors
Your data is processed by the following third-party infrastructure providers. We have accepted a Data Processing Agreement (DPA) or equivalent with each provider. Each maintains its own security certifications and data processing terms.
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase | Authentication & user management | Email, OAuth profile, auth tokens | EU (AWS eu-central-1) |
| Neo4j Aura | Graph database & vector search | Session content, messages, metadata | EU (GCP europe-west1) |
| Stripe | Payment processing | Billing address, tax ID, payment info | US (SCCs in place) |
| Vercel | Frontend hosting | Static assets & CDN routing only (no user data stored) | Global CDN |
| Clever Cloud | Backend API hosting | Request processing (ephemeral, not stored) | EU (France) |
| Mistral AI | AI search, chat, and embeddings | Message text sent for AI processing and embedding generation (Pro/Business plans only). Not used for model training per Mistral API terms | EU (France) |
Data transferred outside the European Economic Area (EEA), including to Stripe, is governed by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c).
6. Data Storage and Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS 1.2+) for all connections
- Encryption at rest for all database storage (Neo4j Aura, Supabase)
- API key hashing (SHA-256); we never store raw API keys
- Tenant-scoped data isolation: all queries enforce per-user boundaries; no cross-user data access is possible at the query layer
- Rate limiting on all API endpoints to prevent abuse
- Access controls limiting employee access to production data
7. Data Retention
- Active accounts: data is retained for as long as your account is active.
- Downgrade grace period: if you downgrade to a plan with lower storage limits and exceed the new limit, you have 30 days to export or reduce your data before excess data is pruned (oldest messages first). You will be notified before any pruning occurs.
- Account deletion: upon request, all your personal data is deleted within 30 days, except where retention is required by law (e.g., billing records for tax compliance under Romanian and EU law).
- Activity data: activity logs are automatically pruned based on your plan (Pro: 14 days, Business: 90 days).
8. Your Rights (GDPR)
Under the GDPR and Romanian Law 190/2018, you have the following rights:
- Access: request a copy of your personal data. You can export all your session data at any time from Dashboard → Settings → Data Management.
- Rectification: correct inaccurate personal data.
- Erasure: request deletion of your data. You can delete individual sessions or your entire account from Settings.
- Portability: receive your data in a structured, machine-readable format (JSON/ZIP export available at any time, on all plans including free).
- Objection: object to processing based on legitimate interest.
- Restriction: request limitation of processing in certain circumstances.
To exercise any of these rights, contact us at doriana@luminaria.so. We will respond within 30 days.
8a. Data Export for Compliance and Audit Purposes
You may export a complete copy of your data at any time, including all session content, messages, tags, notes, and metadata, in machine-readable JSON/ZIP format. No plan restrictions apply to data export. This feature is available on all plans including the free tier.
This export capability supports compliance workflows where individuals or organizations need to document and retain records of AI-assisted work for audit, regulatory, or professional purposes. Exports include timestamps, session identifiers, and full message content.
To export: Dashboard → Settings → Data Management → Export All Data.
9. Data Processing Agreements
Where Luminaria Memo processes personal data on your behalf as a data processor under GDPR, we do so only on your documented instructions and in accordance with this Privacy Policy.
For enterprise or professional customers requiring a formal Data Processing Agreement (DPA), please contact doriana@luminaria.so. We will provide a DPA based on the EU Standard Contractual Clauses (Module 2: Controller to Processor) upon request.
10. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) within 72 hours of becoming aware of the breach, as required by Article 33 GDPR and Romanian Law 190/2018. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Article 34 GDPR).
11. Cookies
Luminaria Memo uses only strictly necessary cookies required for authentication (Supabase session cookies). We do not use tracking cookies, analytics cookies, or advertising cookies. No cookie consent banner is required as we use only cookies strictly necessary for the Service to function.
12. International Data Transfers
Some infrastructure providers are based outside the European Economic Area. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) under GDPR Article 46(2)(c) or adequacy decisions by the European Commission. See Section 5 for details by provider.
13. Children
The Service is not intended for use by individuals under the age of 16. We do not knowingly collect data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at doriana@luminaria.so.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 14 days before they take effect. The "Last updated" date at the top indicates when the policy was last revised. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
15. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with:
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
www.dataprotection.ro
You may also contact your local data protection authority within the EU.
16. Contact
For questions about this Privacy Policy or to exercise your data protection rights:
Email: doriana@luminaria.so
Stellari Studio S.R.L. · CUI 38758119 · Dealului 3D, Toplița, Romania