Privacy Policy
This Privacy Policy explains what we collect, why, and how to control it. We try to collect the minimum necessary to deliver the product.
What we collect
Account info (email, name) for authentication. The credit reports you upload, parsed into structured data so we can analyze them. Chat messages you send. Subscription and payment metadata from our billing provider — we never see full card numbers. Standard server logs (IP, request id, user-agent).
Sensitive data
Credit reports contain sensitive personal data including SSN fragments and account numbers. We store them encrypted at rest, scope every database query by user, and never share with third parties for advertising or analytics.
Signatures
If you choose to save a signature, it is encrypted with AES-GCM in your browser and stored in IndexedDB on your device only. It is never uploaded to our servers.
AI / LLM processing
We send the minimum facts needed (creditor name, balance, dates, your question) to large language model APIs to generate analysis, letters, and chat answers. We do not send full reports verbatim. Our LLM providers are contractually prohibited from training on your data.
Your rights
You can export or delete your data at any time from Profile. Deletion wipes reports, letters, chat history, and embeddings within 30 days. We honor GDPR and CCPA requests; email privacy@lumacredit.net.
Cookies
We use a single first-party session cookie (httpOnly, SameSite=Lax) for authentication. No advertising or tracking cookies.
Retention
Active reports are kept while your account is active. Deleted reports are purged from primary storage immediately and from backups within 90 days.