
Privacy Policy

Last updated: June 13, 2026

1. Who we are

Luma ("we", "us", "our") is an attention management service available at theluma.ai. We help you turn messy thoughts into clear, prioritized action.

For any privacy questions, contact us at: joelchiapower@gmail.com

2. What data we collect

Account data

When you create an account, we collect your name and email address. You can sign up with an email and password, or with Google. If you use Google, we receive your name and email from Google. We store these to identify your account.

Brain dump content

The free-form text you enter in the brain dump field is sent to an AI service (OpenAI) to extract structured tasks. Your raw input text and the extracted tasks are stored on our servers. We do not sell or share this content.

Behavioral signals

We record how you interact with tasks — completions, ignores, skips, timing patterns — to learn your work style and improve task prioritization. These signals are stored against your account and are not shared.

Settings

We store your preferences: timezone, preferred brief time, preferred deep-work window, and email notification preferences.

Payment data

Pro subscriptions are processed by Stripe. We never see or store your full card number. Stripe stores payment details under their own privacy policy. We receive and store a Stripe customer ID and subscription status.

Usage data

We collect standard server logs (IP address, user-agent, request timestamps) for security and debugging. We may use analytics tools to understand aggregate product usage.

3. How we use your data

  • To authenticate you and maintain your session
  • To extract tasks from your brain dump via AI
  • To prioritize and surface tasks based on your behavior patterns
  • To send email notifications if you have enabled them
  • To process and manage your Pro subscription
  • To improve the product (using aggregated, anonymized patterns)
  • To detect and prevent abuse or unauthorized access

We do not sell your data to third parties. We do not use your brain dump content to train AI models beyond your own session context.

4. AI processing

Your brain dump text is sent to OpenAI's API for task extraction. This means your input is subject to OpenAI's data processing terms in addition to ours. We send only the text necessary for extraction — no account identifiers are passed to OpenAI.

On-device behavior signals (skip patterns, timing, etc.) are processed entirely on our servers. No behavioral data is shared with OpenAI.

5. Data retention

  • Tasks and inputs: retained for the life of your account, or until you delete them
  • Behavioral signals: decay weekly (×0.95 per week) by design; older patterns naturally lose influence
  • Account data: retained until you delete your account
  • Server logs: retained for up to 90 days

When you delete your account, we permanently delete your tasks, inputs, behavioral signals, and account record within 30 days.

6. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data (right to erasure)
  • Export your data in a portable format
  • Withdraw consent for processing where consent is the legal basis

To exercise any of these rights, email us at joelchiapower@gmail.com. We will respond within 30 days.

7. Cookies and tracking

We use session cookies to keep you logged in. We do not use third-party advertising cookies. If we use analytics, it will be configured to respect Do Not Track signals and minimize data collection.

8. Third-party services

  • Google OAuth — authentication (Google Privacy Policy applies)
  • OpenAI — task extraction from brain dump text (OpenAI Privacy Policy applies)
  • Stripe — payment processing (Stripe Privacy Policy applies)
  • Cloudflare — bot protection via Turnstile (Cloudflare Privacy Policy applies)

9. Data security

We use HTTPS for all data in transit. If you sign up with a password, it is hashed with bcrypt before storage; we never store or log your password in plain text. You can also sign in with Google, in which case no password is involved. We follow industry-standard practices to protect data at rest. No system is 100% secure; if you become aware of a security issue, please contact us immediately.

10. Children's privacy

Luma is not directed at children under 13. We do not knowingly collect personal data from children. If we learn we have done so, we will delete the data promptly.

11. Changes to this policy

We may update this policy as the product evolves. We will notify you of material changes via email or an in-app notice. Continued use after changes constitutes acceptance of the updated policy.

Questions? Email joelchiapower@gmail.com
