lumi
← Back to Lumi

Legal

Privacy Policy

Last updated: June 2025

Plain-language summary: We collect your email to create your account, your event details to render your invite, and anonymized analytics to improve the product. We use Meta Pixel and may use server-side event forwarding for advertising. You can delete your account and all data at any time by emailing us.

1. Who We Are

Lumi Invites ("Lumi," "we," "us," "our") operates the website and platform available at www.lumi-invites.com. We provide a digital invitation creation and sharing service.

For users in the European Economic Area (EEA), the United Kingdom, and Switzerland, Lumi is the data controller for personal data collected through our service.

Contact: For all privacy inquiries: privacy@lumi-invites.com

2. Data We Collect

2.1 Data You Provide Directly

  • Account data: Email address, name (if provided via OAuth), profile picture (from Google or Apple if you use OAuth sign-in).
  • Invitation data: Event title, dates, venue details, uploaded photos, schedule, guest details, WhatsApp phone number for RSVPs, gift registry links, and any other content you add to your invitation.
  • Payment data: We do not store your card details. Payments are processed by Stripe, Inc. We receive a transaction confirmation and your billing country for tax compliance purposes.
  • Communications: If you contact us by email, we retain those communications.

2.2 Data Collected Automatically

  • Usage data: Pages visited, features used, time spent in the builder, clicks, and interaction events.
  • Device and browser data: IP address, browser type, operating system, screen resolution, language preferences, and device type.
  • Referral data: The URL or ad that brought you to Lumi (e.g., a Meta ad, a WhatsApp invite link).
  • Cookie data: Session cookies for authentication, preference cookies, and third-party analytics/advertising cookies (described below).

2.3 Data From Third Parties

  • OAuth providers: If you sign in with Google or Apple, we receive your name, email address, and profile picture from that provider.
  • Meta Platforms: If you arrive via a Meta advertisement, Meta may share limited event-matching data with us through their advertising tools.
  • Stripe: We receive payment confirmation, billing country, and fraud signals from Stripe.

3. Advertising and Tracking Technologies

3.1 Meta Pixel (Browser-Side)

We use the Meta Pixel, a JavaScript tracking tag, on our website. This tool is operated by Meta Platforms, Inc. (Facebook). The Meta Pixel tracks certain user actions on our site and reports them to Meta so we can measure the effectiveness of our advertising campaigns.

Events we send via the Meta Pixel include:

  • PageView: When any page on our site is loaded.
  • ViewContent: When a user views the invite builder.
  • InitiateCheckout: When a user clicks "Save & Get My Link" in the builder.
  • Lead: When a user completes account creation.
  • Purchase: When a user completes a paid transaction.

The Meta Pixel may use cookies and similar technologies and may collect your IP address and browser information. This data is transmitted to Meta's servers and is governed by Meta's Privacy Policy.

You can opt out of Meta's use of your data for advertising purposes at facebook.com/ads/preferences or via the Digital Advertising Alliance at optout.aboutads.info.

3.2 Meta Conversions API (Server-Side Events)

In addition to the browser-side Pixel, we may implement the Meta Conversions API (CAPI), which sends certain conversion events directly from our servers to Meta. This server-side approach is used to improve ad measurement reliability in environments where browser-based cookies are blocked or degraded (e.g., by browser privacy settings or ad blockers).

When using CAPI, we may send the following data to Meta in a hashed (SHA-256) format:

  • Email address (hashed)
  • IP address (hashed)
  • User agent string
  • Event names and timestamps (e.g., Purchase, Lead)
  • External event identifier (a random ID that does not identify you personally)

Hashing means the raw values are mathematically transformed before transmission; the original values cannot be recovered from the hash. This data is used solely for ad performance measurement and optimization. We do not sell this data to Meta or any other party.

3.3 Analytics

We may use analytics tools (such as Vercel Analytics, PostHog, or Google Analytics) to understand how users interact with our service. These tools may collect anonymized usage data including page views, session duration, and navigation paths. Where required by law, we obtain your consent before placing analytics cookies.

4. How We Use Your Data

PurposeData UsedLegal Basis (GDPR/LGPD)
Provide the invitation serviceAccount data, invitation content, imagesPerformance of contract
Process paymentsEmail, billing country (via Stripe)Performance of contract
Send transactional emailsEmail addressPerformance of contract
Prevent fraud and abuseIP address, device data, usage patternsLegitimate interests
Improve our productAnonymized usage dataLegitimate interests
Run advertising campaignsEmail (hashed), IP (hashed), event dataLegitimate interests / Consent
Comply with legal obligationsAny data required by applicable lawLegal obligation
Respond to your inquiriesEmail address, message contentLegitimate interests

5. Data Sharing

We do not sell your personal data. We share data only with:

  • Supabase, Inc.: Our database and authentication provider. Data is stored on their infrastructure. Supabase Privacy Policy.
  • Stripe, Inc.: Payment processing. Stripe Privacy Policy.
  • Vercel, Inc.: Website hosting and infrastructure. Vercel Privacy Policy.
  • Meta Platforms, Inc.: Advertising measurement, as described in Section 3. Meta Privacy Policy.
  • Law enforcement or regulators: When required by applicable law, court order, or governmental authority.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.

6. Guest Data and Invitation Content

When you create an invitation, you may include other people's personal data (e.g., your WhatsApp number is shared with guests via the RSVP button). You are responsible for ensuring you have the right to share any personal data you include in your invitations and that your guests are informed appropriately.

Guests who open a Lumi invitation link are subject to our automatic data collection (Section 2.2). We do not use guest data for advertising targeting without explicit consent.

7. Data Retention

  • Account and invitation data: Retained as long as your account is active. If you delete your account, we delete your data within 30 days, except where retention is required by law.
  • Payment records: Retained for 7 years for tax and legal compliance.
  • Analytics data: Typically retained in anonymized form for up to 24 months.
  • Server logs: Retained for up to 90 days for security and debugging.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Correct inaccurate data.
  • Erasure ("right to be forgotten"): Request deletion of your personal data.
  • Portability: Receive your data in a machine-readable format.
  • Objection: Object to processing based on legitimate interests, including profiling for advertising.
  • Restriction: Request that we restrict processing of your data.
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email privacy@lumi-invites.com. We will respond within 30 days (or the timeframe required by your local law).

Brazilian Users (LGPD)

If you are located in Brazil, you are protected by the Lei Geral de Proteção de Dados (LGPD — Law No. 13,709/2018). All rights listed above apply to you. You may also contact the Autoridade Nacional de Proteção de Dados (ANPD) if you believe your rights are not being respected.

Indian Users (DPDP Act)

If you are located in India, you are protected by the Digital Personal Data Protection Act 2023 (DPDP Act). You have the right to access, correct, and erase your personal data, and to nominate a representative in case of incapacity. Contact us at privacy@lumi-invites.com to exercise these rights.

EU/EEA and UK Users (GDPR / UK GDPR)

If you are in the EU, EEA, or UK, you have the rights listed above under the General Data Protection Regulation. You may also lodge a complaint with your local supervisory authority.

9. International Data Transfers

Lumi is operated from [your country]. Our service providers (Supabase, Stripe, Vercel, Meta) may process data in the United States and other countries. Where we transfer data from the EEA or UK to countries not considered adequate by the European Commission, we rely on appropriate safeguards such as Standard Contractual Clauses.

10. Children's Privacy

Our service is not directed to children under the age of 13 (or 16 in certain jurisdictions). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@lumi-invites.com and we will delete it promptly.

11. Cookies

We use the following categories of cookies:

  • Strictly necessary: Session cookies required for authentication and security. These cannot be disabled.
  • Analytics: Used to understand how visitors use our site. You can opt out via your browser settings or our cookie preferences.
  • Advertising: Used to measure the effectiveness of our ads (Meta Pixel). You can opt out as described in Section 3.1.

You can control cookies through your browser settings. Disabling cookies may affect the functionality of the service.

12. Security

We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, access controls, and Row Level Security (RLS) in our database so that each user can only access their own data. Despite these measures, no system is completely secure. We will notify you of any breach affecting your personal data as required by applicable law.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page and, for material changes, notify you by email. Your continued use of the service after the changes take effect constitutes acceptance of the updated policy.

14. Contact

For any privacy-related questions, requests, or complaints:
Email: privacy@lumi-invites.com
Response time: Within 30 days of receipt.