Lumia Labs
Privacy Policy
Last updated: 21 May 2026
This Privacy Policy explains how Lumia Labs B.V. ("Lumia Labs", "we", "us") collects, uses, shares and protects personal data when you visit lumia-labs.com, create an account, or use our AI product photography platform (the "Service"). It is written to comply with the EU General Data Protection Regulation 2016/679 ("GDPR"), the Dutch GDPR Implementation Act (UAVG) and the Spanish Organic Law 3/2018 on Data Protection and Digital Rights (LOPDGDD).
1. Data Controller
The data controller responsible for the processing of your personal data is:
Lumia Labs B.V.
Heidelberglaan 8, 3584 CS Utrecht, The Netherlands
Privacy contact: privacy@lumia-labs.com
General contact: info@lumia-labs.com
Lumia Labs B.V. operates the Lumia Labs brand and platform. References to "we", "us" or "Lumia Labs" in this Policy refer to this entity. We have not formally appointed a Data Protection Officer, as we are not required to do so under Article 37 GDPR; however, all privacy enquiries are handled directly by our founders.
2. Categories of Personal Data
We collect and process the following categories of personal data:
2.1 Account information
- Identifiers: full name, display name, profile picture (when you sign in via Google).
- Contact details: email address.
- Authentication data: Firebase Authentication user ID (UID), hashed password (when you register with email/password), Google OAuth tokens.
- Account preferences: language, role, brand settings and feature permissions.
2.2 Content you upload or generate
- Reference product photographs you upload to the Service.
- Reference model, environment and style images you upload to your private library.
- Text prompts, briefs and instructions you submit to the AI generation pipeline.
- AI-generated output images, valuations and metadata associated with each photo session.
These materials may incidentally contain personal data (for example, the likeness of a person depicted in a reference photograph). You are responsible for ensuring you have the right to upload such material — see our Terms of Service.
2.3 Usage and Lumens data
- Lumens balance, transactions and credit consumption history.
- Session and generation history (timestamps, prompts used, models invoked, outputs produced).
- Feature usage events (for example: wizard completion, multi-image generation, agent interactions).
2.4 Payment metadata (once Stripe is enabled)
When we activate paid plans, we will process transactional metadata through Stripe Payments Europe, Ltd. (Ireland): purchase amount, currency, plan, invoice ID, last four digits of your card, billing country and VAT number. We do not store full card numbers or CVV on our own infrastructure — these are handled by Stripe under PCI-DSS Level 1 controls.
2.5 Technical and log data
- IP address, user agent, device type, operating system and browser language.
- Server logs: HTTP request paths, response codes, latency and error stack traces.
- Security events: login attempts, password resets, suspicious traffic.
2.6 Communications
When you contact us via the website form, by email or through support channels, we keep the message, your email address and any attachments necessary to respond.
3. Purposes and Legal Bases
We process personal data only where we have a lawful basis under Article 6 GDPR. The table below summarises each purpose, the categories of data involved and the legal basis we rely on.
| Purpose | Processing involved | Legal basis |
|---|---|---|
| Providing and operating the Service | Account creation, authentication, image generation, storage of your library, Lumens accounting, customer support. | Performance of a contract (Art. 6(1)(b) GDPR). |
| Service security, fraud prevention and abuse detection | Monitoring logs, rate-limiting, detecting prohibited content uploads, protecting against unauthorised access. | Legitimate interest (Art. 6(1)(f) GDPR) in keeping the platform safe and reliable. |
| Service improvement and quality assurance | Aggregated usage analysis, prompt-engineering review, evaluation of generation quality, debugging of failing sessions. | Legitimate interest (Art. 6(1)(f) GDPR) in improving the Service. |
| Billing, invoicing and tax compliance (once paid plans are live) | Processing payments, issuing invoices, VAT reporting, accounting record keeping. | Performance of a contract (Art. 6(1)(b) GDPR) and compliance with a legal obligation (Art. 6(1)(c) GDPR), in particular Dutch and EU tax law. |
| Marketing, newsletters and product announcements | Sending product updates, onboarding emails, feature announcements and occasional offers. | Consent (Art. 6(1)(a) GDPR) when you opt in. For existing customers we may also rely on the soft opt-in under Article 95 of the ePrivacy Directive, always with an easy unsubscribe option in every email. |
| Analytics and audience measurement | Google Analytics 4 to understand which pages and features are used most. | Consent (Art. 6(1)(a) GDPR), collected through our cookie banner. You may withdraw consent at any time. |
| Legal claims and regulatory compliance | Responding to lawful requests from authorities, defending and exercising legal claims. | Legal obligation (Art. 6(1)(c) GDPR) and legitimate interest (Art. 6(1)(f) GDPR). |
4. AI Inputs and Outputs
Lumia Labs is, fundamentally, an AI service. We believe you deserve clear and specific information about how your inputs are used.
4.1 What happens to your inputs
When you upload a product image, reference photograph or text prompt, that content is transmitted to our generation pipeline. Depending on the feature you use, your inputs may be sent to Google's Gemini family of models via the Google AI / Vertex AI API in order to produce an output image. Google processes these inputs under its enterprise terms.
We do not sell your uploaded content, and we do not use it to train third-party foundation models. Google has confirmed that paid Gemini API inputs and outputs are not used to train its general models.
4.2 Use of inputs to improve Lumia Labs
We may retain a sample of prompts and (anonymised) outputs to debug failing generations, evaluate prompt-engineering changes and improve our internal orchestration. We may also use aggregated, de-identified statistics to improve the Service. We do not use your private library or uploaded reference images to train any model offered to other customers without your separate, explicit consent.
4.3 Output ownership
Subject to your compliance with our Terms of Service, you own the commercial rights to the AI-generated outputs produced for you, and you may use them for any lawful commercial purpose. We do not claim ownership of your outputs.
4.4 Automated processing
The image generation pipeline is fully automated, but it does not produce decisions with legal or similarly significant effects on you within the meaning of Article 22 GDPR. You always remain the decision-maker about whether to publish or commercially use a generated image.
5. Retention Periods
We keep your personal data only for as long as necessary for the purposes set out above. Specifically:
- Account data: for as long as your account is active, and up to twelve (12) months after deletion or prolonged inactivity, after which the account record is permanently erased.
- Generated images, libraries and session history: until you delete them or your account, whichever comes first.
- Technical logs and security events: ninety (90) days, after which they are rotated out of our logging system.
- Prompt samples retained for quality assurance: up to twelve (12) months, in pseudonymised form.
- Invoices and tax records: seven (7) years, as required by Article 52 of the Dutch General Tax Act (Algemene wet inzake rijksbelastingen).
- Marketing consent records: until you withdraw consent, plus a reasonable archival period to demonstrate compliance.
- Support correspondence: up to twenty-four (24) months after the matter is closed.
When a retention period ends, we either delete the data or irreversibly anonymise it so that it can no longer be associated with you.
6. Recipients and Sub-processors
We rely on a small number of carefully selected service providers ("sub-processors") to deliver the Service. Each sub-processor is bound by a Data Processing Agreement that meets the requirements of Article 28 GDPR.
| Provider | Purpose | Region |
|---|---|---|
| Google Ireland Ltd. / Google LLC (Firebase Authentication, Firestore, Cloud Storage, Cloud Run, Cloud Functions) | Authentication, database, file storage, application hosting. | EU (primary) with possible transfers to the US. |
| Google LLC (Gemini API / Vertex AI) | AI image generation, prompt orchestration. | EU/US, depending on selected region. |
| Google LLC (Google Analytics 4) | Audience and usage analytics, only after consent. | EU/US. |
| Namecheap Inc. (Private Email SMTP) | Transactional email delivery (account, notifications, support). | United States. |
| Stripe Payments Europe, Ltd. (planned) | Payment processing, invoicing, fraud prevention. Activated once paid plans go live. | Ireland (EU), with limited transfers to Stripe Inc. (US). |
We may also disclose personal data to professional advisers (lawyers, accountants, auditors), competent public authorities when legally required, and to a successor entity in the context of a merger, acquisition or sale of assets, in which case we will notify you in advance.
7. International Transfers
Some of our sub-processors are established outside the European Economic Area, in particular in the United States. When personal data is transferred outside the EEA, we rely on appropriate safeguards under Chapter V of the GDPR:
- Standard Contractual Clauses approved by the European Commission (Decision 2021/914) signed with Google LLC, Namecheap and other US providers.
- Where applicable, certification of the recipient under the EU-US Data Privacy Framework adopted by the European Commission on 10 July 2023.
- Supplementary technical measures such as encryption in transit (TLS 1.2+) and encryption at rest.
You can request a copy of the safeguards in place by writing to privacy@lumia-labs.com.
8. Your Rights
Under the GDPR you have the following rights with respect to your personal data:
- Right of access (Art. 15 GDPR): to obtain confirmation of whether we process your data and, if so, a copy of it.
- Right to rectification (Art. 16 GDPR): to correct inaccurate or incomplete data about you.
- Right to erasure (Art. 17 GDPR): the "right to be forgotten", subject to legal retention obligations.
- Right to restriction of processing (Art. 18 GDPR): to limit how we use your data in certain situations.
- Right to data portability (Art. 20 GDPR): to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to object (Art. 21 GDPR): to processing based on our legitimate interests, including direct marketing.
- Right to withdraw consent (Art. 7(3) GDPR): at any time, without affecting the lawfulness of processing carried out before the withdrawal.
- Right not to be subject to solely automated decisions producing legal or similarly significant effects (Art. 22 GDPR).
You can exercise these rights by writing to privacy@lumia-labs.com, or, for erasure, directly via the in-app deletion flow at /profile/delete. We will respond within one month of receiving your request, in line with Article 12(3) GDPR. We may ask you to verify your identity before processing the request.
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent authorities for Lumia Labs are:
- Autoriteit Persoonsgegevens (Dutch Data Protection Authority) — https://autoriteitpersoonsgegevens.nl.
- Agencia Española de Protección de Datos (AEPD) — https://www.aepd.es — for users resident in Spain.
- The supervisory authority of your place of residence, place of work, or place of the alleged infringement.
10. Security Measures
We implement appropriate technical and organisational measures, as required by Article 32 GDPR, to ensure a level of security appropriate to the risk. These include:
- TLS 1.2 or higher for all traffic between your browser and our servers.
- Encryption at rest for all data stored in Firestore and Firebase Cloud Storage.
- Identity and access management based on the principle of least privilege, with Firebase IAM and Cloud Run service accounts.
- Password hashing handled by Firebase Authentication using industry-standard algorithms.
- Segregation of production and development environments, with separate credentials and Firestore projects.
- Continuous logging, anomaly monitoring and regular review of access by our engineering team.
- Mandatory security training for personnel with access to production systems.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours, in line with Article 33 GDPR, and inform affected users without undue delay where required by Article 34 GDPR.
11. Children and Minors
The Service is intended exclusively for businesses and adult professionals. We do not knowingly collect personal data from children under 18. If you become aware that a minor has provided us with personal data, please contact privacy@lumia-labs.com and we will delete it promptly.
12. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in the Service, in applicable law or in our business practices. The "Last updated" date at the top of this page indicates when the latest version was published. When the changes are material, we will notify you by email or by an in-app banner at least 30 days before they take effect.
13. Contact
For any question about this Privacy Policy or about how we handle your personal data, please write to us at privacy@lumia-labs.com or by post to Lumia Labs B.V., Heidelberglaan 8, 3584 CS Utrecht, The Netherlands.
Thank you for trusting Lumia Labs with your creative work.