Privacy Policy

Last updated · 2026-05-14

We respect your privacy. This policy describes what data we collect, why, and how long we keep it. Compliance: GDPR (EU), CCPA (California).

What we collect

Purchase data — your email, the tour you bought, the currency and amount, the language you chose. Stored to deliver your pass.

Activation & usage data — when you activated, and anonymized interaction logs (which POIs were unlocked, in what order) to improve our content. We do not collect or store your GPS positions.

Preferences — your chosen language and currency, stored in a browser cookie and in our database against your email.

What we do not collect

We do not store your continuous location, your photos, your contacts, or any third-party social identifier. The Lume app uses GPS while running, but coordinates are processed locally and not transmitted to our servers in normal use.

Cookies

We use strictly-necessary cookies (preference cookies for language and currency) and analytics cookies (privacy-respecting, no third-party ad networks). You can refuse analytics cookies and the site will still work.

Data retention

Purchase records: kept 5 years for accounting/legal compliance. Usage analytics: anonymized and retained indefinitely in aggregate form. Account-level data is deleted on request within 30 days.

Your rights

Under GDPR, you have the right to access, correct, port, and delete your personal data. Email privacy@lume.travel to exercise these rights.

Sub-processors

  • Stripe (payment processing)
  • Supabase (database hosting)
  • Vercel (web hosting)
  • Resend (transactional email)
  • Google Cloud (text-to-speech, AI)