Privacy Policy
Last updated · 2026-05-14
We respect your privacy. This policy describes what data we collect, why, and how long we keep it. Compliance: GDPR (EU), CCPA (California).
What we collect
Purchase data — your email, the tour you bought, the currency and amount, the language you chose. Stored to deliver your pass.
Activation & usage data — when you activated, and anonymized interaction logs (which POIs were unlocked, in what order) to improve our content. We do not collect or store your GPS positions.
Preferences — your chosen language and currency, stored in a browser cookie and in our database against your email.
What we do not collect
We do not store your continuous location, your photos, your contacts, or any third-party social identifier. The Lume app uses GPS while running, but coordinates are processed locally and not transmitted to our servers in normal use.
Cookies
We use strictly-necessary cookies (preference cookies for language and currency) and analytics cookies (privacy-respecting, no third-party ad networks). You can refuse analytics cookies and the site will still work.
Data retention
Purchase records: kept 5 years for accounting/legal compliance. Usage analytics: anonymized and retained indefinitely in aggregate form. Account-level data is deleted on request within 30 days.
Your rights
Under GDPR, you have the right to access, correct, port, and delete your personal data. Email privacy@lume.travel to exercise these rights.
Sub-processors
- Stripe (payment processing)
- Supabase (database hosting)
- Vercel (web hosting)
- Resend (transactional email)
- Google Cloud (text-to-speech, AI)