Privacy Policy
Effective Date: March 18, 2026 · Last Updated: March 18, 2026
Lumitone ("we," "us," or "our"), operated at lumitone.io, respects your privacy. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights regarding your personal data.
By using our Service, you consent to the practices described in this policy. If you do not agree, please do not use the Service.
1. Data We Collect
1.1 Data You Provide Directly
| Data | When | Purpose |
|---|---|---|
| Email address | Guest (email) purchase | Deliver purchased recommendations |
| Letterboxd username | Film to Music analysis | Retrieve your public film-watching data |
1.2 Data Collected via Third-Party Authentication
When you sign in with Spotify, we receive the following through Spotify's OAuth flow:
- Email address — associated with your Spotify account (used for account identification).
- Top tracks — your most-listened tracks across three time ranges (short-term, medium-term, long-term). This is read-only data used solely to generate recommendations.
- OAuth tokens — provider access token and refresh token, stored in secure httpOnly cookies (not in our database).
We do NOT access, read, or modify your Spotify playlists (except when you explicitly use the "Export as Playlist" feature), library, followers, profile details beyond email, or account settings.
1.3 Data Generated by the Service
- Recommendation results — AI-generated track or film recommendations, stored in your analysis history if you have an account.
- Purchase records — Stripe transaction identifiers, tier information, and timestamps.
1.4 Automatically Collected Data
- Cookies — essential authentication cookies only. See our Cookie Policy for details.
- Server logs — standard web server logs (IP address, user agent, timestamps) retained for security and operational purposes.
2. How We Use Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Generate AI recommendations from your preferences | Contractual necessity (performance of service) |
| Process payments and deliver purchased content | Contractual necessity |
| Send recommendation results via email (guest purchases) | Contractual necessity |
| Maintain your analysis history | Contractual necessity |
| Authenticate your identity | Contractual necessity |
| Prevent fraud and abuse | Legitimate interest |
| Improve and maintain the Service | Legitimate interest |
3. What We Do NOT Do
- We do not sell your personal data to any third party.
- We do not share your data for advertising or marketing purposes.
- We do not use your data to train or improve our machine learning models.
- We do not track you across other websites.
- We do not use analytics trackers, advertising pixels, or social media tracking scripts.
4. Data Sharing
We share your data only with the following categories of service providers, strictly as necessary to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase (Hetzner, EU) | Authentication, database | User ID, email, tier, analysis history |
| Stripe | Payment processing | Email, payment details (handled by Stripe) |
| Spotify | Authentication, listening data | OAuth tokens (Spotify's domain) |
| Resend | Transactional email delivery | Recipient email, recommendation content |
| Hetzner (Finland) | Server infrastructure | Encrypted data at rest on our servers |
We do not share data with any other third parties unless required by law or to protect our legal rights.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (user profile, tier) | Until account deletion |
| Analysis history | Until account deletion |
| Guest purchase records | 1 year after purchase |
| Cached recommendations | 1–24 hours (automatic expiry) |
| Spotify OAuth tokens (cookies) | Access token: 1 hour; Refresh token: 30 days |
| Server logs | 90 days |
6. Data Security
We implement the following security measures:
- All data is transmitted over HTTPS (TLS encryption in transit).
- OAuth tokens are stored in httpOnly, secure cookies (not accessible to JavaScript).
- Stripe handles all payment card data — we never see or store card numbers.
- Supabase Row Level Security (RLS) ensures users can only access their own data.
- The server is hosted in a secure data center (Hetzner, Helsinki, Finland).
- The backend API is accessible only through a reverse proxy (Nginx).
While we take reasonable measures to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
7. International Data Transfers
Our servers are located in Helsinki, Finland (EU/EEA). Some of our service providers (Stripe, Spotify, Resend) may process data in the United States. Where data is transferred outside the EEA, we rely on:
- EU-US Data Privacy Framework (DPF) adequacy decisions where applicable.
- Standard Contractual Clauses (SCCs) as approved by the European Commission.
- The provider's own GDPR compliance mechanisms.
8. Your Rights
8.1 Under GDPR (EU/EEA Residents)
If you are located in the EU or EEA, you have the right to:
- Access — request a copy of your personal data.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your personal data ("right to be forgotten").
- Restriction — request limitation of processing.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
You may also lodge a complaint with your local data protection authority (e.g., the Turkish Personal Data Protection Authority — KVKK, or any EU DPA).
8.2 Under CCPA (California Residents)
If you are a California resident, you have the right to:
- Know — what personal information we collect, use, and disclose.
- Delete — request deletion of your personal information.
- Opt-out of sale — we do not sell your personal information.
- Non-discrimination — we will not discriminate against you for exercising your rights.
8.3 Under KVKK (Turkish Residents)
If you are a resident of Turkey, you have rights under the Personal Data Protection Law No. 6698 (KVKK), including the right to learn whether your data is processed, request information about processing, request correction, request deletion or destruction, and object to automated decisions.
8.4 Exercising Your Rights
To exercise any of these rights, contact us at recs@lumitone.io. We will respond within 30 days (or within the timeframe required by applicable law). We may ask you to verify your identity before processing your request.
9. Children's Privacy
The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child under 16, please contact us and we will promptly delete such data.
10. Third-Party Links
The Service may contain links to third-party websites (e.g., Spotify, Letterboxd, Stripe). We are not responsible for the privacy practices of these websites. We encourage you to review their privacy policies.
11. AI and Automated Decision-Making
Our Service uses machine learning models to generate recommendations. This constitutes automated decision-making. However:
- The recommendations are for entertainment/discovery purposes only.
- No decisions with legal or similarly significant effects are made about you.
- Your listening/watching data is processed only to generate the specific recommendations you request.
- We do not profile users for purposes other than generating the requested recommendations.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last Updated" date at the top of this page. Your continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact
For any privacy-related questions or to exercise your data rights:
Lumitone — Data Protection
Email: recs@lumitone.io
Website: lumitone.io
If you believe your privacy rights have been violated, you have the right to lodge a complaint with your local data protection authority.