Privacy Policy

Effective date: 7 June 2026

1. Who We Are

Lumen is a personal finance analytics service operated as an independent project based in the Netherlands. For GDPR purposes, Lumen acts as the data controller for information you provide when creating an account and using the Service. Contact: [email protected].

2. What Data We Collect

Account information — collected at registration:

  • Email address (required)
  • First and last name (required)
  • Phone number (optional)
  • Date of birth (optional)
  • Password (stored as a bcrypt hash — we never see your plaintext password)

Financial transaction data — when you upload files:

  • Transaction dates, amounts, currencies, and descriptions from bank CSV exports
  • Counterparty names and IBANs where present in the source file
  • Running balance figures where present in the source file
  • Auto-assigned and user-corrected spending categories

Portfolio data — when you import broker statements:

  • Ticker symbols, ISINs, position quantities, average cost prices
  • Broker name and statement filename

Usage & session data — automatically collected:

  • Authentication tokens and session metadata (managed by Supabase Auth)
  • Timestamps of logins and data imports

We do not set cookies beyond those strictly necessary for authentication, and we do not use advertising trackers or analytics SDKs.

3. Why We Process Your Data (Legal Basis)

Purpose                                             Legal basis (GDPR Art. 6)
--------------------------------------------------  --------------------------------------
Providing and operating the Service                 Performance of contract (Art. 6(1)(b))
Authentication and account security                 Performance of contract (Art. 6(1)(b))
Automated transaction categorization                Performance of contract (Art. 6(1)(b))
Sending transactional emails (e.g. password reset)  Performance of contract (Art. 6(1)(b))
Improving categorization accuracy                   Legitimate interests (Art. 6(1)(f))
Complying with legal obligations                    Legal obligation (Art. 6(1)(c))

4. How We Store & Protect Your Data

All data is stored in a PostgreSQL database hosted by Supabase in the European Union. Row Level Security (RLS) policies restrict every query to the rows belonging to the authenticated user; this is enforced by the database itself, independently of application code. Connections are encrypted with TLS in transit.
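As an illustration of how per-user isolation of this kind is expressed in PostgreSQL, the following is an added example of a Supabase-style Row Level Security setup. It is not Lumen's actual schema or policy text; the table name, column names and the use of Supabase's auth.uid() helper are assumptions.

```sql
-- Illustrative example (not Lumen's own schema or policies): a per-user
-- transactions table protected by Row Level Security. Table and column
-- names are assumptions; auth.uid() is Supabase's helper returning the
-- UUID of the caller from its JWT.
create table if not exists transactions (
  id          bigint generated always as identity primary key,
  user_id     uuid not null default auth.uid()
              references auth.users (id) on delete cascade,
  booked_on   date not null,
  amount      numeric(14, 2) not null,
  currency    char(3) not null,
  description text,
  category    text
);

-- Until RLS is enabled, policies are ignored and any role with table
-- privileges can read every row. FORCE applies the policies to the table
-- owner as well.
alter table transactions enable row level security;
alter table transactions force row level security;

-- One policy per operation. USING filters rows that can be seen or changed;
-- WITH CHECK validates rows being written, so a user cannot insert or
-- re-parent a row under someone else's user_id.
create policy "users read own transactions"
  on transactions for select
  to authenticated
  using (auth.uid() = user_id);

create policy "users insert own transactions"
  on transactions for insert
  to authenticated
  with check (auth.uid() = user_id);

create policy "users update own transactions"
  on transactions for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "users delete own transactions"
  on transactions for delete
  to authenticated
  using (auth.uid() = user_id);

-- Check: run as an authenticated user, a query with no WHERE clause still
-- returns only that user's rows.
select count(*) from transactions;
```

Two caveats a reviewer would check: RLS only binds roles that are subject to it, so a Supabase service_role key (which bypasses RLS) must stay server-side and never reach the browser; and every new table holding user data needs its own ENABLE and policies, since RLS is off by default on freshly created tables.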

PDF files you upload are passed transiently to the Anthropic Claude API for text extraction. The extracted transaction rows are stored in our database; the raw PDF is not retained after processing.

Portfolio positions are enriched with live prices from Yahoo Finance. Your ticker symbols may be sent to Yahoo Finance and, if Groq symbol resolution is enabled, to Groq — no personal account data is shared with these providers.

5. Third-Party Processors

Processor       Purpose                                Data location
--------------  -------------------------------------  ------------------
Supabase        Database & authentication              EU
Anthropic       PDF transaction extraction             US (SCCs applied)
Yahoo Finance   Market price data                      US (public API)
Groq            Ticker symbol resolution (optional)    US (SCCs applied)

Transfers to processors outside the EU are covered by Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR Chapter V.

6. Data Retention

  • Account data — retained for as long as your account is active.
  • Transaction & portfolio data — retained until you delete it or close your account.
  • On account deletion — all personal data is permanently erased within 30 days.
  • Backups — may be retained for up to 90 days after deletion for disaster-recovery purposes, then purged.

7. Your Rights Under GDPR

As a data subject you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion of your data (“right to be forgotten”).
  • Restriction — ask us to limit processing in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interests.

To exercise any of these rights, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

8. Children

Lumen is not directed at children under 18. We do not knowingly collect data from minors. If you believe a minor has registered, contact us and we will delete the account promptly.

9. Changes to This Policy

We may update this Privacy Policy to reflect changes in the Service or applicable law. We will notify you by email at least 14 days before material changes take effect. Continued use after the effective date constitutes acceptance of the updated policy.

10. Contact

Privacy questions or requests: [email protected]

© 2026 Lumen. All rights reserved.