This Privacy Policy describes how LUMA ("we," "us," "our") collects, uses, and shares personal information when you use our services. By using LUMA, you agree to this policy.
1. Who we are
LUMA is a booking and communication platform for solo beauty professionals (the "Service"). LUMA is operated by Neo Cadiz, based in the United States. You can reach us at neo@startluma.com.
2. Information we collect
We collect the following categories of information:
Account information: Your name, business name, email address, phone number, and password (hashed; we never store plaintext passwords).
Booking and client data: Information you enter about your clients, including names, contact details, appointment history, and care notes you choose to record.
Message content: SMS messages sent and received through your LUMA business number, including message text, timestamps, and sender/recipient phone numbers. Instagram direct messages received through LUMA's Instagram integration.
Usage data: Pages you visit, features you use, and timestamps of activity within LUMA. We use this data to improve the product.
Device and technical data: Browser type, IP address, and device identifiers for security and abuse prevention.
3. How we use your information
We use the information we collect to:
Provide the booking, messaging, and communication features of LUMA.
Route SMS messages between you and your clients through our SMS partner (Twilio).
Automatically categorize incoming messages (e.g., booking request, reschedule) using an AI model (OpenAI). Message content is processed but not retained by OpenAI under our zero-retention agreement.
Process payments and subscriptions through our payment processor (Stripe).
Send you account-related notifications (booking confirmations, appointment reminders, account alerts) via SMS, with your consent.
Improve LUMA's features and detect abuse or fraud.
4. How we share your information
We share information only with service providers who help us operate LUMA:
Twilio — SMS delivery. We share your business phone number, recipient phone numbers, and message content with Twilio so messages can be transmitted.
OpenAI — automatic message categorization. Message text is sent for classification under a zero-retention agreement; OpenAI does not store or train on this data.
Supabase — our database and authentication infrastructure. Your account and booking data are stored on Supabase's secure infrastructure in the United States.
Vercel — application hosting. Vercel processes web requests but does not have access to your stored data.
Stripe — payment processing. If you subscribe to LUMA or accept deposits from clients through LUMA, Stripe handles the payment data.
Meta (Instagram) — only if you connect your Instagram account, we use Meta's Messenger API to receive and send direct messages on your behalf.
We do not sell your personal information. We do not share your or your clients' message content with advertisers or third parties for marketing purposes.
5. SMS and consent
LUMA sends SMS messages only to recipients who have consented to receive them. Providers using LUMA explicitly opt in to receive SMS from LUMA itself by toggling SMS consent in their account settings. Clients who text your LUMA business number have implicitly consented to receive replies through that conversation.
You can reply STOP at any time to a LUMA SMS to immediately opt out of further messages. You can reply HELP to receive contact information. Message and data rates may apply. Detailed SMS terms are available at /sms-terms.
6. Data retention
We retain your account information, booking history, and message records for as long as your LUMA account is active. If you close your account, we retain limited records for up to 7 years for legal and tax compliance purposes, then delete them. You can request deletion of specific data by emailing neo@startluma.com.
7. Your rights
Depending on your jurisdiction, you may have the right to:
Access the personal information we hold about you.
Request correction of inaccurate information.
Request deletion of your information (subject to legal retention requirements).
Opt out of certain processing or marketing communications.
Receive a copy of your data in a portable format.
To exercise these rights, email us at neo@startluma.com. We will respond within 30 days.
8. Security
We use industry-standard security practices to protect your information, including TLS encryption in transit, encrypted storage at rest, hashed passwords, and access controls. However, no system is perfectly secure. You are responsible for keeping your account credentials safe.
9. Children's privacy
LUMA is not intended for use by anyone under 18. We do not knowingly collect information from children. If you believe we have collected information from a child, contact us and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice. The "Effective" date at the top of this policy reflects the most recent update.
11. Contact us
If you have questions about this Privacy Policy or how we handle your data, email us at neo@startluma.com.