Privacy Policy
Your privacy is important to us. This policy explains how Lumina Studio OS collects, uses, and protects your information.
Last updated: February 20, 2026
Introduction
Welcome to Lumina Studio OS, operated by Strategia-X ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered creative suite platform, including our website at www.lumina-os.com, applications, and related services (collectively, the "Service").
This Privacy Policy applies to all users worldwide. If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, please see Section 10 for additional rights under the General Data Protection Regulation (GDPR). If you are a California resident, please see Section 11 for additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). If you reside in another U.S. state with comprehensive privacy legislation, please see Section 12.
By accessing or using Lumina Studio OS, you acknowledge that you have read and understand this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.
Information We Collect
We collect information that you provide directly to us, information we obtain automatically when you use our Service, and information from third-party sources.
Information You Provide
- **Account Information:** When you create an account, we collect your name, email address, password, and optional profile information.
- **Payment Information:** When you subscribe to our premium services, we collect payment details through our secure payment processor (Stripe). We do not store complete credit card numbers on our servers.
- **Content and Files:** We collect the content you create, upload, or receive through our Service, including images, videos, designs, and documents.
- **Communications:** When you contact us for support or feedback, we collect the information you provide in those communications.
- **Survey Responses:** If you participate in surveys or research, we collect the responses you provide.
Information Collected Automatically
- **Usage Data:** We collect information about how you interact with our Service, including features used, actions taken, time spent, and navigation patterns.
- **Device Information:** We collect device type, operating system, browser type, unique device identifiers, and mobile network information.
- **Log Data:** Our servers automatically record information including your IP address, access times, pages viewed, and the page you visited before navigating to our Service.
- **Cookies and Similar Technologies:** We use cookies, pixels, and similar technologies to collect information about your browsing activities and to distinguish you from other users. See Section 15 for details.
- **Geolocation Data:** We infer your approximate location from your IP address to provide region-appropriate services and comply with local regulations.
Information from Third Parties
- **Social Login:** If you sign in using Google, Apple, or other social providers, we receive information from those services as permitted by your settings.
- **Analytics Partners:** We receive aggregated analytics data from our partners to help improve our Service.
How We Use Your Information
We use the information we collect for various purposes, including:
Service Delivery
- Provide, maintain, and improve our Service
- Process transactions and send related information
- Create and manage your account
- Enable features like AI image generation, video creation, and design tools
- Store and process your creative projects
Communication
- Send you technical notices, updates, security alerts, and administrative messages
- Respond to your comments, questions, and customer service requests
- Send promotional communications (with your consent, where required)
- Provide news and information about our products and services
Personalization
- Personalize and improve your experience
- Provide content recommendations
- Remember your preferences and settings
AI and Machine Learning
- Improve our AI models and algorithms using aggregated, anonymized data
- Develop new features and services
- Analyze usage patterns to enhance user experience
Safety and Security
- Detect, prevent, and address fraud, abuse, and security issues
- Protect the rights, property, and safety of our users and others
- Enforce our Terms of Service and other policies
Legal Compliance
- Comply with applicable laws, regulations, and legal processes
- Respond to lawful requests from public authorities
Lawful Basis for Processing (GDPR)
If you are located in the EEA, UK, or Switzerland, we process your personal data on the following lawful bases under the General Data Protection Regulation (GDPR):
Contract Performance (Article 6(1)(b))
- Creating and managing your account
- Providing the Service and its features
- Processing payments and subscriptions
- Delivering customer support
Legitimate Interests (Article 6(1)(f))
- Improving and optimizing our Service
- Detecting and preventing fraud and abuse
- Ensuring network and information security
- Conducting analytics on aggregated, anonymized data
- Sending Service-related communications
Consent (Article 6(1)(a))
- Sending marketing and promotional communications
- Placing non-essential cookies (analytics, marketing)
- Processing special categories of data, if applicable
Legal Obligation (Article 6(1)(c))
- Complying with tax, accounting, and financial reporting requirements
- Responding to valid legal requests from authorities
- Maintaining records required by law
You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. To withdraw consent, contact us at [email protected] or use the relevant controls in your account settings or cookie preferences.
AI-Generated Content and Data Processing
Lumina Studio OS uses artificial intelligence to provide creative tools and generate content. Here is how we handle AI-related data:
Content Generation
- When you use our AI features (image generation, video creation, etc.), your prompts and inputs are processed to generate content.
- Generated content is stored in your account and can be accessed, downloaded, or deleted at any time.
Model Training
- We may use aggregated, anonymized usage data to improve our AI models.
- We do NOT use your personal creative content to train our AI models without explicit consent.
- You retain full ownership of the content you create using our tools.
Third-Party AI Services
- AI features are powered by Google Gemini. Paid plans support a Bring Your Own Key (BYOK) option so you can connect your own API key.
- When using these services, your data is processed according to both our privacy policy and the respective third-party's privacy policy.
- We carefully select AI partners who maintain strong privacy and security standards.
Content Moderation
- AI-generated content may be automatically scanned to prevent the creation of harmful or prohibited content.
- This scanning is automated and designed to protect our community.
- No human review occurs unless flagged content requires manual investigation.
How We Share Your Information
We do not sell your personal information to third parties. We do not share your personal information for cross-context behavioral advertising. We may share your information in the following circumstances:
Service Providers
We share information with third-party vendors who perform services on our behalf, including:
- Cloud hosting and storage (Cloudflare)
- Payment processing (Stripe)
- Authentication services (Supabase Auth)
- Analytics and monitoring (Google Analytics)
- Email delivery services
All service providers are contractually obligated to use your information only to provide services to us and are prohibited from using it for their own purposes.
Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on our Service before your information becomes subject to a different privacy policy.
Legal Requirements
We may disclose your information if required by law or in response to valid legal requests, such as subpoenas, court orders, or government requests. We will attempt to notify you of such requests unless prohibited by law.
Protection of Rights
We may disclose information when we believe in good faith that it is necessary to:
- Protect our rights, privacy, safety, or property
- Protect the rights, privacy, safety, or property of our users or others
- Enforce our Terms of Service
- Respond to claims that content violates the rights of third parties
With Your Consent
We may share your information with third parties when you give us explicit consent to do so.
Aggregated or De-identified Data
We may share aggregated or de-identified information that cannot reasonably be used to identify you.
Data Security
We implement robust security measures to protect your information:
Technical Safeguards
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Secure cloud infrastructure with regular security audits
- Multi-factor authentication options
- Regular security testing and vulnerability assessments
- Automated threat detection and monitoring
- HTTP Strict Transport Security (HSTS) headers
Organizational Measures
- Limited access to personal data on a need-to-know basis
- Employee security training and awareness programs
- Incident response procedures with breach notification protocols
- Regular review and update of security policies
Your Responsibilities
- Keep your login credentials confidential
- Use strong, unique passwords
- Enable two-factor authentication when available
- Log out of your account on shared devices
- Report any suspected security incidents to us immediately at [email protected]
Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and relevant supervisory authorities as required by applicable law (within 72 hours under GDPR, without unreasonable delay under CCPA).
While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
Data Retention
We retain your information for as long as necessary to provide our Service and fulfill the purposes described in this Privacy Policy. Specific retention periods are:
Account Data
- Active accounts: Retained while your account is active
- Deleted accounts: Personal data is deleted within 30 days of account deletion
- Some data may be retained longer for legal, tax, or regulatory purposes
Content and Projects
- Your creative content is retained while your account is active
- Upon account deletion, content is permanently removed within 30 days
- Backups may retain data for up to 90 days before automatic purging
Usage and Analytics Data
- Aggregated analytics: Retained indefinitely in anonymized form
- Individual usage logs: Retained for 12 months, then deleted or anonymized
Communication Records
- Support tickets and communications: Retained for 3 years
- Marketing consent records: Retained for the duration of consent plus 3 years
Cookie Consent Records
- Consent audit logs: Retained for 3 years as required by GDPR accountability obligations
- Consent preferences: Automatically expire after 365 days, prompting re-consent
Legal Holds
- Data subject to legal proceedings may be retained until the matter is resolved
Your Privacy Rights (All Users)
Regardless of your location, we provide all users with the following rights:
Access and Portability
- Request a copy of the personal information we hold about you
- Receive your data in a structured, machine-readable format (JSON or CSV)
Correction
- Request correction of inaccurate or incomplete personal information
- Update your account information directly through your account settings
Deletion
- Request deletion of your personal information
- Delete your account and associated data
- Note: Some data may be retained for legal or legitimate business purposes
Restriction and Objection
- Request restriction of processing in certain circumstances
- Object to processing based on legitimate interests
- Opt out of marketing communications via the unsubscribe link in any email
Withdraw Consent
- Withdraw consent where processing is based on consent
- This will not affect the lawfulness of processing before withdrawal
Non-Discrimination
We will not discriminate against you for exercising your privacy rights. Exercising your rights will not result in denial of Service, different pricing, or a different level of service quality.
Exercising Your Rights
To exercise these rights, contact us at [email protected] or [email protected]. You may also use the controls available in your account settings. We will verify your identity before processing any request and respond within 30 days (or sooner if required by applicable law).
European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and equivalent local laws:
Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data, along with information about the purposes, categories, recipients, retention periods, and your rights.
Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data and completion of incomplete personal data.
Right to Erasure (Article 17)
You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, when you object to processing, or when data has been unlawfully processed. This right does not apply where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.
Right to Restriction of Processing (Article 18)
You have the right to request restriction of processing while we verify accuracy, if processing is unlawful but you oppose erasure, if we no longer need the data but you require it for legal claims, or if you have objected to processing pending verification of legitimate grounds.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller without hindrance.
Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease processing immediately.
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects you. We do not currently engage in solely automated decision-making that produces legal effects.
Right to Lodge a Complaint
You have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK residents may contact the Information Commissioner's Office (ICO).
Data Protection Contact
For GDPR-related inquiries, contact our Data Protection team at [email protected]. We will respond within 30 days. If we need an extension, we will inform you within the initial 30-day period.
International Transfers
When we transfer personal data outside the EEA/UK, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission, adequacy decisions, or other approved transfer mechanisms. You may request a copy of the applicable SCCs by contacting us.
California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). This section serves as our "Notice at Collection" and describes your rights.
Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
- **Identifiers:** Name, email address, IP address, unique account identifiers
- **Customer Records:** Name, billing address, payment information (via Stripe)
- **Commercial Information:** Subscription plan, purchase history, usage records
- **Internet/Network Activity:** Browsing history on our Service, search history within our tools, interaction data
- **Geolocation Data:** Approximate location derived from IP address
- **Professional Information:** Job title and company (if provided in your profile)
- **Inferences:** Preferences, characteristics, and behavior drawn from the above categories
Categories of Personal Information Disclosed for a Business Purpose
We disclose identifiers, customer records, commercial information, and internet/network activity to our service providers (Cloudflare, Stripe, Supabase, Google Analytics) for the purposes described in Section 6 of this Privacy Policy.
Sale and Sharing of Personal Information
We do NOT sell your personal information as defined by the CCPA. We do NOT share your personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.
Your California Rights
- Right to Know (Cal. Civ. Code § 1798.110): You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting, and the categories of third parties with whom we share your information.
- Right to Delete (Cal. Civ. Code § 1798.105): You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, completing transactions, security).
- Right to Correct (Cal. Civ. Code § 1798.106): You have the right to request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing (Cal. Civ. Code § 1798.120): Although we do not sell or share personal information, you may exercise this right at any time. We honor Global Privacy Control (GPC) signals as a valid opt-out request.
- Right to Limit Use of Sensitive Personal Information (Cal. Civ. Code § 1798.121): We do not use or disclose sensitive personal information for purposes other than those permitted under the CPRA.
- Right to Non-Discrimination (Cal. Civ. Code § 1798.125): We will not discriminate against you for exercising any of your CCPA/CPRA rights.
How to Submit a Request
Submit a verifiable consumer request by emailing [email protected] or [email protected]. You may also use the "Do Not Sell" toggle in our cookie consent preferences. We will verify your identity by matching information you provide against our records. We will respond within 45 days. If we need additional time, we will notify you of the extension (up to 90 days total).
Authorized Agents
You may designate an authorized agent to submit requests on your behalf. Authorized agents must provide written authorization signed by you and may be required to verify their own identity.
California Shine the Light (Cal. Civ. Code § 1798.83)
California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. As stated above, we do not share personal information with third parties for their direct marketing purposes.
Minors Under 16
We do not knowingly sell or share the personal information of consumers under 16 years of age.
Other U.S. State Privacy Rights
If you reside in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or another U.S. state with comprehensive privacy legislation, you may have additional rights similar to those described in the GDPR and CCPA sections above.
Common Rights Under State Privacy Laws
- **Right to Access:** Confirm whether we are processing your personal data and access that data
- **Right to Correct:** Request correction of inaccurate personal data
- **Right to Delete:** Request deletion of personal data you have provided or that we have obtained
- **Right to Data Portability:** Obtain a copy of your personal data in a portable, readily usable format
- **Right to Opt-Out:** Opt out of the processing of personal data for targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects
- **Right to Non-Discrimination:** Exercise your rights without receiving discriminatory treatment
Exercising Your Rights
To exercise rights under any applicable state privacy law, contact us at [email protected] or [email protected]. We will verify your identity and respond within the timeframe required by your state's law (typically 45 days).
Appeals
If we decline to take action on your request, you have the right to appeal. To appeal, email us at [email protected] with the subject line "Privacy Rights Appeal." We will respond to appeals within 60 days. If the appeal is denied, you may contact your state's Attorney General.
International Data Transfers
Lumina Studio OS operates globally, and your information may be transferred to and processed in countries other than your country of residence, including the United States.
Transfer Mechanisms
- For EEA/UK/Swiss users: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK Information Commissioner's Office
- We rely on adequacy decisions where available
- We implement additional technical and organizational safeguards as appropriate
Data Storage
- Primary data storage is in the United States via Cloudflare and Supabase infrastructure
- We may use servers in other locations for performance and redundancy
- All data centers meet our security and compliance requirements
Your Choices
If you do not consent to the transfer of your information to the United States or other countries, you may choose not to use our Service. By creating an account, you acknowledge that your data will be processed in the United States.
Children's Privacy
Lumina Studio OS is not directed to children. We do not knowingly collect personal information from children under the following ages:
- Under 13 in the United States (per COPPA)
- Under 16 in the EEA/UK (per GDPR, unless the member state has set a lower age, but no lower than 13)
Our Policy
- We do not knowingly collect, use, or disclose personal information from children below the applicable age threshold
- If we discover we have collected information from a child below the applicable age, we will delete it promptly and terminate the associated account
- We do not knowingly sell or share the personal information of minors under 16
Parental Rights
If you are a parent or guardian and believe your child has provided personal information to us, please contact us at [email protected] to request deletion. We will take steps to verify your identity as the parent or guardian before processing the request.
Third-Party Links and Services
Our Service may contain links to third-party websites, services, or applications that are not operated by us.
Third-Party Services We Use
- Cloudflare (hosting, CDN, security)
- Stripe (payment processing)
- Supabase (authentication, database)
- Google Analytics (website analytics)
- Google Gemini (AI content generation)
Your Interactions
- We are not responsible for the privacy practices of third parties
- We encourage you to review the privacy policies of any third-party services you access
- Information you share with third parties is governed by their privacy policies
Integrations
When you connect third-party services to your Lumina Studio OS account:
- We only access information necessary for the integration
- You can disconnect integrations at any time through your account settings
- Disconnecting will stop future data sharing but may not delete previously shared data
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
Notification of Changes
- We will post the updated Privacy Policy on this page with a new "Last Updated" date
- For material changes, we will provide prominent notice via email to the address associated with your account, an in-app notification, or a banner on our website
- Material changes will not take effect until at least 30 days after notice is provided
Your Continued Use
Your continued use of the Service after the effective date of any changes indicates your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should stop using the Service and may request deletion of your account.
Review Regularly
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
General Inquiries
Privacy and Data Rights Requests
Technical Support
Data Protection Contact (GDPR)
For EU/EEA/UK residents with GDPR-related inquiries, contact our Data Protection team at [email protected]
California Privacy Requests (CCPA/CPRA)
For California residents exercising CCPA/CPRA rights, email [email protected] with the subject line "California Privacy Request"
Response Time
- General inquiries: Within 30 days
- GDPR requests: Within 30 days (extendable by 60 days for complex requests, with notice)
- CCPA/CPRA requests: Within 45 days (extendable by 45 days, with notice)
Preferred Contact Method
For fastest response, please use email and include:
- Your account email (if applicable)
- A detailed description of your question or request
- Your state or country of residence (to ensure we apply the correct legal framework)
- Any relevant documentation
Have Questions?
If you have any questions about this Privacy Policy or our data practices, we're here to help.