Last updated: April 2026
Effective date: April 2026
1. Who We Are
LUMA ("we," "us," or "our") operates the LUMA platform accessible at luma-game.com (the "Platform"), a web-based companion discovery and stewardship experience. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Platform.
Data Controller contact: privacy@luma-game.com
2. What Data We Collect
We collect information that you provide directly and information generated automatically when you use the Platform.
2.1 Information You Provide
| Category | Examples | Purpose |
|---|---|---|
| Account data | Email address, display name, chosen handle | Account creation, authentication, communication |
| Profile data | Bio, avatar, featured companion selection | Public profile display, social features |
| Gameplay data | Discovery records, companion ownership, stewardship actions, project progress | Core gameplay functionality |
| Communication data | Support requests, feedback submissions | Customer support, product improvement |
2.2 Information Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Usage data | Pages viewed, features used, interaction timestamps | Platform improvement, analytics |
| Device data | Browser type, operating system, screen resolution | Technical compatibility, debugging |
| Log data | IP address, access timestamps, error logs | Security, abuse prevention, debugging |
2.3 Information from Third-Party Services
When you sign in using Google or Discord, we receive your name, email address, and profile picture from those services. We do not receive or store passwords from third-party providers.
3. How We Use Your Data
We use your personal data only for the following purposes:
- Providing the Platform — creating and maintaining your account, enabling gameplay, delivering notifications
- Security and anti-abuse — detecting fraud, preventing unauthorized access, enforcing rate limits
- Communication — responding to support requests, sending service-critical notifications (e.g., account verification)
- Improvement — analyzing usage patterns in aggregate to improve the Platform experience
- Legal compliance — meeting applicable legal obligations
We do not use your data for:
- Selling to third parties
- Behavioral advertising or ad targeting
- Automated decision-making that produces legal effects
- Profiling for purposes unrelated to the Platform
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data under the following legal bases:
| Purpose | Legal basis |
|---|---|
| Account creation and gameplay | Performance of a contract (Art. 6(1)(b) GDPR) |
| Security and abuse prevention | Legitimate interest (Art. 6(1)(f) GDPR) |
| Legal compliance | Legal obligation (Art. 6(1)(c) GDPR) |
| Analytics and improvement | Legitimate interest (Art. 6(1)(f) GDPR) |
| Marketing communications (if any) | Consent (Art. 6(1)(a) GDPR) |
5. Data Sharing
We share personal data only in the following circumstances:
- Service providers — We use third-party services to operate the Platform (hosting, email delivery, error tracking). These providers process data on our behalf under contractual obligations that require them to safeguard your data.
- Legal requirements — We may disclose data when required by law, subpoena, or legal process.
- Safety — We may disclose data to protect the rights, safety, or property of our users or the public.
We do not sell, rent, or trade your personal data.
Current service providers
| Provider | Purpose | Data processed |
|---|---|---|
| Vercel | Web hosting | IP address, access logs |
| Neon | Database | Account and gameplay data (encrypted at rest) |
| Upstash | Cache and rate limiting | Session identifiers |
| Cloudflare | CDN, security (Turnstile) | IP address, challenge tokens |
| Resend / SMTP provider | Email delivery | Email address, message content |
| Sentry | Error tracking | Error context, device info (no PII in default config) |
| Google (OAuth) | Authentication | Email, name, profile picture |
| Discord (OAuth) | Authentication | Email, username, avatar |
6. Data Retention
We retain your data for as long as your account is active or as needed to provide the Platform. Specifically:
| Data type | Retention period |
|---|---|
| Account data | Until account deletion or 2 years of inactivity |
| Gameplay data | Until account deletion |
| Log and security data | Up to 90 days |
| Support requests | Up to 1 year after resolution |
| Audit trail | Up to 2 years |
Upon account deletion, we remove or anonymize your personal data within 30 days, except where retention is required by law.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
GDPR (EEA/UK/Switzerland)
- Access — Request a copy of your data
- Rectification — Correct inaccurate data
- Erasure — Request deletion of your data ("right to be forgotten")
- Restriction — Limit how we process your data
- Portability — Receive your data in a structured, machine-readable format
- Objection — Object to processing based on legitimate interest
- Withdraw consent — Where processing is based on consent
CCPA/CPRA (California)
- Know — What personal information we collect and how it is used
- Delete — Request deletion of personal information
- Opt-out of sale — We do not sell personal information
- Non-discrimination — We will not discriminate against you for exercising your rights
To exercise any of these rights, contact us at privacy@luma-game.com or use the data export and deletion tools in your account settings (Settings → Data and privacy).
We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA).
8. Cookies and Similar Technologies
8.1 What Are Cookies
Cookies are small text files stored on your device when you visit a website. We use cookies and similar technologies to operate the Platform.
8.2 Cookies We Use
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| Session cookie | Strictly necessary | Maintains your authenticated session | Session / 30 days |
| Locale preference | Strictly necessary | Remembers your language choice | 1 year |
| Cloudflare Turnstile | Strictly necessary | Anti-bot verification | Session |
| __cf_bm | Strictly necessary | Cloudflare bot management | 30 minutes |
8.3 What We Do NOT Use
- ❌ No advertising cookies — We do not serve ads or use ad tracking
- ❌ No third-party analytics cookies — We do not use Google Analytics, Facebook Pixel, or similar tracking tools
- ❌ No social media tracking cookies — OAuth login does not place tracking cookies
8.4 Cookie Consent
Because we use only strictly necessary cookies (required for the Platform to function), we do not require a cookie consent banner under GDPR. However, if we introduce non-essential cookies in the future, we will implement a consent mechanism before doing so.
8.5 Managing Cookies
You can control cookies through your browser settings. Note that disabling strictly necessary cookies may prevent you from using the Platform.
9. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS enforced via HSTS)
- Encryption at rest (database provider-level encryption)
- Access controls and authentication (JWT sessions with version-based revocation)
- Rate limiting and anti-abuse measures (Cloudflare Turnstile, IP-based throttling)
- Regular security reviews and audit logging
- No plaintext password storage (we use passwordless authentication)
No system is perfectly secure. If you discover a security vulnerability, please report it to security@luma-game.com.
10. Children's Privacy
The Platform is not directed to children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it promptly.
11. International Data Transfers
Your data may be processed in countries outside your country of residence, including the United States. When we transfer data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Platform and updating the "Last updated" date. Continued use of the Platform after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights:
- Email: privacy@luma-game.com
- Platform: Settings → Data and privacy → Support request
- Supervisory authority: If you are in the EEA, you have the right to lodge a complaint with your local data protection authority.