PRIVACY POLICY
Effective 01/06/2026
ARTICLE 1 — DATA CONTROLLER
The data controller for personal data collected on https://lumipost.app is:
Droid FACTORY, EURL — Share capital €1,000
Registered with the Toulouse Trade and Companies Register under number B 912 234 150
13 rue Sainte Ursule, 31000 Toulouse, France
Contact: contact@lumipost.app
ARTICLE 2 — DATA COLLECTED
In connection with your use of LumiPost, we collect the following data:
Identity data: full name, email address.
Authentication data: hashed password (bcrypt), one-time password (OTP) codes (not stored after verification).
Profile data: monitoring keywords, sector, curation mandate, schedule preferences.
Billing data: payment information processed exclusively by Stripe (we do not store your card details).
Usage data: articles viewed, saved, AI scores, login activity.
Technical data: IP address at login (retained for a limited period for security purposes).
ARTICLE 3 — PURPOSES OF PROCESSING
Your data is processed for the following purposes:
Service delivery: authentication, generation of personalised news feeds, AI relevance scoring.
Subscription management: payment processing, access management based on subscribed plan (Starter or Pro).
Security: prevention of unauthorised access, connection rate limiting.
Service improvement: aggregated and anonymised usage analysis via PostHog (analytics).
Communication: sending OTP codes by email, subscription-related notifications.
ARTICLE 4 — LEGAL BASIS
Processing is based on the following legal grounds under the GDPR (EU Regulation 2016/679):
Performance of a contract (Art. 6.1.b): processing necessary to deliver the subscribed service.
Legitimate interest (Art. 6.1.f): platform security, fraud prevention, service improvement.
Legal obligation (Art. 6.1.c): retention of billing data in accordance with French accounting requirements.
ARTICLE 5 — RETENTION PERIODS
Account data: retained for the duration of the active subscription, then 3 years after termination for legal purposes.
Billing data: 10 years in accordance with accounting obligations (French Commercial Code).
Login logs and OTPs: maximum 90 days.
Usage data (feeds, scores): retained for the duration of the subscription, deleted within 30 days of account closure.
Upon expiry of these periods, your data is permanently deleted or irreversibly anonymised.
ARTICLE 6 — YOUR RIGHTS
Under the GDPR, you have the following rights over your personal data:
Right of access: obtain a copy of the data held about you.
Right to rectification: correct inaccurate or incomplete data.
Right to erasure: request deletion of your data ('right to be forgotten').
Right to restriction: limit processing in certain circumstances.
Right to data portability: receive your data in a structured, machine-readable format.
Right to object: object to processing based on legitimate interest.
To exercise these rights, contact us at the address below. We respond within 30 days. You may also lodge a complaint with the CNIL (www.cnil.fr) or your local supervisory authority.
ARTICLE 7 — COOKIES AND TRACKERS
LumiPost uses cookies and similar technologies for the following purposes:
Session cookie (lumi_session): HttpOnly cookie essential for authentication. Duration: 7 days. No consent required (strictly necessary).
Analytics (PostHog): anonymised audience measurement hosted on PostHog's European servers (eu.i.posthog.com). No personally identifiable data is transmitted.
LumiPost does not use any advertising or third-party tracking cookies.
You may configure your browser to refuse cookies. Refusing the analytics cookie does not affect the functioning of the service.
ARTICLE 8 — SUB-PROCESSORS AND TRANSFERS
LumiPost uses the following sub-processors, all subject to contractual guarantees compliant with the GDPR:
Supabase Inc. (database, EU hosting) — https://supabase.com/privacy
Mistral AI SAS (AI article processing, France) — https://mistral.ai/privacy
Stripe Inc. (payments, Privacy Shield / SCCs) — https://stripe.com/privacy
PostHog Inc. (analytics, EU servers) — https://posthog.com/privacy
Webshare Inc. (collection proxies) — https://www.webshare.io/privacy-policy
No data is transferred outside the EU without appropriate safeguards (standard contractual clauses or adequacy decision).