Privacy Policy
Last updated: 2026-05-07
1. What we collect
- Account data. Email address, organization, role, and authentication credentials.
- Content you upload. SOPs, videos, panoramas, 3D assets, hotspots, and any text or media you place in modules.
- Author activity. Server-side product events (signup, first module, first publish, etc.) used to measure activation and improve the product. Tied to your user ID — not shared externally.
- Learner activity. Anonymous fingerprints for learners who play published modules — used for per-module analytics (hotspot views, completions). No PII is collected from learners.
- Billing data. Collected and processed by Stripe. We do not store card numbers.
2. How we use it
- Provide, operate, and improve the Service.
- Process payments and manage subscriptions.
- Send transactional email (receipts, trial-ending, payment-failed notices).
- Respond to support requests.
- Measure product activation and funnel performance in aggregate.
Legal basis for processing (GDPR Art. 6(1))
Under Articles 13 and 14 of the GDPR we are required to inform you of the legal basis for each processing activity. The table below maps each category to its lawful basis.
| Processing activity | Legal basis |
|---|---|
| Account data (name, email, organization) | Contract performance — Art. 6(1)(b) |
| Authentication & session management | Contract performance — Art. 6(1)(b) |
| AI processing (SOP extraction, 3D generation) | Contract performance — Art. 6(1)(b) |
| Product analytics (usage, feature adoption) | Legitimate interest — Art. 6(1)(f) |
| Error monitoring (Sentry) | Legitimate interest — Art. 6(1)(f) |
| Billing & invoicing | Legal obligation — Art. 6(1)(c) |
| Marketing emails | Consent — Art. 6(1)(a) |
| Cookies & tracking (when enabled) | Consent — Art. 6(1)(a) |
Where we rely on legitimate interest, you may object at any time — see Section 5 below. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
3. Subprocessors
We use the following processors to deliver the Service:
- Supabase — database, auth, file storage
- Vercel — application hosting
- Cloudflare R2 — asset and published-module storage + CDN
- Upstash Redis — rate limits, ephemeral state
- Inngest — background job execution
- Anthropic — Claude (hotspot generation from SOPs)
- OpenAI — Whisper (video transcription)
- Meshy & Tripo3D — 3D asset generation
- Stripe — payment processing
- Resend — transactional email delivery
- Sentry — error monitoring (when enabled)
We do not sell personal data. AI subprocessors (Anthropic, OpenAI, Meshy, Tripo3D) receive only the inputs required to generate the requested output and, per their published policies, do not train on your content.
4. Retention
Account data is retained for the life of your account and 30 days after deletion. Learner event data is retained for 24 months. Published module content is retained as long as your account is active. Billing records are retained for 7 years (legal requirement).
5. Your rights (GDPR / CCPA)
You may access, correct, export, or delete your personal data at any time. For EU residents: you may also object to processing or lodge a complaint with your local data protection authority. For California residents: you have the right to know what personal information is collected and to request deletion.
To exercise any of these rights, email legal@lumenxr.com. We will respond within 30 days.
6. Cookies
We use a single authentication cookie (managed by Supabase) to maintain your session. This is strictly necessary for the Service to function and does not require consent. If we enable optional analytics or error-monitoring cookies in the future, we will request your consent before setting them.
7. Cross-border data transfers
Your data is processed and stored in the United States. For EU/EEA users, transfers are supported by the EU-US Data Privacy Framework where applicable, or Standard Contractual Clauses. If you require additional transfer safeguards, contact us at legal@lumenxr.com.
8. Data Processing Agreement
Enterprise customers requiring a Data Processing Agreement (DPA) for GDPR compliance may request our standard DPA by emailing legal@lumenxr.com.
9. Security
Data is encrypted in transit (TLS) and at rest. Access to production systems is limited to authorized personnel. We will notify affected customers of any security incident within 72 hours of confirmation.
10. Children
The Service is not directed to children under 16. We do not knowingly collect data from children. If you believe we have, contact legal@lumenxr.com for removal.
11. Changes
We may update this policy. Material changes will be announced at least 30 days before taking effect.
12. Contact
Privacy questions: legal@lumenxr.com.