Last updated: May 11, 2026
Lumidara ("we", "us", "our") is committed to protecting the privacy of our users and their clients. This Privacy Policy explains how we collect, use, and safeguard information when you use our Service.
Account information: When you create an account, we collect your email address, business name, phone number, and timezone.
Client data: Business owners enter client information including names, email addresses, phone numbers, and birthdays. This data is owned by the business and stored on their behalf.
Usage data: We collect anonymized usage analytics to improve the Service, including pages visited, features used, and session duration.
Technical data: When you or your clients interact with the Service, we collect IP addresses and basic request metadata used to secure authentication endpoints, enforce rate limits, and detect abuse.
Payment information: Subscription payments are processed by Stripe. We do not store credit card numbers or banking details on our servers.
Cancellation feedback: When a business cancels its subscription, we optionally collect a reason and free-text feedback to help us improve the Service.
We use collected information to:
Provide and maintain the Service
Process subscription payments
Send transactional messages (account verification, password resets, portal sign-in verification codes, booking confirmations, appointment reminders, cancellation notices, client welcome emails, and trial-ending notices)
Send automated campaign emails and SMS on behalf of business owners
Provide customer support
Secure authentication endpoints against abuse
Improve the Service through anonymized analytics
We do not sell personal information to third parties. We share data only with service providers necessary to operate the platform:
Supabase: database hosting and authentication
Stripe: payment processing
Resend: transactional and campaign emails
Twilio: SMS delivery, including portal authentication codes
Upstash: rate limiting for authentication endpoints
Vercel: application hosting
We implement industry-standard security measures including encrypted connections (SSL/TLS), Row Level Security ensuring businesses can only access their own data, secure password hashing, and regular security reviews.
Authentication SMS: When a client signs in to a business's portal, we send a one-time verification code to the phone number they enter. These messages are transactional, sent only at the client's own request, and are never used for marketing.
Marketing SMS: Marketing SMS is sent only to clients who have provided explicit opt-in consent. We store opt-in timestamps and sources for compliance. Clients can opt out at any time by replying STOP. Business owners are responsible for ensuring compliance with the TCPA and other applicable regulations.
Business data is retained for the duration of the active account. Upon account cancellation, data is retained for 30 days (to allow for reactivation) and then permanently deleted. Business owners can request immediate deletion by contacting us.
You have the right to access, update, or delete your personal information at any time. Business owners can manage their account, clients, and subscription through the dashboard. Clients can manage their email and SMS notification preferences through their portal account, or by using the unsubscribe link included in every marketing email. To request a data export or deletion, or for any privacy concerns, please contact us.
We use essential cookies for authentication and session management. This includes a session cookie for business owners signed in to the dashboard, a portal session cookie for clients who have signed in (valid for 30 days), and a short-lived verification cookie used during the portal sign-in flow. We do not use advertising cookies and we do not sell cookie data.
We may update this Privacy Policy from time to time. We will notify you of material changes via email. Continued use of the Service after changes constitutes acceptance of the updated policy.
Privacy questions or concerns? Contact us.