← Back to LumaDeck

Privacy Policy

Last updated: 9 April 2026 · Effective date: 9 April 2026

This Privacy Policy explains how CJ Development ("we", "us", "our"), the operator of LumaDeck, collects, uses, and protects your personal data when you use the LumaDeck web application and related services (the "Service"). We comply with the EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, and Spanish data protection law (LOPDGDD).

1. Data Controller

CJ Development
Email: privacy [at] lumadeck.app
Website: lumadeck.app (also reachable via lumadeck.es)

2. What data we collect

2.1 Account data

• Email address (required for authentication)
• Display name (optional)
• Profile picture URL (only if you sign in via Google OAuth)
• Encrypted authentication tokens managed by Supabase Auth

2.2 Usage data

• Subscription tier (free / pro) and purchase history
• Saved show configurations (loops, presets, branding)
• Token balance and ad-watch logs (for the rewarded-ad token system)
• Aggregated, anonymous performance metrics (page load, errors)

2.3 Payment data

We do not store your card details. Payments are processed directly by Stripe, a PCI-DSS Level 1 provider. We only retain a Stripe customer ID and subscription status to manage your account.

2.4 Audio and microphone

If you grant microphone access, the audio is processed locally in your browser for visual reactivity. No audio is transmitted, recorded, or stored on our servers.

2.5 Cookies and local storage

We use first-party local storage to remember your preferences and session. We do not use third-party advertising cookies, and we do not show ads.

3. Legal basis for processing

• Contract performance (Art. 6(1)(b) GDPR): account creation, subscription management, payment processing.
• Legitimate interest (Art. 6(1)(f) GDPR): security, fraud prevention, service improvement.
• Consent (Art. 6(1)(a) GDPR): microphone access, marketing emails (if you opt in).
• Legal obligation (Art. 6(1)(c) GDPR): tax records and accounting required by Spanish law.

4. How we use your data

• Provide and maintain the Service
• Process payments and manage subscriptions
• Authenticate you and protect your account
• Sync your shows across devices
• Send transactional emails (receipts, password resets)
• Detect abuse, fraud, and security incidents

5. Data sharing

We share data only with processors necessary to deliver the Service:

• Supabase (auth, database, storage) — EU/US, GDPR-compliant
• Stripe (payments) — Ireland/US, GDPR-compliant
• OVH / self-hosted infrastructure (hosting) — EU (France), under CJ Development's direct control

We never sell your personal data.

6. International transfers

Some processors operate outside the EU. Where this occurs, transfers rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or the EU-US Data Privacy Framework.

7. Data retention

• Account data: kept while your account is active. Deleted within 30 days of account deletion.
• Payment records: 6 years (Spanish tax law).
• Logs and security events: 90 days.

8. Your rights (GDPR)

You have the right to:

• Access your personal data (Art. 15)
• Rectify inaccurate data (Art. 16)
• Erase your data ("right to be forgotten", Art. 17)
• Restrict processing (Art. 18)
• Portability — receive your data in a machine-readable format (Art. 20)
• Object to processing based on legitimate interest (Art. 21)
• Withdraw consent at any time
• Lodge a complaint with the Spanish DPA (AEPD)

To exercise any of these rights, email privacy [at] lumadeck.app. We respond within 30 days.

9. Security

We use industry-standard measures: TLS 1.3 in transit, AES-256 at rest, Row-Level Security on the database, and signed webhooks for payment events. No system is 100% secure, but we work continuously to protect your data.

10. Children

LumaDeck is not directed at children under 16. We do not knowingly collect data from minors. If you believe a child has registered, contact us.

11. Changes to this policy

We may update this policy. Material changes will be announced via email or in-app notification at least 30 days before they take effect.

12. Contact

Questions? Email privacy [at] lumadeck.app or visit our contact page.