Privacy policy
Last updated June 19, 2026
Plain-English summary
- Lumera is a privacy-first family operating system. Your family's calendar, chores, meals, notes, photos, and gift lists are stored encrypted with a key the server can't read by itself.
- We never sell your data, and we never use your data — including anything we read from your Google Calendar — for advertising.
- The only people who can read your encrypted data are the family members you invite. Lumera staff cannot read it without your password (we use envelope encryption with a per-family key).
- You can disconnect Google Calendar (or any other connection), delete your account, or export your data at any time from Settings.
What information we collect
Lumera stores only what's needed to make the product work for your family:
- Account information — your email address, password hash, family member display names, and (optionally) date of birth so we can compute ages and surface birthdays.
- Family content — events, chores, meals, recipes, photos, knowledge notes, gift lists, and any text you type into the app. All Tier-A user-visible content is encrypted with a per-family Data Encryption Key (DEK) that is itself wrapped by a Key Management Service.
- Calendar / external integrations — if you connect Google Calendar, Microsoft Outlook, or Apple iCloud, we read events from the calendars you choose and (when you opt in to two-way sync) write the events you create in Lumera back to those services.
- Inbound email / scans— when you forward an email to your family's Lumera address or upload a photo / PDF, we run it through an AI classifier to detect events, recipes, chores, etc. The original content is encrypted before storage.
- Operational logs — server logs, error reports, and an audit log of security events (sign-ins, password resets, account recovery). These never contain decrypted family content.
How we use information
Lumera uses your data exclusively to provide the product features you signed up for. Specifically:
- Render your family's calendar, chores, meals, etc. inside the app and on devices you authorize.
- Run the AI classifier on inbound emails and scans you submit so they land in the right place.
- Sync events back to the calendar providers you've connected.
- Send transactional emails: RSVP confirmations, password resets, co-parent invitations, the optional weekly digest, and the host-broadcast updates you initiate.
- Detect abuse, prevent fraud, and keep the service running securely.
We do not use your data for advertising, do not sell or rent it to third parties, and do not share it with anyone other than the sub-processors listed below.
Google API Services — Limited Use disclosure
Lumera's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
What we request from Google
https://www.googleapis.com/auth/calendar.readonly— to read events from the calendars you choose to connect.https://www.googleapis.com/auth/calendar.events— to create, update, and delete events on those same calendars, but only when you have explicitly enabled two-way sync for a specific Lumera sub-calendar.- Your Google account email and name, via
oauth2.userinfo, so the app can show which Google account is connected.
What we do with that data
Google Calendar events are merged into your Lumera family calendar so the household can see one combined schedule. Events you create inside Lumera are pushed back to the calendars you authorized for two-way sync. That's it.
What we do not do with that data
- We do not use Google user data for advertising, ad targeting, or marketing.
- We do not sell or rent Google user data.
- We do not let humans (including Lumera staff) read your Google user data, except for the narrow exceptions the Limited Use policy permits: with your explicit consent, for security investigations, to comply with applicable law, or when data is fully anonymized + aggregated for internal operations.
- We do not use Google user data to train, fine-tune, or evaluate any large language model.
Disconnecting Google
You can disconnect Google Calendar at any time from your Lumera calendar page — open the Connected calendars panel and tap Disconnect. Disconnecting stops all sync and deletes the OAuth refresh token Lumera stored for you. You can also revoke the connection directly at myaccount.google.com/permissions.
Encryption and access
Family-facing content is stored under envelope encryption: each family has a unique Data Encryption Key (DEK), and that DEK is wrapped by a Key Management Service (KMS) that itself never sees plaintext content. The DEK is unwrapped on a per-request basis using your password-derived session key.
Practically, this means Lumera operators cannot read your family's events, chores, photos, notes, or messages. If you forget your password and have not opted into recovery escrow, we cannot recover the data for you — it stays encrypted with a key no one holds. That's the privacy trade-off the architecture is designed to deliver.
Sub-processors
Lumera relies on a small number of vendors to operate the service. None of them receive decrypted family content:
- Vercel — hosts the web application and receives encrypted bytes only.
- Supabase / Postgres — stores encrypted rows.
- Vercel Blob — stores encrypted photo and document bytes.
- Resend — delivers transactional email (recipient address + subject + rendered body are visible to Resend for the duration of delivery, same as any email provider).
- Anthropic— runs the AI classifier on the specific scan you submit. We send the scan's content for the classification call only. Anthropic does not retain your content for training under the API agreement we use.
- OpenAI— when you opt in to generated flyer artwork, the prompt you build (no Google or family content) is sent to OpenAI's image API. The generated PNG comes back and is encrypted before storage.
- Google / Microsoft / Apple — only when you connect those calendar providers, and only for the calendars you choose.
Data retention and deletion
We keep your data for as long as you maintain a Lumera account. You can delete your account at any time from Settings → Account → Delete account. Deletion wipes:
- All Postgres rows for your family (events, chores, meals, members, gift lists, RSVPs, etc.).
- All encrypted blobs (photos, documents, flyer artwork).
- The wrapped DEK that protected your family content.
- OAuth tokens for any calendar providers you had connected.
Account-deletion is irreversible and propagates within minutes. Operational logs (without decrypted content) may persist in backups for up to 30 days before automatic rotation removes them. We do not retain Google user data after disconnection beyond what's needed to flush in-flight sync jobs (typically seconds; always under 24 hours).
Children
Lumera is designed for families and includes surfaces that are visible to children inside the household. Parent / guardian accounts hold the encryption keys and grant per-member access to content. Lumera is not directed at children outside the household context; we do not knowingly collect personal information from children under 13 outside of a parent-managed family account.
Your choices
- Access & export — contact hello@lumera.family for a JSON export of your family data.
- Correction— most fields are editable directly in the app. For anything that isn't, email the address above.
- Deletion — Settings → Account → Delete account.
- Withdraw consent for Google — Calendar → Connected calendars → Disconnect.
Changes
We'll update this page when our practices change. Material changes are announced in-app or by email at least 30 days before taking effect.
Contact
Questions about this policy or a data-protection concern: hello@lumera.family.