Privacy Policy

This Privacy Policy describes how Lumen (“we”) collects, uses, and shares personal information when you use the Service. We apply the principles of Canada’s PIPEDA and Ontario’s applicable privacy legislation. If you are in the EU/UK, we apply GDPR/UK-GDPR principles. If you are in California, we apply CCPA/CPRA.

1. Information we collect

• Account data: email address; display name (optional); authentication tokens issued by Supabase. If you sign in with Google, we receive your email and basic profile from Google’s OAuth service. We do not receive your Google password.
• Usage data: mock attempts (questions seen, answers selected, scores, time spent); per-topic performance; flags such as “mark for review.”
• Technical data: IP address (used for rate limiting and abuse prevention); browser user-agent; pages visited; HTTP request metadata.
• Payment data: if you purchase a subscription, Stripe processes your payment. We never see or store your card number. We receive only your customer ID, subscription status, and the last four digits of your card from Stripe.

2. How we use it

• To provide the Service: build mocks, score attempts, surface gaps.
• To exclude already-seen questions when you take a new mock.
• To send sign-in links and account-related notifications.
• To prevent abuse and secure the Service (rate limiting, fraud detection).
• To process payments and manage subscriptions (where applicable).
• To improve content quality (aggregated, never identifying individuals).

We do not sell your personal information. We do not use your data to train third-party large language models. We do not share usage data with advertisers.

3. Sub-processors

• Supabase — database and authentication. Hosted in the US; data may be processed there.
• Vercel — hosting and edge runtime.
• Stripe — payment processing.
• OpenRouter / Anthropic / Google — only when acting as drafting / question-generation providers, and only against non-identifying prompts. Your personal account data is never sent to these providers.
• Google Analytics 4 — aggregate product analytics (page views, sign-in, mock start/complete, purchase events). IP anonymization is enabled. We do not pass email, name, or other direct identifiers to GA4. We share an internal user UUID only when you are signed in, so we can analyze funnel performance.

4. Cookies

We use first-party cookies for authentication (Supabase session) and for guest-attempt tracking (an HttpOnly token cookie that ties an anonymous attempt to its server-stored grading). Google Analytics 4 sets its own first-party cookies (_ga, _ga_*) on this domain to measure traffic in aggregate. We do not use third-party advertising cookies and do not run cross-site tracking pixels.

5. Retention

• Authed user attempts: retained while your account exists.
• Guest attempts: 24 hours, then automatically purged.
• Auth audit logs: 90 days.
• Payment records: as required by tax law, typically 7 years.

6. Your rights

You can request access, correction, export, or deletion of your data by contacting us. EU/UK residents may lodge a complaint with their local supervisory authority. We respond to verified requests within 30 days.

7. Security

Data is transmitted over HTTPS. Application secrets are stored in the hosting provider’s encrypted environment store. Database access uses row-level security to scope each user to their own attempts. We apply the principle of least privilege for service credentials. We do not, however, guarantee that no breach can occur; if one does, we will notify affected users in accordance with applicable breach-notification laws.

8. Children

The Service is not directed to anyone under 16. If you believe a minor has created an account, contact us and we will remove it.

9. Changes

We may update this Policy. Material changes will be communicated via email or in-product notice at least 14 days before taking effect.

10. Contact

Privacy questions: contact via the email address listed in the GitHub repository’s README, or by reaching the project owner directly.