🔒 Lumi AI Assistant — Privacy Policy

            🎯 Privacy‑first: Lumi works on an on‑page bubble principle and does not collect your browsing history. We only process the text you explicitly select for analysis.
        

1) What we collect

Account data (if you sign in): email and authentication tokens (OAuth). We do not collect or store passwords when using Google Sign‑In.
User‑provided text: only the text you select, temporarily sent for AI processing.
Diagnostics (optional): anonymous diagnostics and error events if you enable them (off by default).

2) What we do not collect

Browsing history: we do not record which pages you visit.
Location, payment, health, or device ID data: we do not collect these.

3) How we use data

Functionality: we send selected text to AI providers to return an answer.
Account and security: we handle authentication and token refresh.
Reliability: diagnostics only if enabled by you.

4) Processing and storage

Ephemeral processing: selected text is handled temporarily — we do not persist content unless you deliberately save a result.
Local cache: recent answers may be stored locally in your browser (Cache/Storage) and never leave your device.
Server cache (for performance): to reduce cost and latency, anonymized result snippets can be cached with a content hash and action type. Typical TTLs: dictionary up to ~30 days; explain/summarize up to ~7 days; some tasks ~1–24 hours. Expired entries are cleaned automatically.
Auth tokens: stored locally in your browser and transmitted only over HTTPS; short‑lived access token with refresh when applicable.

5) Third parties

We use AI services (e.g., Google, OpenAI, Groq) to process text. They act as processors strictly for functionality and do not receive identifying information about you beyond what is necessary to process the request.

5.1) Authentication (Google OAuth)

If you choose to sign in with Google, we receive and store only your email and authentication tokens necessary for the session (no passwords).
We do not collect or store passwords.
Tokens are stored locally in your browser and transmitted only over HTTPS.

5.2) Payments (Stripe)

Payments are handled by Stripe. We do not collect or store card details.
From Stripe we receive and store a minimal set of billing metadata: stripeCustomerId, subscriptionId, subscription status (e.g., active/canceled), and tier flags (e.g., isPremium).
Management is via the Stripe Customer Portal; you can cancel or change plans there.

6) Security

Encryption: all traffic is over HTTPS.
Storage: sensitive data is kept to a minimum and only locally as needed for features.

7) Your choices

Telemetry: off by default; you can enable/disable anytime.
Data deletion: you can sign out, clear local cache, and request account/saved data deletion.

8) Data retention

Text requests: processed ephemerally; we do not log content long‑term.
Access tokens: short‑lived (~15 min) and refreshed with a refresh token (~7 days).
Diagnostics (if enabled): retained only as long as necessary to improve reliability and fix issues.

9) Children’s privacy

We do not target minors and do not knowingly collect sensitive information.

10) Your rights

Access and correction: review and update your account information.
Deletion: request account deletion and associated data; for subscriptions, cancel first via the Stripe Portal.
Withdraw consent: sign out and disable telemetry at any time.

11) International transfers

The service may use servers in the EU and/or the US. We use reputable providers and standard safeguards.

12) Contact

Privacy questions: via the extension’s “Contact Us” or the Chrome Web Store listing.

            🌟 The gist: no browsing history, no hidden tracking — only the text you choose, processed to give you an answer in place.
        

13) Changes

We may update this policy; material changes will be posted on this page. Continued use constitutes acceptance of updates.

Last Updated: August 2025