Privacy Policy

Last updated: May 25, 2026

Lumos ("we", "our", "us") operates the trylumos.ai website and platform. This page informs you of our policies regarding the collection, use, and disclosure of personal information.

Information We Collect

We collect information you provide directly, including:

• Account information: name, email address, and password when you create an account.
• Google account data: if you sign in with Google, we receive your name, email address, and profile picture from Google. We do not access your Google contacts, calendar, or other data.
• Usage data: information about how you interact with our platform, including pages visited and features used.

How We Use Your Information

• To provide and maintain the Lumos platform
• To authenticate your identity and manage your account
• To send transactional emails (account confirmations, alerts, reports)
• To improve our product and user experience

Data Storage and Security

Your data is stored securely using Supabase (hosted on AWS). We use encryption in transit (TLS) and at rest. We do not sell your personal information to third parties.

Third-Party Services

We use the following third-party services:

• Supabase: authentication and database
• Vercel: hosting and analytics
• OpenAI and Google Gemini: AI model queries for visibility analysis
• Resend: transactional email delivery

Connected Google Services

You may optionally connect Google services to enrich your Lumos workspace with first-party data. Connections are per-workspace and opt-in. Disconnecting from the Lumos Integrations page wipes the encrypted OAuth refresh token from our database and stops all further data syncs; the consent grant remains visible at your Google Account permissions page where you can fully revoke access at any time. Encrypted OAuth refresh tokens are stored at rest in Supabase. We do not modify your Google data, do not share it outside your Lumos workspace, do not use it for AI model training, and do not sell it.

• Google Search Console. When you connect a Search Console property, we read clicks, impressions, CTR, position, top queries, and top pages via the Search Console API to show Google search performance alongside AI visibility metrics. We request the webmasters.readonly scope only.
• Google Analytics 4. When you connect a Google Analytics 4 property, we read sessions, users, engaged sessions, conversions, conversion value, landing-page paths, and traffic source dimensions via the Google Analytics Data and Admin APIs. We use this data solely to show how AI search platforms (ChatGPT, Perplexity, Gemini, Claude, Copilot, and similar) drive traffic to your site. We request the analytics.readonly scope only.

How We Share, Transfer, or Disclose Google User Data

Lumos uses Google user data — including the OAuth refresh token, account email, and the property data we read from the Google Search Console API and the Google Analytics 4 API — only to provide the features described in the section above to the Lumos workspace that authorized the connection. We share Google user data only with the following categories of recipients, and only to the extent necessary to operate Lumos:

• Infrastructure subprocessors acting on our behalf. These vendors host or transmit Google user data on Lumos's behalf under their own data-processing terms. They do not use Google user data for their own purposes.
  • Supabase, Inc. (hosted on Amazon Web Services in the United States) — stores encrypted OAuth refresh tokens and the rollup metrics derived from Search Console and Google Analytics 4 (clicks, impressions, sessions, users, conversions, landing-page paths, traffic sources). Encryption at rest (Fernet AES-128-CBC + HMAC-SHA256 for tokens; AWS-managed disk encryption for the database) and in transit (TLS).
  • Railway Corp. (hosted on Google Cloud Platform in the United States) — runs the Lumos backend processes that call the Google APIs and process the responses. Google user data is held in memory only for the duration of a request or scheduled sync.
  • Vercel, Inc. (hosted on Amazon Web Services in the United States) — hosts the Lumos web application that renders the rollup metrics to the authorized members of the workspace. Vercel does not receive raw OAuth tokens; it serves API responses containing rolled-up metrics over TLS.
  • Functional Software, Inc. d/b/a Sentry — error and performance monitoring. May incidentally process Google user data that appears in exception stack traces or request contexts. Configured to redact authentication headers and OAuth tokens.
• Members of the Lumos workspace that owns the connection. The rollup metrics derived from Google user data are visible to other users who have been added to that workspace by its owner. They are not visible to other Lumos workspaces or to the public.
• You. You can export or delete your own Google-derived data at any time by contacting Tito@trylumos.com, or by disconnecting the integration with the "Delete historical data" option enabled.
• Legal authorities, only when legally compelled. If we receive a binding legal request (subpoena, court order, or equivalent), we may be required to disclose Google user data. We will notify the affected workspace owner before disclosure unless legally prohibited.

We do not:

• Sell, rent, or trade Google user data to any third party.
• Use Google user data to train, fine-tune, or improve any artificial intelligence or machine learning model — including our own and including OpenAI, Google Gemini, or any other AI provider integrated with Lumos.
• Use Google user data for advertising, retargeting, or audience-building purposes.
• Share Google user data with data brokers, marketing partners, or any other third party not listed above.
• Transfer Google user data to any party outside the workspace that authorized the connection, except as required to operate the service through the subprocessors above or to comply with law.

Limited Use of Google User Data

Lumos's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We use Google user data only to provide and improve user-facing features of Lumos that are prominent in the application's user interface — the Search Console and Google Analytics 4 dashboards visible inside the connected Lumos workspace.
• We do not transfer Google user data to others except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets — and in any such case affected users will be notified before their data is transferred.
• We do not use Google user data to serve advertisements, including retargeting, personalized, or interest-based advertising.
• We do not permit humans to read Google user data unless we have your affirmative consent for specific data, it is necessary for security purposes (such as investigating abuse), it is required to comply with applicable law, or the data is aggregated and used for internal operations in a manner that complies with applicable privacy laws.

Your Rights

You may request access to, correction of, or deletion of your personal data at any time by contacting us at Tito@trylumos.com.

Cookies

We use essential cookies for authentication and session management. We do not use advertising or tracking cookies.

Changes to This Policy

We may update this policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "last updated" date.

Contact Us

If you have questions about this privacy policy, contact us at Tito@trylumos.com.