Privacy Policy
Last Updated: February 8, 2026
Children's Privacy Protection
Lumisia is an app developed for children and operated by EISOL LLC ("Company"). We strictly adhere to COPPA (Children's Online Privacy Protection Act) and GDPR-K standards. We do not collect personal information from children under 13 without verifiable parental consent.
Verifiable Parental Consent (VPC) Method
We use the "Email Plus" method as our primary VPC mechanism:
- A parent creates an account with their email address.
- A confirmation email is sent with a link and an additional verification step (re-entry of credential).
- Only after the parent completes verification can a child profile be created.
Parents can review, modify, or delete their child's personal information at any time through the app settings or by contacting us at privacy@lumisia.world.
1. Information We Collect
We collect only the minimum information necessary to operate the service:
- Account Info: Parent's email address, display name
- Child Profile: Nickname, age range (strictly for age-appropriate content generation)
- User Content: Stories created, prompts entered, drawings
- Usage Data: Favorites, reading history, app preferences
- Payment Info: Subscription details (credit card numbers are handled directly by Stripe; we do not store card information)
2. AI Data Usage Policy
🚫 NO AI Training on User Data
We value your trust. We do NOT use your stories, prompts, or your child's profile data to train our AI models.
Your creative content remains yours and is used solely to generate the stories you request. API calls to AI providers are configured with Zero Data Retention policies where applicable.
3. How We Use Information
- To provide the interactive storytelling experience
- To ensure content safety and age-appropriateness
- To maintain and improve service reliability
- To communicate important updates to parents
- To perform anonymized statistical analysis of service usage
4. Cookies & Tracking Technologies
We use the following cookies and tracking technologies:
| Technology | Purpose | Provider |
|---|---|---|
| Google Analytics 4 | Service usage analysis & improvement | Google LLC (USA) |
| Firebase Authentication | User authentication | Google LLC (USA) |
| Cookie Consent | Storing consent preferences | Local (no external transmission) |
Analytics tracking is automatically disabled for child accounts.
For users accessing from GDPR-regulated regions, analytics cookies require explicit opt-in consent before activation.
5. Third-Party Service Providers
We work with trusted partners to deliver our service:
- Google Firebase: Secure authentication and database hosting
- Google Cloud AI / OpenAI: Content generation API (configured with Zero Data Retention policies where applicable)
- Stripe: Payment processing (We do not store credit card details)
- Resend: Email notifications (parental notices, service-related emails)
- ipapi.co: IP-based country detection (used to determine GDPR applicability; results are cached locally in the browser)
6. Security Measures
We implement the following measures to protect your data:
- Technical: TLS/SSL encryption for all communications, database access controls, PII redaction in application logs
- Organizational: Limited access to personal data, employee training on data protection
- Infrastructure: Google Cloud Platform with industry-standard physical security compliance
7. Cross-Border Data Transfer
Your personal data may be transferred to and stored on servers located in the following countries:
- United States: Google Cloud Platform (Firebase, AI APIs), Stripe, Resend
These service providers maintain data processing agreements that comply with applicable data protection laws (including GDPR and CCPA), ensuring an adequate level of protection for your personal data.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion |
| Generated content (stories, images) | Until account deletion |
| Usage logs | Up to 12 months from collection |
| Payment-related data | As required by law (up to 7 years) |
| Cookie consent preferences | Until changed or browser data is cleared |
When you delete your account, all associated data (including created stories) is permanently removed from our systems.
9. Your Data Rights
Parents have full control over their family's data. You can:
- Review personal information collected from your child
- Request correction of inaccurate data
- Request deletion of your child's data
- Refuse further data collection
You can delete your account and all associated data instantly via the App Settings > Account > Delete Account menu. You may also make requests by emailing us at privacy@lumisia.world.
10. Additional Rights for EU/EEA/UK Residents (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation (GDPR):
- Right to Access (Art. 15): Request a copy of the personal data we hold about you
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
- Right to Erasure (Art. 17): Request deletion of your personal data
- Right to Restrict Processing (Art. 18): Request limitation of how we process your data
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
Legal Basis for Processing: We process your data based on: (a) Contractual Necessity — to provide the Service; (b) Consent — for analytics cookies and marketing communications; (c) Legitimate Interest — for service improvement and security.
Right to Lodge a Complaint: You have the right to file a complaint with your local supervisory authority if you believe your data protection rights have been violated. A list of EU Data Protection Authorities can be found at edpb.europa.eu.
11. Additional Rights for California Residents (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you
- Right to Delete: You may request deletion of your personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
We do not sell personal information. We do not sell, rent, or share personal information for cross-context behavioral advertising purposes.
12. Data Breach Notification
In the unlikely event of a data breach that affects your personal information, we will:
- Notify affected users via email within 72 hours of becoming aware of the breach
- Report to relevant authorities as required by applicable law (e.g., supervisory authorities under GDPR)
- Provide details about the nature of the breach, the data affected, and the measures taken to address and mitigate it
- Take immediate action to contain the breach and prevent further unauthorized access
We maintain an incident response plan and regularly test our security measures to minimize the risk of data breaches.
13. Contact Us
If you have any questions about our privacy practices, please contact us: