Deutsch English

GDPR · Art. 13 / 14

Privacy Policy

App “LUME – Voice Diary” and website lume-diary.com

Effective date: June 2026

We take the protection of your personal data seriously. With this privacy policy, we inform you in accordance with Art. 13 and 14 GDPR about how and for what purpose we process your personal data when you use the iOS app “LUME – Voice Diary” and the website lume-diary.com.

LUME is a voice diary: you speak your thoughts, and an AI turns your words into a diary entry. Optionally, you can add photos and a mood.

1. Controller

Tobias Bach
Hoheluftchaussee 145A
20253 Hamburg, Germany
Email: [email protected]

2. General information and legal bases

Our application is not designed to specifically collect or process special categories of personal data within the meaning of Art. 9(1) GDPR. However, since you are free to determine the content of your diary, it may happen that your entries contain sensitive information, such as details about health, religious or philosophical beliefs, or comparable particularly sensitive information. You decide on your own responsibility which content you record in the application. Insofar as special categories of personal data are processed as a result of your input, such processing is carried out on the basis of your explicit consent pursuant to Art. 9(2)(a) GDPR.

Insofar as we obtain your consent for the processing of personal data, Art. 6(1)(a) GDPR serves as the legal basis. If the processing is necessary for the performance of a contract with you or to carry out pre-contractual measures, it is carried out on the basis of Art. 6(1)(b) GDPR. Insofar as we have to process personal data to comply with a legal obligation, Art. 6(1)(c) GDPR is the legal basis. If we process personal data to protect our legitimate interests or those of a third party, this is done on the basis of Art. 6(1)(f) GDPR, provided that your interests, fundamental rights and freedoms do not override those interests. Section 25 TDDDG applies additionally to the storage of information on your device or access to information already stored there.

Using the app requires the creation of a user account. For this we need at least your email address and a password; without this information, use of the app is not possible. Diary content, photos, moods and comparable information are provided by you voluntarily.

3. Individual processing activities in the app

3.1 Registration

Using LUME requires creating a user account. As part of registering and managing your user account, we process in particular your email address, your name, your password in encrypted or hashed form, and the time of your consent pursuant to Art. 9(2)(a) GDPR.

The processing is carried out to provide your user account, enable login and securely authenticate you when using the app. The legal basis is Art. 6(1)(b) GDPR.

For the technical provision of authentication and the database, we use Supabase, a service of Supabase, Inc., as a processor. The processing takes place on servers within the European Union, in particular at the server location in Ireland, region eu-west-1. A data processing agreement pursuant to Art. 28 GDPR has been concluded with Supabase.

We generally store the data until your account is deleted. After your account is deleted, the data is deleted, unless statutory retention obligations or other legal grounds prevent this. We receive the data directly from you.

3.2 Download via the App Store

When you download our app via the Apple App Store, Apple processes personal data under its own responsibility. This may include, in particular, your Apple ID, your email address, device identifiers, payment information and the time of the download.

We have no influence over this data processing by Apple. Apple is responsible for it as an independent controller. The storage period is determined by Apple’s specifications. The data arises in the course of the download process via the App Store.

3.3 Creating diary entries

You can create diary entries in our app by voice input or text input. In doing so, we process in particular your voice recording temporarily, the transcription text created from it, the AI-generated or rephrased entry text, the mood you selected, and the entry date.

The processing is carried out to convert your input into a diary entry, prepare the entry and store it within the app. The legal basis is Art. 6(1)(b) GDPR.

Since you are free to determine the content of your diary entries, they may contain special categories of personal data within the meaning of Art. 9(1) GDPR. We do not specifically collect such data. Insofar as you yourself speak, enter or otherwise communicate such content, the processing is additionally carried out on the basis of your explicit consent pursuant to Art. 9(2)(a) GDPR.

For the transcription of your voice input and the AI-assisted conversion, we use OpenAI, L.L.C., USA, as a processor. In doing so, your temporary voice recording and the texts generated from it may be transmitted to and processed by OpenAI. The AI function serves exclusively to transcribe your input and convert it linguistically into a diary entry; it does not make decisions about you, does not evaluate you and does not create a profile about you. According to OpenAI, content transmitted via the OpenAI API is not used to train the models.

For storing your diary entries, we use Supabase as a processor within the European Union. Data processing agreements have been concluded with each of the service providers used. Information on the transfer of personal data to the USA can be found in Section 4.

Your stored diary entries remain stored until you delete them or your user account is deleted, unless statutory retention obligations or other legal grounds prevent this. The voice recording is processed only temporarily for transcription and then discarded. The voice recording is not stored permanently. We receive the data directly from you.

3.4 Photos for entries

You can voluntarily supplement your diary entries with photos. In doing so, we process exclusively the photos you select in order to add them to your entries and store them in your private area of the app. The legal basis is Art. 6(1)(b) GDPR.

Depending on their content, photos may contain special categories of personal data within the meaning of Art. 9(1) GDPR. We do not specifically collect such content. Insofar as you upload such photos yourself, the processing is additionally carried out on the basis of your explicit consent pursuant to Art. 9(2)(a) GDPR.

For storing the photos, we use Supabase as a processor within the European Union. A data processing agreement has been concluded with Supabase. We store the photos until you delete them or your user account is deleted, unless legal grounds prevent this. We only obtain access to your photo library if you have previously permitted this. We receive the photos directly from you.

3.5 Subscription and in-app purchase LUME Pro

If you take out a paid subscription for LUME Pro or use a trial period, we process information about your subscription or trial status, an anonymized device identifier and purchase information. We do not receive payment data such as credit card or bank account details.

The processing is carried out to provide your premium subscription and unlock paid features. The legal basis is Art. 6(1)(b) GDPR.

For managing subscriptions and in-app purchases, we use RevenueCat, Inc., USA, as a processor. A data processing agreement has been concluded with RevenueCat. Payment processing is handled by Apple, whereby Apple is independently responsible in this respect.

We process the data for the duration of the usage or contractual relationship. Purchase and invoice data are processed and stored by Apple in accordance with the specifications applicable there. We receive the data from you or from the purchase process via Apple.

3.6 Push notifications

If you activate push notifications, we process your push token and your reminder settings in order to send you reminders about keeping your diary. The legal basis is your consent pursuant to Art. 6(1)(a) GDPR.

You can withdraw your consent at any time with effect for the future by deactivating push notifications in your device settings. Delivery takes place via the Apple Push Notification service (APNs) from Apple.

We store the data processed for this purpose until you deactivate push notifications or your user account is deleted, unless legal grounds prevent this. We receive the data from you or from your device.

3.7 Usage analytics

To improve and ensure the stability of our app, we process pseudonymized or aggregated event data. In doing so, we do not create personal profiles, do not use IP geolocation, do not process diary content and do not collect directly identifying data.

The processing serves to understand the technical function of the app, to detect errors and to develop the app further in a data-minimizing manner. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in data-minimizing product improvement and ensuring the stability of our app.

For usage analytics, we use PostHog, Inc. as a service provider. The analysis takes place on servers within the European Union. A data processing agreement has been concluded with PostHog.

We store the event data only for as long as is necessary for the analysis and improvement of the app. The data arises automatically when you use the app.

3.8 Technical operation of the app and hosting of the website

For the technical operation of the app and the website, we process technically required data, in particular server and access data such as IP address, date and time of access, content accessed, amount of data transferred, device and browser information, and technical error logs.

The processing is carried out to provide the app and website securely, stably and functionally, to detect technical errors and to prevent misuse. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure and reliable provision of our digital offerings.

For technical operation, we use in particular Supabase for the app backend and database, and Cloudflare for the provision, security and performance of the website. The service providers used process data as processors or, insofar as expressly indicated, under their own responsibility. Data processing agreements have been concluded with the processors.

We store technical log data only for as long as is necessary for the aforementioned purposes, unless statutory retention obligations or other legal grounds prevent this.

3.9 App settings and technical storage on your device

For the operation and security of the app, we store technically necessary information on your device. This includes in particular your language selection, app settings and — if activated — a PIN or Face ID key in the protected keychain of your device.

This storage is carried out exclusively to provide the app in a functional, secure and user-friendly manner. We do not use cookies or comparable technologies for advertising or marketing purposes and do not access the advertising identifier IDFA.

The legal basis for the technically necessary storage is Section 25(2) TDDDG. Insofar as personal data is processed in this context, this is carried out on the basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure and functional provision of the app.

The stored information generally remains on your device and is not transmitted to us or third parties for advertising or marketing purposes. It remains stored until you delete it, for example via the device settings or by uninstalling the app. The data arises from your use and configuration of the app.

3.10 Contact and feedback

If you contact us or submit feedback, we process your email address and the content of your message or feedback.

The processing is carried out to handle your request and to communicate with you. The legal basis is Art. 6(1)(b) GDPR if your request relates to a contract, and Art. 6(1)(f) GDPR in all other cases. Our legitimate interest lies in the effective handling of your request.

Insofar as feedback is stored within the app, we use Supabase for this as a processor within the European Union. A data processing agreement has been concluded with Supabase.

We store your request only for as long as is necessary to handle it. Afterwards, we delete the data, unless statutory retention obligations or other legal grounds prevent this. We receive the data directly from you.

4. Third-country transfers

In the course of using individual service providers, personal data may be transferred to third countries outside the European Union or the European Economic Area, in particular to the USA. This concerns in particular OpenAI, RevenueCat and Cloudflare.

Insofar as an adequacy decision of the European Commission exists for the respective third country, or the respective provider is certified under a recognized data protection framework, in particular the EU-US Data Privacy Framework, the transfer takes place on this basis. Insofar as no adequacy decision or relevant certification exists, the transfer takes place on the basis of appropriate safeguards, in particular the EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

According to OpenAI, data transmitted via the OpenAI API is not used to train the models. We have reviewed the service providers used and the respective transfer mechanisms and take into account the protective measures required for this.

5. Data security

We take appropriate technical and organizational measures to protect your personal data against loss, misuse, unauthorized access and unauthorized disclosure. These include in particular encrypted transmission via TLS, access-restricted storage in your user account, access controls and technical security mechanisms such as row-level security. In addition, you can — if supported by your device and activated by you — protect the app with a PIN, Face ID or comparable security functions.

Our security measures are continuously reviewed, taking into account the state of the art, the nature and scope of the processing and the respective risk, and adjusted where necessary.

6. No automated decision-making

Your voice input may be automatically transcribed and converted into a diary text with the help of artificial intelligence. In doing so, no automated decision-making within the meaning of Art. 22 GDPR takes place that produces legal effects concerning you or similarly significantly affects you. No profiling takes place.

7. Your rights

As a data subject, you have various rights under the GDPR. To exercise your rights, a message to [email protected] is sufficient.

7.1 Right of access

You have the right to obtain confirmation from us as to whether we process personal data concerning you. If this is the case, you have the right to access this personal data as well as to further information and a copy of the data pursuant to Art. 15 GDPR.

7.2 Right to rectification

You have the right to request the rectification of inaccurate personal data or the completion of incomplete personal data concerning you, Art. 16 GDPR.

7.3 Right to erasure

You have the right to request that we erase personal data concerning you, provided that one of the legally prescribed grounds applies and no statutory retention obligations or other legal grounds prevent this, Art. 17 GDPR.

7.4 Right to restriction of processing

You have the right to request that we restrict the processing of your personal data if the legal requirements for this are met, Art. 18 GDPR.

7.5 Right to data portability

You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, or to request the transmission of this data to another controller, in accordance with the legal requirements, Art. 20 GDPR.

7.6 Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data, insofar as the processing is based on Art. 6(1)(f) GDPR, Art. 21 GDPR.

7.7 Withdrawal of consent

You have the right to withdraw consent you have given at any time with effect for the future, Art. 7(3) GDPR. The lawfulness of the processing carried out on the basis of your consent up to the time of withdrawal remains unaffected.

7.8 Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority if you consider that the processing of your personal data infringes the GDPR, Art. 77 GDPR. The authority responsible for us is the Hamburg Commissioner for Data Protection and Freedom of Information (Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit, HmbBfDI).

8. Amendments and status

This privacy policy is currently valid and is dated June 2026.

Due to the further development of our app, our website and our offerings, or as a result of changed legal or regulatory requirements, it may become necessary to amend this privacy policy. The current version can be accessed at any time on our website.