Last updated: 23 April 2026
Effective date: 23 April 2026
Applies to: the lume. mobile application (the "App") and related services operated by [Your Full Legal Name], trading as shylume ("we", "us", "our").
Summary of key points
This summary highlights the main points of our Privacy Policy. For full details, read the complete policy below or jump to the relevant section using the table of contents.
What we collect: Profile information (name, photos, bio, voice recordings), account credentials (phone, email), messages, usage data, and approximate location. We process sensitive personal information including sexual orientation, as this is core to providing matches.
How we use it: To operate the App, match you with others, enable chat, deliver safety features, process subscriptions, and keep the platform secure.
Who we share it with: Only with service providers (Google / Firebase, RevenueCat) who process data on our behalf under strict contracts. We do not sell your data. We do not show ads.
International transfers: Data may be processed in the United States by our service providers, protected by Standard Contractual Clauses.
Your rights: You can access, correct, delete, or export your data at any time. Contact us using the details at the end of this policy.
Age limit: lume. is for users 18 and over. We do not knowingly collect data from minors.
1. What information do we collect?
Information you provide to us
When you create an account and use the App, you provide us with the following:
Account credentials: phone number, email address, and password (if using email sign-in).
Profile information: name or display name, date of birth, gender, sexual orientation and preference ("looking for"), profile photos, gallery images, bio, prompts, vibe tags, and profile anthem.
Voice recordings: if you record a voice intro or voice messages.
Communications: messages you send to other users through in-app chat, including vibe reactions and spark answers.
Date and journal content: date proposals, venue information, post-date reviews, and personal journal entries.
Safety information: emergency contact details you add for Safe Date Mode and check-in responses.
Subscription information: payment confirmations and entitlement status received from Google Play and RevenueCat (we never see your payment card details).
Support requests: information you share when contacting us about privacy, technical, or account matters.
Information collected automatically
When you use the App, certain information is collected automatically:
Log and usage data: IP address, session start and end times, screen views, interactions with features (swipes, matches, messages, date proposals), crash reports, and performance metrics.
Device data: device model (e.g., Samsung SM-S926B), manufacturer, operating system and version, screen resolution, language, region, mobile carrier, and unique device identifiers including Firebase Installation IDs.
Location data: approximate location derived from IP address. If you grant location permission, we may also use precise geolocation for proximity-based matching and venue suggestions.
Sensitive personal information
As a dating service, we process sensitive personal information including data concerning your sex life and sexual orientation. This processing is essential to providing matches consistent with your preferences. We rely on your explicit consent, given when you complete your profile, for this processing under Article 9(2)(a) of the UK and EU GDPR.
2. How do we process your information?
We process your personal information for the following purposes:
To deliver and facilitate the lume. service — providing account creation, profile hosting, the Discover feed, swipe matching, and all core features.
To match users and facilitate connections — using profile information, preferences, and location data to suggest compatible matches and generate chemistry scores.
To enable user-to-user communications — delivering real-time chat, progressive reveal, spark prompts, vibe reactions, and voice messages between matched users.
To fulfil and manage subscriptions — processing Lume+ subscription purchases via Google Play Billing and managing entitlements via RevenueCat.
To enable safety features — operating Safe Date Mode including check-ins, emergency contact escalation, and post-date review functionality.
To enable planning and reviewing of dates — powering the Date Planner and post-date Journal features.
To facilitate account linking for couples — when both users opt in, linking accounts for Couple Mode features.
To maintain community safety — detecting and responding to harassment, abuse, underage users, fake profiles, and policy violations through content moderation and reporting mechanisms.
To prevent and detect fraud — identifying fake accounts, duplicate accounts, bot activity, and other fraudulent behaviour.
To respond to user inquiries and provide support — handling questions, bug reports, account recovery, and feedback.
To send administrative information — sending verification codes, security alerts, policy updates, and transactional notifications.
To improve the App — analysing usage trends, measuring feature adoption, and prioritising product improvements.
To comply with legal obligations and defend legal claims — responding to lawful requests, tax and accounting requirements, and preserving evidence for potential disputes.
3. What legal bases do we rely on to process your information?
For users in the European Economic Area, the United Kingdom, and Switzerland, our lawful bases for processing personal information under the GDPR and UK GDPR are as follows:
Consent (Article 6(1)(a) and Article 9(2)(a)): you have given us specific, informed, and unambiguous consent to process your data — in particular, explicit consent for sensitive data such as sexual orientation. You may withdraw your consent at any time.
Performance of a contract (Article 6(1)(b)): processing is necessary to deliver the lume. service you signed up for — matching, chat, subscriptions, and all core functionality.
Legitimate interests (Article 6(1)(f)): we process certain information where our legitimate business interests do not override your rights — specifically for:
Maintaining community safety and enforcing our Community Guidelines;
Preventing and detecting fraudulent activity;
Analysing usage trends to improve the App;
Requesting feedback to improve the user experience;
Defending against legal claims and maintaining records necessary for legal compliance.
Legal obligations (Article 6(1)(c)): processing is necessary to comply with applicable laws, including responding to lawful requests from authorities and retaining tax or accounting records.
Vital interests (Article 6(1)(d)): in rare circumstances — for example, if a user misses a safety check-in in Safe Date Mode and we escalate to their emergency contact or authorities — we may process data to protect someone's life.
4. When and with whom do we share your information?
We share personal information with third parties only in the following situations, and only with providers who process data on our behalf under strict contracts:
Subscription management and entitlement verification; subscription metadata (no card data).
Google Play Billing: payment processing for in-app purchases; payment transaction data (handled by Google, not by us).
Termly, Inc.: Privacy Policy hosting and compliance tooling; page-view data when users view this policy.
We do not:
Sell your personal information.
Share your data with advertisers or ad networks.
Use your data for cross-context behavioural advertising.
Trade user data with business affiliates or partners.
Incorporate advertising SDKs (such as Meta, TikTok, or AdMob) in the App.
Other disclosures
We may disclose your information in the following circumstances:
To comply with law: where required by subpoena, court order, or lawful request from authorities.
To protect rights and safety: where necessary to investigate or respond to violations of our Terms, threats to users, or other illegal activity.
In business transfers: in connection with a merger, acquisition, financing, or sale of assets. Users will be notified in advance of any change of control over their data.
5. Do we use cookies and tracking technologies?
The lume. mobile App does not use browser cookies or web beacons. However, our service providers (primarily Firebase) use mobile SDK tracking technologies to collect device identifiers, installation IDs, and usage data. These technologies are described in Section 1 ("Information collected automatically").
We do not use advertising tracking technologies such as Meta Pixel, TikTok Pixel, or Google Ads remarketing.
6. Is your information transferred internationally?
Our service providers are primarily based in the United States. When you use lume., your personal information may be transferred to and stored on servers located in the US.
For transfers of personal information from the UK, EEA, or Switzerland to the United States, we rely on the following legal safeguards:
Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with Google LLC, RevenueCat, and Termly.
UK Addendum to the EU SCCs for UK-originated transfers.
Supplementary safeguards: encryption in transit (TLS 1.3) and at rest (AES-256), access controls, and contractual processing restrictions.
Some of our service providers, including Google LLC, are also certified under the EU-US Data Privacy Framework and UK Extension, which provides an additional adequacy basis for data transfers to them.
7. How long do we keep your information?
We retain your personal information for as long as you have an active lume. account. When you delete your account, we delete your personal data from our systems, except where we need to retain certain information to:
Comply with legal, tax, or accounting obligations (typically up to 6 years under UK law);
Resolve disputes or enforce our Terms;
Prevent fraud or abuse (retained reports of banned users may be kept for up to 2 years to prevent re-registration).
Backups are deleted as part of our routine backup retention cycle after account deletion.
8. How do we keep your information safe?
We implement appropriate technical and organisational measures to protect your personal information:
Encryption in transit via TLS 1.3 for all client-server communication.
Encryption at rest via AES-256 across Firestore, Firebase Storage, and backup systems.
Access controls via Firestore Security Rules enforcing per-user access restrictions.
Authentication protection including phone OTP verification with reCAPTCHA fraud prevention.
Monitoring and detection via Firebase Crashlytics and server-side logging.
Limited administrative access — production data is accessible only to authorised personnel.
Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to notifying affected users and the relevant supervisory authority within 72 hours of becoming aware of a personal data breach likely to result in risk to your rights and freedoms.
9. Do we collect information from minors?
lume. is intended exclusively for users aged 18 and over. We do not knowingly collect personal information from anyone under the age of 18. If you believe we have collected information from a minor, please contact us immediately using the details in Section 15, and we will promptly delete the data.
We rely on users' self-declared age at signup and reserve the right to require additional verification. We may introduce selfie-based age verification in a future version of the App.
10. What are your privacy rights?
Depending on your location, you have the following rights over your personal information:
Right of access: request a copy of the personal information we hold about you.
Right to rectification: correct inaccurate or incomplete information. Most profile data can be edited directly within the App.
Right to erasure ("right to be forgotten"): request deletion of your account and associated personal data.
Right to restriction of processing: limit how we use your information in certain circumstances.
Right to data portability: receive a copy of your data in a structured, machine-readable format.
Right to object: object to processing based on legitimate interests, including for direct marketing (we do not currently conduct direct marketing).
Right to withdraw consent: withdraw consent where we rely on it as our legal basis, at any time, without affecting the lawfulness of prior processing.
Right to lodge a complaint: contact your local data protection authority. In the UK, this is the Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, contact us using the details in Section 15. We will respond within 30 days (GDPR) or 45 days (CCPA and US state laws). We may need to verify your identity before fulfilling the request.
11. Controls for Do-Not-Track features
Because the lume. App does not use browser cookies or respond to Do-Not-Track (DNT) signals in the traditional web sense, DNT headers do not apply. However, we honour mobile operating system privacy controls, including Android's App Tracking settings and iOS App Tracking Transparency (if and when we support iOS).
12. Do United States residents have specific privacy rights?
If you are a resident of the United States, you have additional rights under your state's privacy laws. Our policy covers the requirements of all applicable US state privacy laws, including:
CCPA/CPRA (California), CPA (Colorado), CTDPA (Connecticut), DPDPA (Delaware), FDBR (Florida), ICDPA (Indiana and Iowa), KCDPA (Kentucky), MODPA (Maryland), MCDPA (Minnesota and Montana), NDPA (Nebraska), NHPA (New Hampshire), NJDPA (New Jersey), OCDPA (Oregon), TIPA (Tennessee), TDPSA (Texas), UCPA (Utah), and VCDPA (Virginia).
Your US state privacy rights
Right to know / access: request details about the personal information we collect, use, and disclose.
Right to delete: request deletion of your personal information.
Right to correct: request correction of inaccurate personal information.
Right to portability: receive your data in a portable format.
Right to opt out of sale or sharing: we do not sell or share your data for cross-context behavioural advertising.
Right to limit use of sensitive personal information: in states where applicable.
Right to appeal any denial of a privacy rights request. Appeals should be sent to the same contact details listed in Section 15.
Right to non-discrimination for exercising any of the above.
California-specific rights
Under California's "Shine the Light" law, California residents may request information about the categories of personal information we have shared with third parties for their direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.
Financial incentives
We do not offer financial incentives in exchange for personal information.
13. Do other regions have specific privacy rights?
Canada
Canadian residents have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and, for Quebec residents, under Law 25. These include the right to access, correct, and withdraw consent for the processing of your personal information.
Australia, New Zealand, and South Africa
We comply with the Australian Privacy Act 1988, the New Zealand Privacy Act 2020, and South Africa's Protection of Personal Information Act (POPIA), where applicable. Residents of these countries have rights equivalent to those described above and may contact us to exercise them.
14. Do we make updates to this policy?
We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the App, by email, or both, before the changes take effect. The "Last updated" date at the top of this policy indicates when it was most recently revised.
Continued use of lume. after an update constitutes acceptance of the revised policy. If you do not agree with a change, you may delete your account at any time.
15. How can you contact us?
For privacy-related questions, data subject access requests, or to exercise any of your rights under this policy:
Request correction of inaccurate information via the App or by email.
Delete your account via the account deletion option in the App, or by emailing us. Account deletion will remove your profile, swipes, matches, messages, date plans, journal entries, and other personal data, subject to legal retention requirements.
We will process your request within the timeframes required by applicable law.