lumi. Privacy Policy — plain-English explanation of how your journal data is collected, stored, and protected.

lumi.
Privacy policy
Last updated: July 2026  ·  ICO: C1973098  ·  SJB Creative Studio Ltd, England and Wales
lumi. is a private journal. Everything you record, reflect on, and work through here is personal — and it deserves to be treated that way. This policy explains clearly what data lumi. collects, where it goes, and how it's protected. No jargon, no burying the important bits.
1 — Who is responsible for your data

lumi. is operated by SJB Creative Studio Ltd, a company registered in England and Wales, trading as lumi. (referred to in this policy as "lumi."). As the data controller under UK GDPR, lumi. determines what data is collected and how it is used. ICO registration number: C1973098. You can reach lumi. at the contact details at the bottom of this page.


2 — What lumi. collects and stores

lumi. stores the following in its database, hosted on Railway:

Your journal content
  • Journal entry transcripts (converted from your voice recordings)
  • Your own annotations and written reflections
  • A life context statement — background you share about yourself
  • Session notes and between-session actions (if you use the Sessions feature)
AI-generated content
  • Entry summaries, daily questions, weekly signals, monthly summaries
  • Intentions — micro-goals extracted from your entries, in your own words
  • A voice and writing profile built up from your entries over time
Your goals and life structure
  • Life areas, goals, and a journal purpose statement (set during onboarding)
Connected services
  • Google Calendar events — read-only, synced to provide context in monthly summaries
  • Your name and email address, stored by Clerk (the login service lumi. uses)
Sensitive fields — transcripts, summaries, intentions, annotations, session notes, life context, daily questions, weekly signals, and actions — are encrypted with AES-256-CBC before being stored. Metadata like entry dates, sentiment scores, energy levels, and life area tags is stored unencrypted.
Special category data. Journal entries, annotations, and related AI-generated content may contain information about your health, emotional wellbeing, relationships, or other matters that qualify as special category personal data under Article 9 of UK GDPR. This data is processed only for the purpose of delivering the journalling and reflection service you have explicitly consented to, as set out in Section 5 below.

3 — Audio recordings

When you record or upload a voice note, the audio file is sent to a transcription service for conversion to text. Once transcription succeeds, the audio file is deleted from the server immediately and is not retained. lumi. does not store audio long-term.

If transcription fails, the file is retained for up to 24 hours, during which lumi. will automatically retry transcription every 30 minutes. This window exists to recover from temporary service outages without losing your recording. Once transcription succeeds or the 24-hour window closes, the file is deleted automatically.

lumi. uses OpenAI's Whisper service as its primary transcription provider, with Groq's Whisper service as an automatic fallback if OpenAI is unavailable. Both services receive only the audio file — no other personal data is sent alongside it. See Section 4 for details on each service's data handling.


4 — Third-party services: what leaves the app and why

lumi. works with a small number of trusted services to deliver its features. Here is exactly what is sent to each one and why.

Service What is sent Why / retention
OpenAI
Whisper API
Your audio file + a short vocabulary hint containing your name, life area names, goal titles, and common phrases Speech-to-text transcription. OpenAI does not use API data to train models. Retained up to 30 days for abuse monitoring per OpenAI's policy.
Groq
Whisper API (backup)
Your audio file Backup speech-to-text transcription, used automatically if OpenAI Whisper is unavailable. Groq does not use API data to train models. Retained for a short period for operational purposes per Groq's privacy policy.
Anthropic
Claude API
Decrypted journal content — transcripts, summaries, intentions, life context, voice profile, goals, life areas, Google Calendar events All AI features: tagging, daily questions, weekly signals, monthly summaries, pattern alerts, onboarding extraction, life context synthesis. Anthropic does not use API data to train models by default. lumi. operates under Anthropic's Commercial Terms of Service. Retained up to 30 days for trust and safety monitoring per Anthropic's commercial terms and privacy policy.
Clerk
Authentication
Your name, email address, and login credentials Account creation, login, and session management. lumi.'s own database stores only your Clerk user ID as a reference. Account deletion in lumi. also triggers deletion in Clerk. See Clerk's policy.
Google Drive
Backups (optional)
An encrypted backup of the database — Google receives an opaque encrypted file, not readable journal content Daily encrypted backup if you connect Drive. The last 7 versions are kept; older ones are auto-deleted. You can revoke access at any time. See Google's policy.
Railway
Hosting
Application logs — file sizes, entry IDs, processing statuses, character counts Infrastructure hosting. Logs do not contain readable journal content. Retained for typically 7 days. See Railway's policy.

5 — Why lumi. processes your data

Under UK GDPR, lumi. must satisfy two separate legal tests for processing your data: an Article 6 basis (which applies to all personal data) and, where applicable, an Article 9 basis (which applies additionally to special category data). Both are set out below.

Article 6 — lawful basis for all personal data
Processing activity Lawful basis Notes
Account creation and loginContract (Art. 6(1)(b))Necessary to provide the service
Voice transcription and entry processingContract (Art. 6(1)(b))Core function of the service
AI analysis and summary generationContract (Art. 6(1)(b))Core function of the service
Goal and life area trackingContract (Art. 6(1)(b))Core function of the service
Subscription and billingContract (Art. 6(1)(b))Necessary to manage a paid subscription
Safety and distress monitoringLegitimate interests (Art. 6(1)(f))Assessed in the Legitimate Interests Assessment on file. Interest: protecting user wellbeing. Overriding prejudice test passed.
Service operationLegitimate interests (Art. 6(1)(f))Assessed in the Legitimate Interests Assessment on file.
Google Calendar syncConsent (Art. 6(1)(a))Optional feature; user connects and can disconnect at any time
Google Drive backupConsent (Art. 6(1)(a))Optional feature; user connects and can disconnect at any time
Article 9 — special category data

Journal entries, annotations, and AI-generated content derived from them may contain information about your health, emotional wellbeing, relationships, or other matters that constitute special category personal data under Article 9(1) of UK GDPR. This includes, for example, references to mental or physical health, relationships, or personal circumstances disclosed in the course of journalling.

For this processing, lumi. relies on explicit consent under Article 9(2)(a). This consent is collected separately from the Terms of Service at the point of onboarding, before any journal entries are recorded. It is specific to the processing of special category data for the purposes of delivering the journalling and reflection service.

Processing activity Article 9 basis Notes
Journal entry content
Health, emotional state,
or other special category data
Explicit consent (Art. 9(2)(a))Consent collected at onboarding, separate from ToS. Withdrawable at any time — see Section 7.
AI analysis and summaries
Derived from special category entry content
Explicit consent (Art. 9(2)(a))Derived processing covered by the same consent as above.
Voice profile
Built from entry content over time
Explicit consent (Art. 9(2)(a))Longitudinal profile may reflect patterns in emotional state and wellbeing.
Your right to withdraw consent. Where lumi. relies on your explicit consent under Article 9(2)(a), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. If you withdraw consent, lumi. will no longer be able to process your journal entries or generate AI analysis — which means the core features of the service cannot be provided. You can delete your account and all associated data at any time via Settings. See Section 7 for your full rights.

5a — International data transfers

Some of the third-party services lumi. uses are based outside the United Kingdom, which means your personal data may be transferred to and processed in countries outside the UK. This applies in particular to Anthropic (United States), OpenAI (United States), Groq (United States), and Clerk (United States).

Where personal data is transferred outside the UK, lumi. relies on appropriate safeguards to protect it. For transfers to the United States, lumi. relies on the standard contractual clauses approved for use under UK GDPR, or on the adequacy decisions and transfer mechanisms maintained by the services themselves under their published data processing agreements.

You can find details of the transfer safeguards each service relies on in their respective privacy policies, linked in the third-party services table above. A solicitor review of these transfer mechanisms is planned before public launch.


6 — How long data is kept
DataRetention
Audio recordingsDeleted immediately after successful transcription. If transcription fails, retained for up to 24 hours with automatic retry every 30 minutes, then auto-deleted.
Journal entries, summaries, goals
Including intentions, session data and special category data
Kept for as long as your account is active — the longitudinal record is central to what lumi. does. You can delete individual entries at any time. All special category data is deleted promptly on account deletion or consent withdrawal.
Google Drive backupsLast 7 versions kept; older ones auto-deleted
Railway application logsTypically 7 days
All data on account deletionRemoved from active systems promptly on deletion. Residual copies in encrypted backups are purged according to the backup retention schedule (up to 7 days). See section 7.

7 — Your rights

Under UK GDPR, you have the following rights. To exercise any of them, contact lumi. using the details at the bottom of this page.

Access
Request a copy of the data lumi. holds about you.
Rectification
Ask for inaccurate data to be corrected.
Erasure
Delete your account and all associated data at any time via Settings. This is immediate and permanent.
Portability
Request your data in a portable format.
Restriction
Ask lumi. to pause processing your data in certain circumstances.
Objection
Object to processing based on legitimate interests.
Withdraw consent
Where processing is based on your explicit consent (Article 9(2)(a)), you may withdraw it at any time. This will affect lumi.'s ability to provide its core features. Contact lumi. or delete your account via Settings.
Account deletion removes all data from lumi.'s active systems across all tables — entries, summaries, intentions, sessions, goals, life areas, voice profile, and your Clerk account. Residual encrypted copies held in Google Drive backups are purged within 7 days according to the backup retention schedule. If you delete your account and believe active data was not removed, please contact lumi. straight away.

8 — What lumi. does not do
  • No analytics or behavioural tracking (no Google Analytics, Mixpanel, or similar)
  • No advertising — lumi. is ad-free
  • No selling of your data to any third party
  • Payment card data is processed exclusively by Stripe and is never stored by or accessible to lumi.
  • Readable journal content never appears in application logs

9 — Safety monitoring

lumi. performs a local keyword check on your journal entries before any content is sent to external services. This is designed to detect signs of significant distress. If certain language is detected, the normal AI analysis may be suppressed for that entry, and crisis support resources are shown instead. This check runs on the server before any content leaves lumi.'s systems.

lumi. is not a mental health service and does not provide therapeutic support. If you are in distress, please reach out to a professional. In the UK: Samaritans — 116 123 (free, 24/7).


10 — Changes to this service

lumi. is in active development. Features may change from time to time. This policy will be updated if anything material changes to the way personal data is processed. The current version date is shown at the top of this page. Continued use of lumi. after a policy update constitutes acceptance of the revised terms.


11 — Cookies and local storage

lumi. uses session cookies and local storage only as required for authentication (via Clerk) and to remember your in-app preferences. No advertising or tracking cookies are used.


12 — Changes to this policy

If this policy changes materially, you will be notified in the app. The date at the top of this page always reflects when it was last updated.


13 — Questions and complaints

If you have any questions about this policy or how your data is handled, please get in touch.

Contact: lumi.journalling@gmail.com

If you are not satisfied with how a concern is handled, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.