Privacy Policy

Effective Date: April 4, 2026 · Last Updated: May 10, 2026

Lumzi ("Lumzi", "we", "our", or "us") respects your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use https://www.lumzi.app and related services. By using Lumzi, you agree to this Privacy Policy.

1. Overview

Lumzi is designed to minimize data collection. We only collect what is necessary to:

  • Provide AI-powered language learning and translation services
  • Maintain your account and preferences
  • Process payments securely
  • Ensure platform reliability and security

We do not sell your data.
We do not run advertising trackers.

2. Information We Collect

Account Information

  • Email address (required)
  • Password (securely hashed; never stored in plain text)
  • Display name (optional)
  • Account creation date and last login timestamp

Learning Preferences

  • Native and target languages
  • Proficiency level
  • Timezone
  • Theme preferences
  • Daily goals
  • Text-to-speech settings (voice, speed)
  • Feature toggles

User-Generated Content

  • Journal entries and AI feedback
  • Chat messages and conversation history
  • Custom flashcards (words and sentences)
  • Story prompts and generated stories
  • Translated articles you unlock

Activity Data

  • Daily progress summaries
  • Flashcard review history

Billing Data

  • Credit balance
  • Auto-refill settings
  • Transaction history
  • Stripe customer and payment method references

3. How We Use Your Data

We use your data to:

  • Provide translations and AI-powered features
  • Maintain your account and preferences
  • Process payments and manage credits
  • Improve system performance and reliability
  • Send essential account-related emails

We do not use your data for advertising.

4. Cookies and Sessions

Lumzi uses exactly one cookie:

Session Cookie (sessionid)

  • First-party cookie (set by Lumzi, not third parties)
  • Stores only a session ID — no personal data inside the cookie itself
  • All session data is stored securely server-side
  • Marked HttpOnly, SameSite=Lax, and Secure (HTTPS only)
  • Expires after 30 days

This cookie is required for login persistence, CSRF protection, and maintaining state across requests. There is no alternative browser mechanism for secure session functionality.

No Tracking Cookies

Lumzi does not use advertising cookies, tracking pixels, or third-party analytics cookies. We use Plausible Analytics, which is cookieless and does not collect personal data.

Third-Party Cookies

Stripe may set cookies on its own domain during payment processing (Stripe Checkout). These cookies are not controlled by Lumzi.

5. Third-Party Services

We use the following services to operate Lumzi:

AI Providers

  • Anthropic (Claude): Receives text (journal entries, chat, articles) for AI feedback, translation, and chat
  • OpenAI: Receives text for text-to-speech audio generation

No user identifiers are included in content sent to these providers.

Payments

  • Stripe: Receives email, payment amount, and payment details for processing transactions

Email Delivery

  • Resend: Sends verification emails, password resets, and transactional emails

Error Monitoring

  • Sentry: Receives error reports and stack traces (personally identifiable information is disabled)

Analytics

  • Plausible Analytics: Collects anonymous page view data (no personal data, no cookies)

Storage

  • Cloudflare R2: Stores generated audio files (MP3s for articles, stories, and sentences)

Content Sources

  • The Guardian: Public articles are fetched by the application; no user data is sent

6. Data Retention

We retain data only as long as necessary.

Data Type Retention Deletion Method
Chat messages365 daysAutomatic cleanup
Unaccepted friend invitations90 daysAutomatic cleanup
Session cookie30 daysBrowser expiry or logout
Email verification tokens24 hoursExpiration
Password reset tokens1 hourExpiration
Temporary audio files1 hourAutomatic cleanup
Pending wallet holds15 minutesAutomatic cleanup
Journal entriesUntil account deletionUser action
Flashcard historyUntil account deletionUser action
Wallet transactionsUntil account deletionUser action
Translated contentUntil account deletionUser action

7. Your Data Rights

You have full control over your data. All of the following can be done directly from your account settings:

Download Your Data

Export a complete copy of everything Lumzi holds about you — journal entries, chat history, flashcards, transactions, progress, and more — as a single JSON file.

Download data export →

Update Your Information

Change your email, display name, language preferences, or any other account settings at any time.

Go to account settings →

Delete Your Account

Permanently and irreversibly delete your account and all associated data, including audio files and your Stripe customer record. See Section 8 for full details.

Delete account in settings →

If you are unable to access your account or need additional assistance, contact us.

8. Account Deletion

You may delete your account at any time through your account settings. Upon deletion:

  • All account data, preferences, and content are permanently deleted
  • Journal entries, chats, flashcards, and learning history are removed
  • Credit balance and transaction history are deleted
  • Audio files are deleted from storage
  • Your Stripe customer record is deleted from Stripe's systems

Account deletion is permanent and irreversible.

Some data may be retained where required by law or for fraud prevention. The following are not deleted:

  • Shared system content (sentence library, news articles, language data)
  • Aggregated, non-identifiable analytics data
  • Error logs retained by Sentry (no personal data per our configuration)

9. Security

We implement the following security measures:

  • Password hashing using PBKDF2/SHA256
  • CSRF protection on all forms and API requests
  • Strict security headers (HSTS, CSP, X-Frame-Options, and others)
  • Secure, HttpOnly session cookies
  • Error monitoring with personally identifiable information disabled

10. IP Addresses and Location Data

  • Lumzi does not store IP addresses in its database
  • A temporary country code may be checked at registration for compliance purposes and is not stored
  • Infrastructure providers (e.g., Cloudflare) may process IP addresses at the network level

11. Emails We Send

We send only essential emails:

  • Email verification (token valid for 24 hours)
  • Password reset (token valid for 1 hour)
  • Friend invitations (stored up to 90 days if unused)

We do not send marketing emails unless explicitly enabled in the future.

12. Children's Privacy

Lumzi is not intended for users under 18. We do not knowingly collect data from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last Updated" date at the top of this page reflects the latest version.

For material changes, we will notify you by email or by displaying a notice on the site before the changes take effect.

14. Contact

If you have questions about this Privacy Policy:

Lumzi Support
Contact form