
Privacy policy

Last updated: 16 April 2026

Language: This is the English version of Luma’s privacy policy. The Norwegian version is the primary document for users in Norway; both describe the same processing.

1. Controller

Luma AS is the controller for the personal data you provide when you use our website (luma.no), web application, and mobile apps (collectively, the “Service”). For privacy questions contact kontakt@lumabudsjett.no.

2. Scope

This policy applies to all processing carried out in connection with the Service, whether you access it in a browser or through our iOS or Android apps.

3. Categories of personal data

Depending on how you use the Service, we may process:

  • Account and identity: name, email address, authentication identifiers, and preferences stored on your profile.
  • Financial and budget data: transactions, categories, budgets, rules, imports, and similar information you enter or upload (including CSV and, where the product supports it, PDF or image files you choose to upload for parsing).
  • No live bank account linking today: the Service does not connect to your bank for automatic transaction sync. You add data by uploading files you export from your bank, by supported import formats, or by manual entry.
  • Technical and security data: IP address, device/browser type, timestamps, cookies or similar technologies needed to operate and secure the Service, and diagnostic logs from our hosting providers.
  • Product analytics: when product analytics is enabled in production, event and usage data is sent to PostHog (hosted in the EU) to understand feature usage, improve reliability, and develop the product. Some events may be associated with your user account identifier or email where our client identifies you after sign-in or sign-up.

4. Purposes and legal bases (GDPR)

We process personal data on the following bases:

  • Performance of a contract (Art. 6(1)(b)) — providing accounts, storing your financial records, budgets, imports, and related features you use, and communicating about the Service.
  • Legitimate interests (Art. 6(1)(f)) — securing the Service, preventing abuse, limited product analytics that do not override your rights, service improvement, and internal reporting in aggregated form where possible.
  • Legal obligation (Art. 6(1)(c)) — where applicable, retaining or disclosing information to comply with law or competent authorities.

5. Automated processing and suggestions

The Service may suggest categories or detect patterns (for example internal transfers or import mapping) using rules and models applied to your data. These tools support you and do not produce legal or similarly significant effects solely by automated means without human involvement; you can always review and change categories and related settings. If you start optional AI-assisted categorisation, selected transaction text is sent to our servers and configured inference providers only to return category suggestions; nothing is applied without your confirmation.

6. Processors and recipients

We use vetted service providers who process personal data on our instructions (processors), including where relevant:

  • Supabase (database, file storage for imports, authentication, and related infrastructure in the EEA).
  • Clerk (authentication and account management).
  • PostHog (product analytics in the EU).
  • Model and inference providers used when you invoke optional AI-assisted categorisation (processing is limited to suggesting categories from your text and your category list).
  • Infrastructure and email delivery providers required to host and operate the Service.

We do not sell your personal data. We do not share personal data with third parties for their independent marketing purposes.

7. Transfers outside the EEA

We primarily store and process data in the European Economic Area (EEA). If a processor transfers data outside the EEA, we rely on appropriate safeguards under GDPR (such as the EU Commission Standard Contractual Clauses) and supplementary measures where required.

8. Retention

We keep your data for as long as your account is active. If you delete your account, we delete or anonymise personal data within a reasonable period (typically within 30 days) unless a longer retention is required by law or necessary to resolve disputes or enforce our terms.

9. Security

We use industry-standard measures including encryption in transit (TLS), access controls, separation of environments, and processor agreements. No method of transmission or storage is completely secure; we work continuously to protect your information.

10. Cookies and local storage (web)

Our website and web app use cookies and similar technologies that are strictly necessary for authentication and session management, and to remember display preferences where you opt in to saving them. Analytics may use browser storage as configured for PostHog.

11. Your rights

Under the GDPR and Norwegian privacy law you may, subject to conditions in the law:

  • Request access to personal data we hold about you.
  • Request rectification of inaccurate data.
  • Request erasure (“right to be forgotten”) where applicable.
  • Request restriction of processing or object to processing based on legitimate interests.
  • Request data portability for data you provided, where processing is based on contract or consent and is automated.
  • Lodge a complaint with a supervisory authority.

Contact kontakt@lumabudsjett.no to exercise your rights. In Norway the supervisory authority is Datatilsynet.

12. Children

The Service is not directed at children under 16. If you believe we have collected data from a child, please contact us and we will take appropriate steps to delete it.

13. Changes

We may update this policy to reflect changes in the Service or legal requirements. We will publish the updated version on this page with a new “Last updated” date. Where changes are material, we will provide additional notice as appropriate (for example by email or in-app message).

14. Legal notice

This policy is provided for transparency. It does not constitute legal advice. If you need certainty for your specific situation, consult a qualified lawyer.
